As e-commerce and international outsourcing rapidly expand, the governments of the leading Western industrial nations are making every effort to balance protection of their citizens' personal information with governmental interests in national security and promotion of commercial competitiveness. A continuously developing body of international law--to which we refer as the International Data Privacy (IDP) regime--attempts to reconcile the rights and conduct of the three major actors in this regime: governments, businesses, and individuals whose information is gathered, stored or traded. Famously, Europe and the United States have drastically different notions of what constitutes the proper balance of rights and responsibilities of the three actors, and approaches to achieving that balance. On the one hand, European governments are focused on protecting their citizens' privacy and ensuring that those individuals have enough faith in the safety of the international system to freely engage in commerce, especially e-commerce. On the other hand, national security concerns in the United States, particularly after September 11, 2001, push the limits of civil rights such as privacy in order to satisfy the State's duty to protect its citizens. Canada has traditionally taken a middle-of-the-road approach to this cross-Atlantic divide. However, since the enactment of the EU Data Privacy Directive of 1995 ("EU Directive"), Canada has been moving closer toward the European model of the IDP regime, and will likely continue to make its data protection laws increasingly restrictive. (1)
No single document was as instrumental to the development of the IDP regime as the EU Directive. The Directive tied together the rights and responsibilities of the three major actors in a way that was most secure for the individual, and most burdensome for the corporation. Perhaps even more importantly, the EU Directive set out major requirements for the export of data from the European Union, effectively passing judgment on the status of data privacy protection outside the EU. The EU Directive pushed boundaries almost literally, causing numerous other nations to reconsider, or even consider for the first time, their positions and attitudes towards data privacy.
The United States has taken a more laissez-faire approach toward international data privacy protection law. Despite participating in shaping the original international framework for data protection in the 1970s, the United States now occupies the opposite end of the spectrum from its Western industrialized counterparts and is reluctant to play by the EU's rules. The United States has developed what has been widely referred to as a "sectoral" regime, (2) enacting legislation that affects only specific industries, such as healthcare or financial services. The U.S. government otherwise participates in the IDP regime tangentially, such as by negotiating Safe Harbor provisions for U.S. companies to do business abroad. (3) Nonetheless, U.S. companies doing business in Europe have little choice but to assent to the EU Directive's requirements. They can comply by either enrolling in the Safe Harbor program (subject to eligibility requirements discussed in Part II, infra) or by adopting other self-regulatory mechanisms, such as standard clauses or binding corporate rules. (4)
Development of Canadian privacy law has been largely influenced by two radically different approaches within the IDP regime--the strict, protectionist EU approach, and the targeted, sectoral U.S. approach. The EU Directive doubtlessly had a major transformational impact on the development of data privacy law in Canada. Data privacy legislation existed in Canada before 2000, in the form of the Privacy Act, enacted in 1985, which regulated public entities' treatment of personal information. (5) Several Canadian provinces--led by Quebec, after 1994--enacted their own data privacy legislation, increasing or creating protections for individuals. …