The European Union's Data Transport Privacy Regulations and Safe Harbor


Charles Oriez

May 19, 1999

copyright Charles Oriez, May 1999,

reproduction for non-commercial and educational purposes permitted


        October 24, 1995 was the effective date of the EU's data protection directive setting standards for the protection of personal data. Adoption of this directive, and in particular Articles 25 and 26 of that directive, can have profound impacts on the ability of Americans to do business in Europe, and/or be a major advancement for privacy rights worldwide. That depends of course on the viewpoint of the person evaluating the implications of this directive. These standards were viewed as necessary given a European recognition of a right to individual privacy and the need to facilitate the transmission of data between countries by ensuring that all members of the EU had consistent national legislation in this area. At the time of enactment, 4 of the 15 countries in the EU were in compliance with its guidelines, with the remaining countries expected to be in compliance by the end of 1998. The EU viewed inconsistent national laws as an impediment to data transfers between the 15 countries of the EU, as well as a potential source of lost consumer confidence across Europe and a resulting delay in the development of the information society. The directive's task was to establish consistent privacy legislation in Europe, in that "the approximation of those laws must not result in any lessening of the protection they afford but must, on the contrary, seek to ensure a high level of protection in the Community".

Their guiding principles were quite specific and said in part: "Any processing of personal data must be lawful and fair to the individuals concerned; ... in particular, the data must be adequate, relevant and not excessive in relation to the purposes for which they are processed; ... such purposes must be explicit and legitimate and must be determined at the time of collection of the data; ... the purposes of processing further to collection shall not be incompatible with the purposes as they were originally specified".

Another requirement of critical import here is that "in order to be lawful, the processing of personal data must in addition be carried out with the consent of the data subject." Further, "the data subject must be in a position to learn of the existence of a processing operation and, where data are collected from him, must be given accurate and full information."

The EU also recognized that member states might wish to engage in international trade with non-member states, such as the United States. With that in mind, the EU specifically provided that member states can exchange data with non-member states, when and only when those non-member states have a level of protection consistent with EU rules.

The United States, specifically Ambassador David Aaron, has over the last nine months been engaged in negotiations with the EU over how US companies could comply with European law without strong privacy legislation being enacted in the United States. The principal US initiative known as the Safe Harbor proposal, promulgated by the Department of Commerce International Trade Administration, has been broadly criticized as inadequate, and negotiations continue. Europe has delayed enforcement with regards to the United States for the duration of the negotiations.


Key Provisions

There are six key provisions in the directive.

*       Companies must give notice to employees and consumers about how their information will be used

*       Businesses can not use personal data for anything other than the purposes they state they intend to use it for.

*       Individual right of review, and the ability to correct errors.

*       Companies must give notice before providing the data to third parties for direct marketing

*       Employees and consumers have the right to opt out of the marketing campaigns, without cost

*       Enforcement provisions

From the viewpoint of the United States, there is an additional key provision - Article 25. European countries may not send personal information to third countries that do not have adequate safeguards over the use of that information. This could in theory be interpreted to the point where a US web server can not exchange cookies with a browser client in Europe if the US fails to comply with the directive. And there have already been incidents where US companies have run up against the strict national laws that this directive is patterned on. In November 1994 Citibank concluded an agreement with the German National Railway that was to be the biggest credit card project in German history. But when it was learned that credit card information would be processed in the United States instead of Germany, German authorities announced that the arrangement would be prohibited in the absence of guaranteed privacy standards even stricter than provided for in the EU directive. And in 1997, Sweden ordered American Airlines to delete all health and medical information on Swedish passengers after each flight, or halt the transfer of data from Sweden to AMR's SABRE central reservation system in the US.

The US Safe Harbor Proposal

Amazon summed up one of the significant current problems with the Safe Harbor proposal. In commenting on the November 1998 draft, they said "… further definition and detail is needed; without such detail, it is difficult to evaluate how the 'safe harbor' principles actually will operate. For example, guidelines for governing disputes, including legal standards for issues such as jurisdiction, choice of law, and the rules of evidence, must be made explicit and fair." That problem seems to remain with the April draft. Joel Reidenberg of Fordham Law School agreed that the plan was too vague, even after the changes made between November and April. In particular, the Europeans continue to be concerned about the access provisions and the sanctions for violations. On its face, those fears seem to have merit. Consider the basic fact that the April 19 draft of the Safe Harbor Principles is only three pages long, including end notes. Contrast this with the 32 page working paper developed solely to apply Articles 25 and 26 of the Directive. One wonders whether the absence of detail signifies an absence of seriousness on the part of the Department of Commerce, which perhaps is hoping that the Europeans will back down.

The Safe Harbor Principles contain seven components that, theoretically at least, are consistent with the EU's directive.

*       Notice

        Companies must provide individuals notice concerning the purpose for which personal data is being collected, how to contact the organization with questions and complaints, any third parties they intend to disclose the data to, and the choices and means the organization offers individuals to limit that disclosure.

*       Choice

        Individuals have the right to opt out of the transfer of data to third parties when that transfer is for a purpose incompatible with the original purposes for which the data was collected. The opt-out mechanism must be affordable, easy to use, readily available, and the instructions for using it must be clear and conspicuous. Some sensitive information requires specific approval of the individual.

*       Onward transfer

        Third parties will be bound by the regulations that permit the originating organization to be covered by the Safe Harbor provisions.

*       Security

        Data will be protected from misappropriation or misuse, unauthorized disclosure to third parties, destruction, or alteration.

*       Data Integrity

        Reasonable steps will be taken to ensure that data is accurate, complete, and current. Additionally steps will be taken to ensure that the data is only used for the originally intended purposes.

*       Access

        Individuals must have reasonable access to personal information about themselves. Under the US version of the access rules, any organization that designs its system so that providing access is expensive or difficult for the organization would be exempt from the access rules. In the European view, the organization should not gain an 'ineptitude of design' exemption. This is a major sticking point between the US and the EU.

*       Enforcement

        Effective enforcement mechanisms are necessary to ensure compliance with the Safe Harbor principles, including recourse for individuals affected by non-compliance as it relates to their own data, and consequences for violation. At a minimum there must be available independent and affordable mechanisms by which an individual's complaints and disputes can be investigated and resolved and damages awarded and problems remedied. This constitutes the additional major point of disagreement between the US and the EU. The European Union is willing to permit private enforcement mechanisms, regulatory action, or oversight via existing EU privacy commissioners. Despite Amazon's testimony after the first draft proposal was circulated, the US persists in vagueness here on exactly what the enforcement mechanism would be.

        I am personally involved in existing enforcement actions through two complaints to the FCC (violations of the Telemarketing Consumer Protection Act), and one FTC complaint (credit bureau violation in prohibited sharing of marketing data). I share the EU's lack of faith with regards to US government complaint resolution procedures, if they are not coupled with a private right of action.

Canada's involvement

Canada is the largest single trading partner of the US, although Western Europe considered as a unit accounts for an even larger amount of our trade. And Canada is siding with the Europeans on this one. A decision by the United States to engage in a trade war with our largest trading partners, who are standing together, will have serious economic impacts.

The Personal Information Protection and Electronic Documents Act (C-54) cleared the Committee on Industry in the House of Commons in April and is slated for floor action in the immediate future, with the expectation that the Act will become law this summer. The act provides for both government and private action to enforce privacy provisions, and includes a private right of judicial review of unresolved complaints. C-54 is generally viewed in its present form to be in full compliance with the EU's data privacy directive. In fact, Anne Cavoukian, privacy commissioner for the province of Ontario, viewed C-54 as "a direct response to the EU directive". Canada, unlike the United States, is a confederation, with much stronger provincial ability to set their own course. Cavoukian noted that Quebec was already in full compliance with the directive based on existing provincial law, while most of the rest of Canada was not. Canada was faced with the possibility that companies in Quebec could have done business with Europe while the rest of Canada was excluded.

The Electronic Frontier Foundation's Tara Lemmey expects that the combined pressure from Canada, the EU, and the OECD will place added pressure on the United States to enact strong privacy legislation sooner rather than later.

Conclusions

The European Union has little confidence in the current willingness and ability of the US government and private industry to protect personal data. The Safe Harbor principles presented by Ambassador Aaron in recent months appear on their face to be so non-specific and weak that it seems unlikely that the EU will accept them as written, without significant modification. The possibility of a trade war, or at least a WTO confrontation between the US on one side, and Europe and Canada on the other, can not be ruled out as a likely future event. Ironically, this comes with the average consumer in the United States apparently sharing the EU's lack of confidence in the US government's and industry's ability to protect personal information and to be honest in how it will be used. It will be an interesting battle, with our own citizens siding with Europe against industry and our government.


Authorities

*       Canadian Parliament homepage, http://www.parl.gc.ca/ ; C-54 can be found at http://www.parl.gc.ca/36/1/parlbus/chambus/house/bills/government/C-54/C-54_2/C-54TOCE.html

*       Data Protection Working Party, "Transfers of personal data to third countries: Applying Articles 25 and 26 of the EU data protection directive", European Union, 24 July 1998, http://europa.eu.int:80/comm/dg15/en/media/dataprot/wpdocs/wp12en.htm

*       Department of Commerce, Bureau of Economic Analysis, International Accounts Data, Sept 18, 1997 http://www.bea.doc.gov/bea/di/bparea-d.htm

*       Department of Commerce, International Trade Administration, Safe Harbor Proposal, April 19, 1999 http://www.ita.doc.gov/ecom/shprin.html

*       "Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data" Official Journal L 281, 23/11/1995 p. 0031 - 0050, Referenced as Document 395L0046 http://europa.eu.int/eur-lex/en/lif/dat/1995/en_395L0046.html

*       European Commission Press Release, "Council Definitively Adopts Directive on Protection of Personal Data", July 25, 1995, http://www.privacy.org/pi/intl_orgs/ec/dp_EC_press_release.txt

*       European Convention for the Protection of Human Rights and Fundamental Freedoms, Article 8 http://europa.eu.int:80/comm/dg15/en/media/dataprot/law/fechr.htm

*       Freidman, Matt, "Canada Aligns with EU on Privacy", Wired News, 20 Apr 99

*       Gabrieli, David, Government Affairs Counsel, Amazon.com, Inc., Nov 19, 1998 comments on the Department of Commerce November version of the Safe Harbor proposal, http://www.ita.doc.gov/ecom/com4abc.htm#amazon

*       Glave, James, "US, EU Still Stuck on Privacy", Wired News, 21 Apr 99 http://www.wired.com/news/news/politics/story/19232.html

*       Oakes, Chris, "Is RealNetworks a RealSpammer?", Wired News, 18 May 99 http://www.wired.com/news/news/technology/story/19748.html

*       Privacy International, Project Compliance, http://www.privacy.org/pi/issues/compliance/

*       Shachtman, Noah, "EU Privacy Law is Awkward for US", Wired News, 23 Oct 98, http://www.wired.com/news/news/business/story/15779.html

*       Davies, Simon, "Europe to U.S.: No privacy, no trade", Wired Archive v6.05, May 1998, http://www.wired.com/wired/6.05/europe.html

*       Treaty on the European Union, Title I - Common Provisions - Article F http://europa.eu.int:80/comm/dg15/en/media/dataprot/law/fechr.htm