None of Your Business: World Data Flows, Electronic Commerce, and the European Privacy Directive by Peter P. Swire and Robert E. Litan. Washington, D.C.: Brookings Institution Press, 1998. $39.95 (hardcover), $16.95 (paperback).
How can a country protect the personal privacy1 interests of its citizens in a world filled with multinational business enterprises, global computer networks, electronic commerce, and cultural diversity? The ease with which personal data flows across national borders, even in the pursuit of seemingly wholly domestic activities,2 creates a particularly complex challenge for a world, which only in the last two decades began to pay serious attention to the privacy of personal information.
Although privacy law was largely invented in the United States,3 leadership in privacy law and policy clearly shifted to Europe by the early 1980s.4 Germany, Sweden, France, and Great Britain were among the first European countries to enact formal "data protection"5 laws establishing standards for the collection, maintenance, use, and disclosure of personal information. Around the same time, international bodies also developed privacy principles that had significant worldwide influence.6
The enactment by European nations of laws with similar objectives7 but different implementation schemes has presented two serious threshold problems for the European Union (EU). First, differing data protection laws within Europe are a potential barrier to the flow of information necessary to support a common economic market. The EU needed a policy to harmonize these laws so that data could flow from one member state to another without impediment, yet without losing the protections afforded under national laws.8 Second, internal EU policies cannot be effective if personal data can be exported from a country covered by the EU data protection regime to another country where the data can be used without legal protection or other limits.9
A solution to both of these problems is found in the European Union Directive on the Processing of Personal Data and on the Free Movement of Such Data (Directive).10 Although the Directive is commonly called the "Data Protection Directive," the reference in the full title to the free movement of data reflects a major purpose. Once an EU member state has passed a data protection law meeting the standards of the Directive, personal data can be sent to that state for processing without interference on data protection grounds. Member states can enact stronger laws but the Directive establishes a qualifying minimum standard and resolves any intraEU data flow conflicts.
The Directive also addresses the export of data outside the EU community. Article 25 directs member states to permit the transfer of personal data to a third country only if the third country ensures an adequate level of protection. This requirement gives the Directive major international significance and establishes a potential barrier to the flow of personal information to the United States and other countries. The U.S. business community and the U.S. government have, to varying degrees, reacted to the Directive as a non-tariff barrier and an illegitimate and unsupported policy exercise by the Europeans. The deliberate mischaracterization of the data protection movement has only antagonized the Europeans and delayed the development of a U.S. response.
This background brings us, finally, to None of Your Business: World Data Flows, Electronic Commerce, and the European Privacy Directive by Peter P. Swire and Robert E. Litan. Swire is a professor of law at the Ohio State University College of Law, and Litan is the Director of Economic Studies at the Brookings Institution.
Swire and Litan offer a comprehensive and largely even-handed analysis of the Directive's potential effects on the flow of personal data from Europe to other countries. They accept the Directive on its own terms, acknowledging that the advancement of human rights was a principal purpose of the Directive. …