1999 B.C. Intell. Prop. & Tech. F. 012501
European Data Privacy Directive at Odds with American Policy

by Christopher B. Kaczmarek, Staff Writer

United States and European Union officials met on December 1st, and are continuing discussions to resolve data privacy issues arising from the new Data Protection Directive (the "Directive"), which became effective on October 26, 1998. The European Union is negotiating to preserve the integrity of the Directive, a new law aimed at protecting the privacy of consumers' personal data. The Directive is at odds with current American policy and may have a profound effect on international commerce, especially Internet-based commerce.

The Directive provides individuals with a number of important rights and places corresponding obligations on companies that collect data. Individuals have the right to access their data, to know the source of that data and to be able to correct any errors. Individuals are also given the right to withhold permission to use their data in marketing campaigns. Particularly sensitive data, including ethnicity, religious beliefs, political affiliation and health-related information, may be processed only with the express consent of the individual. Companies are required to give notice to both employees and consumers about how their information will be used, and they are forbidden from using such information for other undisclosed purposes. Companies must also provide notice to the customer before giving information to third-party direct marketers. The Directive requires that member nations provide legal recourse to individuals if companies violate their obligations.

The Directive affects information that companies collect about their customers through, for example, credit card transactions, magazine subscriptions and visits to web sites. Web sites, for instance, often collect information about visitors and then sell that information to direct marketers or researchers.

Originally adopted in 1995, the Directive establishes a regulatory framework and requires each individual European Union country to implement the Directive by enacting its own domestic law. While all European Union countries have laws on data protection, currently only Italy, Sweden, Greece and the United Kingdom fully comply with the Directive. The remaining European Union states are expected to come into full compliance within the next few months.

This new policy poses a serious threat to American direct marketers who buy and sell personal information and use it to develop business strategies by identifying consumer preferences. European laws were already stricter than those in the United States, which favors a regime of self-regulation by industry organizations. With the Directive in place, European Union countries will be establishing government agencies (indeed, many already have them) to monitor compliance with the new laws. The Directive arguably threatens the geographically non-discriminatory nature of the Internet; under Article 25 of the Directive, any company that does business in the European Union is prohibited from transmitting personal data to countries, such as the United States, that do not offer similar protection to personal data. The potential impact on direct marketers is obviously substantial. Operators of web sites based in the United States who fail to comply with the Directive and mishandle personal data could potentially be exposed to suits by European Union citizens. While such suits are unlikely in the short term, some American industry groups are concerned that the mere potential for such suits acts as a disincentive to web-based commerce.

Moreover, this provision could potentially make it illegal for a company with offices in both Europe and the United States to transfer protected data between its offices via its own intranet or network. The impact on the everyday operations of large multinationals, including banks and financial service companies, could be profound if European countries were to apply the Directive rigorously.

The United States negotiators have proposed a 'safe harbor' plan: U.S. organizations would come under the plan by certifying that they adhere to the seven European Union privacy principles. European Union officials have not agreed to the safe harbor plan, but have promised that no data will be interrupted as long as both sides continue to negotiate in good faith.

The Directive's force was felt, however, even before it officially took effect. In July, a committee of the European Union criticized proposed standards that were to be built into Netscape Navigator and Microsoft Internet Explorer as being in violation of the Directive. Those standards (also known as the Platform for Privacy Preferences, or P3P), which would allow individual computer users to determine how much personal information they are willing to make available to the operators of web sites, were criticized as offering inadequate protection to individual computer users. The committee, the Working Party on the Protection of Individuals' Personal Data, claimed that the browser standards failed to provide users with notice of the legal implications of the Directive, including the right to a remedy if a user's information is misused, in direct violation of the Directive. It further argued that the browser was preconfigured with default settings that were below the levels of data protection called for by the Directive and that users were unlikely to modify the settings to protect themselves fully.

American companies have found ways around prior European data privacy laws by showing that their own internal policies sufficiently protected personal information. The Department of Commerce is currently in negotiations with the European Union and individual member nations to work out a compromise between the two conflicting approaches to personal data. Negotiations are expected to continue in late January, 1999.


Related Links:

European Data Protection Directive
European Commission Legal Advisory Board Data Protection (privacy)
European Commission Press Release 07/25/95
The Journal of Information Law and Technology, Special Feature on the European Data Protection Directive

