Global commerce and the privacy clash: there are critical gaps in the privacy rights laws of Europe and the United States that pose a major challenge to companies embracing global commerce. (Global Outlook).
This same clash is likely between the United States and countries that form the European Union (E.U.), which includes Austria, Belgium, Denmark, Finland, Germany, Greece, Ireland, Italy, France, United Kingdom, Luxembourg, Portugal, Spain, Sweden, and The Netherlands. Privacy rules are strikingly different in the European Union, and the differences threaten to hamper the ability of U.S. companies to engage in transactions with E.U. countries without risk of incurring penalties. Like Australia's rules, European rules forbid the transfer of personal data to a country that does not provide a level of protection similar to its own. Therefore, the prospect looms that U.S. companies could be denied access to information from their own European subsidiaries or other companies located in Europe.
E.U. Directive 95/46/EC, which was adopted in 1998 and became applicable to the United States in 2001, was devised in Europe after it was recognized that some E.U. member states did not have privacy protection, while others had incompatible laws. To address this problem, the European Parliament issued the directive so that member states could harmonize their laws, assuring that all states have the same provisions regarding protection of personal data.
The directive's significant feature is that the data subject (i.e., the person from whom data is collected) must unambiguously give consent for personal data to be collected after being informed about the purposes for which the data will be used. Otherwise, the European Union will allow personal data to be collected and processed only if
* the data is necessary for the performance of a contract
* its processing is required by a legal contract
* the data is critical to the person's life -- for example, taking blood from an unconscious person after an accident
* the data is necessary for a public interest, such as collection of taxes
* the controller or third party has a legitimate interest in doing so -- striking a balance between the business interests of the controller and the privacy of the person
However, the European Union expressly prohibits asking for "sensitive information," which is defined as the person's racial or ethnic origin, political opinions, religious beliefs, trade union membership, and sexual preference. Such data cannot be processed unless specific consent has been given. The E.U. directive also applies to invisible collection of personal data, such as "cookies" that collect information on a person's Web surfing.
The directive makes special provision for situations when personal data will be used for direct mailings. E.U. member states must give data subjects the right to object to personal data use for direct mailing purposes. More significantly, data subjects must be informed that data will be used for direct mailing. The E.U. rules apply even if the person providing data is located outside of the European Union if the data will be processed in an E.U. member state.
Collection of personal data becomes an international issue because of the Internet, the primary instrument that makes it possible to send personal data from one continent to another in a millisecond. Via the Internet, a company located in one country with one set of privacy rules can send personal data about an individual -- or a database of millions of individuals -- to other firms in more than 150 countries worldwide. Each recipient's country may have different privacy laws or no laws at all.
In order to bridge these different privacy approaches, the U.S. Department of Commerce, in consultation with the European Commission, developed the Safe Harbor provision by which U.S. companies can avoid sanctions in Europe if they voluntarily embrace a watered-down version of E.U. privacy standards covering data flow, both online and offline.
The Safe Harbor plan lets Europe certify that U.S. companies meet E.U. guidelines for privacy protection. Without that negotiated agreement, the $350 billion U.S./E.U. trade could be threatened.
Instead of being a legislative enactment by Congress, Safe Harbor was established as a voluntary program administered by the Department of Commerce. Certifying compliance with the Safe Harbor is supposed to ensure that E.U. businesses know which U.S. companies provide adequate privacy protection as defined by the directive. The question is whether this voluntary program will remain acceptable to the E.U., since fewer than 75 U.S. companies had signed up for it as of mid-2001. This may be because it opens them up to scrutiny by the U.S. Federal Trade Commission (FTC) if a complaint is lodged against them. Because of this, privacy groups in the United States will probably push for a legislative mandate in the near future.
How and when the European Union would enforce the agreement remains unclear. One unexpected complication is that not all E.U. countries have complied with the directive; France, Ireland, and Luxembourg had not enacted any privacy laws as of mid-2001. Sweden, on the other hand, believes that the Safe Harbor provision is inadequate, deficient, and not in compliance with the E.U. directive. Practically speaking, if E.U. member countries' laws are not up to standard, it will be politically difficult for the European Union to impose penalties on U.S. companies, and countries like Sweden may object to data transfers even if a U.S. company has signed on to Safe Harbor.
In the United States, some say that the Safe Harbor agreement may not meet legal muster because the FTC does not appear to have authority to protect foreign consumers' rights in the United States.
In the meantime, U.S. companies operating in Europe should be very careful. Customers must be informed of the identity of the entity collecting the data, the purposes for the processing, and the recipients of the data collected, as well as any rights they may have. Customers have the right to receive a copy of this information even if the data was acquired directly or indirectly from a third party. If it is not accurate or was unlawfully processed, the data subject has the right to have it corrected, blocked, or erased. The subject can even require that third parties that may have seen the incorrect data be notified. The onus throughout will be on the data user or the member states to justify their application.
Also, E.U. authorities retain powers to intervene in certain cases. For example, if a private sector dispute resolution body found that a company had seriously violated the principles, but the company contested the finding and the case was referred to the FTC, the E.U. authorities could suspend data transfers to that company until the matter was resolved. Also, if evidence of non-compliance accumulates, and the European Union feels that the relevant U.S. enforcement body is not doing its job properly and that letting transfers continue risks causing grave harm to data subjects, E.U. authorities can again suspend transfers. The commission could subsequently change the Safe Harbor decision to exclude an ineffective U.S. enforcement body.
One of the self-regulating privacy watchdogs is TRUSTe, which has set up a special TRUSTe stamp, similar to its current seal, indicating that a Web site has received E.U. Safe Harbor certification. TRUSTe has published its opinion that Safe Harbor will lead to an improvement of privacy as companies come under the threat of not being able to sell or use their data wares at the global level. Companies that want to compete globally will be strongly motivated to comply with the law, and global brands will want to manage their reputations, which can be threatened by evidence of wanton disregard for the law. Safe Harbor gives them the opportunity to balance business interests with government demands.
That may, in fact, be happening. Microsoft, Intel, Hewlett-Packard, and Procter & Gamble have signed on to Safe Harbor and recently pledged to provide European-grade privacy protection to their customers in the United States and around the world, even though no law requires them to do so. Although Safe Harbor only pertains to what companies do with the personal data of citizens within the European Union, the E.U. laws are having a spillover effect to the benefit of U.S., Asian, and Latin American consumers doing business with these trend-setting, global U.S. companies. The impact of Microsoft and Intel signing up will make it harder for other U.S. companies to avoid signing on if they want to maintain their customer base as consumers become more aware of privacy issues, identity theft, and related issues. This race to increase standards is a process called "trading up," and the spread of European data protection standards into the United States and elsewhere is a classic example of the theory in motion.
But in Europe, not all are happy with the E.U. directive or even Safe Harbor. A British civil liberties watchdog called Statewatch grabbed headlines recently with dire predictions that the European Union is about to grant Euro-police sweeping new surveillance powers. The report portrays Europe on the brink of an Orwellian catastrophe, in which all phone, fax, wireless, and Internet traffic records would be archived and accessible to law enforcement for seven years. It cites a British report that recommends increased data retention. Some feel that this is an outgrowth of the Council of Europe's proposed Cyber-crime Convention.
The Council of the European Union wants to give European police broader access to information about the e-mail and Internet patterns of the continent's citizens. Under present law, Internet service providers are required to maintain the network data only as long as necessary for billing. Under the new proposal, police would be able to access the data simply by asking for it -- no court order would be necessary. It would give the police a map of a person's business and personal life without restrictions. It remains to be seen if the European Parliament will approve this proposal, but after the September 11 terrorist attacks in the United States and the discovery that the terrorists used the Internet to plot the attacks, its chances of passage could be vastly improved.
The area of privacy, both online and offline, is becoming an urgent issue of the 21st century. Indications are that the United States will eventually follow the privacy standards initiated in the European Union, initially through the voluntary Safe Harbor provision but very possibly through some additional form of mandatory rules. Some clear exceptions will apply in the area of police protection due to terrorism, but eventually the E.U. directive on the collection and use of personal data may become standardized in the United States and Europe. That will then leave open the question of privacy in Asia as it becomes the fastest growing sector of Internet users in the 21st century.
At the Core
* Examines privacy differences between the United States and the European Union that affect e-commerce
* Shows the impact of privacy legislation, such as Safe Harbor
* Analyzes other privacy trends and their impact on global commerce
What U.S. and European Companies Need to Know
* How will data controllers in Europe know which companies in the U.S. can receive data? The U.S. Department of Commerce will hold (or designate some entity to hold) a list of organizations that have joined the Safe Harbor. The list will also make clear if any harborites lose their Safe Harbor status because they have not complied with the rules. The list will be publicly available, including online.
* How does a European company or European subsidiary of a U.S. company ensure that data transferred to U.S. companies within the Safe Harbor will not be passed on to others outside the Safe Harbor where data is not protected? One of the Safe Harbor rules is that data transfers to third parties can only be made if the individual has first been given the opportunity to prevent it. The only exception to this rule is when the disclosure is made to a third party acting as an agent under instructions from the harborite. In this case, the disclosure can be made either to other harborites or to companies that have undertaken contractual obligations to observe similar standards.
* Since this is a voluntary system, who will make sure that the rules are, in fact, observed? Many U.S. companies in the Safe Harbor will have their compliance checked annually by an independent body, but this is not obligatory so as not to discourage small and medium-sized enterprises from signing up. For them, there are rules about how to conduct effective self-verification. Beyond that, enforcement will largely be through alternative dispute resolution mechanisms. Independent private sector bodies will investigate and try to resolve complaints. If harborites fail to comply with the rulings of these bodies, cases will be referred to the FTC or the Department of Transportation, which have legal powers to oblige them to comply. Serious cases of non-compliance will result in companies being struck off the Department of Commerce's list. This means that they will no longer receive data transfers from the E.U. under the Safe Harbor arrangement.
Read More About It
"Clarity on Communications Data Retention Law," 2000. Available at www.statewatch.org/news/dec00/02ncis.htm (a British report that recommends increased data retention)
Council of Europe at press.coe.int/cp/2001/456a%282001%29.htm (Council of Europe press release about final draft of a convention on cyber-crime)
TRUSTe at www.truste.org (provides information about the privacy watchdog group, TRUSTe)
U.S. Department of Commerce at web.ita.doc.gov/safeharbor/shreg.nsf/safeharbor?openform (provides information about certifying as an organization that adheres to Safe Harbor)
Michael Fjetland, J.D., is an International Attorney for the International Legal Group and has negotiated in more than 60 countries. He can be reached at Fjet2020@aol.com.