Privacy Protection: When Is "Adequate" Actually Adequate?
Palekar, Nikhil S., Duke Journal of Comparative & International Law
Notice has been referred to as an essential element of privacy when dealing with the sharing and dissemination of personal information, but because websites are not always required to provide individuals with notice of their privacy policies, notice is oftentimes overlooked or disregarded. The European Union and United States approach data privacy and the protection of personal information very differently, which creates tension when considering the adequacy of privacy protection for information transferred between the two regions.
The European Union values privacy as a fundamental right, and the protection of private personal information, which includes Internet Protocol (IP) and cookie information insofar as it can be linked with a natural person, is paramount. Accordingly, the European Union utilizes a rigorous and comprehensive approach toward privacy protection where data collection entities are required to carefully safeguard individuals' personal information. (1) Consequently, while there is no selective enforcement of standard privacy policies and practices in the European Union, this blanket approach may lack the flexibility to adapt privacy standards to particular industries.
The United States generally follows a market-dominated approach that provides limited statutory rights regarding information privacy. (2) Instead, self-regulation of industries prevails as a common method of data privacy protection, and the few privacy laws that do exist do not cover many companies that interact with consumers via the Internet. (3) Although there are exceptions, most e-commerce operations are left with self-regulation, which has produced privacy protection that varies substantially between economic sectors. (4)
Safe Harbor provisions designed to bridge the gap between U.S. and E.U. privacy protection schemes allow organizations in the United States to have a presumption of adequate privacy protection if the organization undertakes certain compliance measures under the Safe Harbor provisions, and the Federal Trade Commission (FTC) enforces such compliance in the United States. Trans-border data transfers generally remain unimpeded by the differing standards, but this arrangement seems to establish actual privacy protection more in form than function because companies collecting information in the United States are still operating under a self-regulatory system with insignificant enforcement of actual privacy protection. One of the central problems is that consumers still do not receive adequate notice of privacy and information policies, even though the Safe Harbor prescribes certain practices with regard to notice. Notice is of great concern because consumers should have the opportunity to provide meaningful consent to information practices before they provide their information. (5) Addressing the problem of notice through constructive policies will lessen the disparity between the territories and potentially eliminate the necessity for overarching legislation or regulation to provide adequate protection for personal data transferred between the European Union and United States.
This paper explores the differences in approach to privacy law particularly with regard to the function of notice in online privacy policies. First, it provides overviews of E.U. and U.S. privacy provisions and current practices. Second, it provides a comparative analysis of the adequacy of notice in real-world situations based on the E.U. and U.S. privacy provisions. Finally, this paper demonstrates how modifications to the U.S. system could provide for increased homogeneity in privacy practices without abandoning the self-regulatory regime already in place.
I. EUROPEAN PRIVACY LAW
A. History of European Privacy Law
The Council of Europe Convention on Human Rights of 1950 established the European right to privacy. (6) After countless human rights abuses experienced throughout Europe at the hands of the Nazis, it is not surprising that the Council of Europe quickly engaged in such measures to establish privacy rights in the years following the conflict. …