Though it is not law in the United States, the European Union's Data Protection
Directive is an important document in privacy debates today. Agreed to among
European bureaucrats in 1995, the directive required member countries of the EU
to adopt laws that implement its terms.
The Directive creates rights for persons about whom information is collected, known as
"data subjects." Entities that collect information must give data subjects
notice explaining who is collecting the data, who will ultimately have access to
it, and why the data is being collected. Data subjects also have the right to
access and correct data about them.
This top-down, bureaucratic model imposes heavy costs and inconveniences on
European businesses compared to the American system in which information flows
freely and only harmful uses of information are prevented or punished.
The Directive is also inconsistent in many respects with free speech.
The Directive creates stricter rules for companies that want to use data in direct
marketing, or to transfer the data for other companies for that use. The data
subject must be explicitly informed of these plans and given the chance to object.
Stricter rules also govern sensitive information relating to racial and ethnic
background, political affiliation, religious or philosophical beliefs, trade-union
membership, sexual preferences, and health. Before this information may be collected
the data subject must give explicit consent. There are exceptions to this rule for
employment contracts, non-profits, and the legal system, among other things.
In order not to completely disrupt life in Europe, the Directive is riddled with
exceptions. For example, data may be kept for personal and household use like an
address book. Synagogues, trade unions, churches, and other non-profits are
permitted to keep even "sensitive" information about their members. National
governments are permitted to exempt journalists from provisions of the directive,
if the government thinks free speech might outweigh privacy interests.
Ironically, because governments are the most voracious collectors, users, and sometime
abusers of personal information, governments may exempt themselves from the Directive
when it conflicts with their own interests in taxation or law enforcement. Though it is
inspired by the bloody use some European governments made of sensitive personal
information in the last century, the Data Privacy Directive does not hit that mark.
The Directive fails to address privacy coherently because it does not
recognize a rather fundamental premise: the vast difference in rights, powers, and
incentives between governments and the private sector.
In order for American companies to transfer information about data subjects with
European businesses, the EU and the U.S. Commerce Department negotiated an agreement.
Called the "safe harbor" agreement, it outlines the conditions under which U.S. companies
may receive information about EU data subjects. U.S. companies may also enter into special
data protection contracts.
On May 16, 2003, the European Commission released its review of the Directive and its
implementation. Eleven of the 15 EU Member states missed the 1998 deadline for adopting
the Directive's terms in their national laws. France had yet to implement the Directive,
while Luxembourg and Ireland had only done so in 2002.
Significant differences in the
way Member states have implemented the Directive are impeding information flows in Europe,
and internationally as well. The Commission suspects that many "unauthorized" or illegal
transfers of data are occuring.
Despite requests from four Member countries, the EC declined to propose simplifying
or harmonizing changes to the Directive. It will consider making such amendments in 2005.
Enforced Standards Versus Evolution by General Acceptance:
A Comparative Study of E-Commerce Privacy Disclosure and Practice in The U.S.
and The U.K.; Karim Jamal et al., AEI-Brookings Joint Center on Regulatory
Studies (July 2003)
Report on the transposition of Directive 95/46/EC, Commission of
the European Communities (May 15, 2003)
Safe Harbor Web
site, U.S. Department of Commerce (includes link to "Safe Harbor List" of companies
adhering to safe harbor principles)
Concerns Regarding the EU Data Directive, by Professor Jacob
Palme, Stockholm University (November 30, 2000)
EU-US "Safe Harbor"
Privacy Arrangement U.S. Department of Commerce (July 21, 2000)
and Human Rights: Comparing the United States to Europe by Solveig Singleton, Cato
Institute (December 1, 1999)
Directive 95/46/EC of the European Parliament and of the Council of 24 October
1995 on the protection of individuals with regard to the processing of personal data and
on the free movement of such data