Global Privacy Protection – No One Set of Rules
The privacy laws of Europe and the United States are not the same. In general, European law requires that companies safeguard personal information and not use or release it without the individual’s express consent. The United States, by contrast, has taken an “opt-out” view – unless an individual has expressly indicated that personal data cannot be used or shared with third parties, a company may do so. This is coupled with an emerging consensus that consumers have the right to disclosure of how their data might be used or shared, with consent implied if the person does not affirmatively indicate that the data should not be so used or shared. The “opt-in” rules of Europe and the “opt-out” rules of the United States are oversimplifications. They represent, however, a basic difference in starting point for how the privacy of personal information is viewed.
The European Union’s Directive on Data Protection was enacted several years ago. Most EU countries have enacted “opt-in” laws that forbid the transfer of most personal information about individuals without their express consent. EU country laws generally do not protect corporate or non-personal information, but treat as confidential almost all personal information, including birth dates, purchasing patterns and financial information. The European approach is a system of central government control. This contrasts with the highly decentralized U.S. approach. Depending on the subject matter, personal information in the U.S. may be governed by trade industry codes, state law, the Federal Trade Commission or U.S. statute (for financial institutions). Because of this, Europe does not consider the United States to be a country that adequately protects personal information. Because the EU directive and European laws forbid transfers of personal information to third countries that do not adequately protect privacy, this has created liability for U.S. and European companies in their transfer of personal data.
Europe responded by offering a “safe harbor” approach available to individual companies. A U.S. company with significant relationships with EU persons can commit to the same “opt-in” approach as it would have to respect if it were operating in Europe. The voluntary U.S.-EU safe harbor program was adopted by about 130 U.S. companies in its first year. These companies commit to “opt-in” safe harbor principles, and have subjected themselves to voluntary private enforcement procedures and regulatory oversight that would not otherwise be required. Financial services companies are excluded from the program.
There are exceptions for companies that want to engage in data flows of European personal information but do not wish to enter the safe harbor program. First, transfers of data are permitted where they are necessary on substantial public interest grounds or to defend the legal rights of the holder of the data (e.g., for litigation in the U.S.). A “vital interest” exception allows data transfers about EU individuals to protect their health or safety (e.g., medical information given to a U.S. doctor treating a European patient).
Second, model contract clauses have been approved by the EU. Companies that adopt and use them may receive and transfer data involving Europeans. Introduced in June 2001, the model contract clauses embrace similar principles to the safe harbor program:
- specified limits on data usage, disclosure and retention
- insistence that data be updated, accurate and limited to the purpose specified
- required disclosure of how the data will be used or shared
- adequate confidentiality and security controls
- limits on further disclosures, and
- an express opt-out option from the use of personal information for marketing.
Adopting the model contract language should not be done without understanding the legal implications. A U.S. company that uses the clauses would be jointly liable with an EU data transferor for damages suffered by individuals if their privacy is breached. Some EU countries require that contracts be deposited with their central authority, or no protection is available. For this and other reasons, the model contract approach has not been used much.
U.S. companies that need access to volumes of personal information about Europeans must decide how to handle their EU-origin data. The safe harbor principles continue as an option, although technically each EU country is free to enforce its own privacy rules, which differ in certain details country-by-country. Enforcement has been spotty, but in high-profile cases, it is sure to come, and would be costly and embarrassing to an infringing company.
The European approach and the U.S. approach represent only the two opposite poles of the privacy law spectrum. Other countries regulate personal data flows as well. In an age of global information sharing, national rules are important limits on how personal information can be used and transferred across national boundaries.