European Data Directives: A U.S. Perspective
Ronald L. Plesser
Piper & Marbury
The European Community's draft Directive on the confidential treatment of personal data is of concern for two reasons.
First, under the terms of the draft Directive, it may become more difficult to do business in Europe. Clearly, all European national laws will have to be amended with the additional requirements of the draft Directive. Some countries, like Germany, focus on the rights of record subjects. Others, like France and the U.K., focus on some form of data base registration with increased central government authority to oversee privacy practices. The draft Directive adopts both approaches. Therefore, every country will, to some extent, have to revise its current statutes. These changes will both increase regulatory requirements and increase the risk of violating an individual's statutory rights regarding certain practices. In some cases, certain uses of information will be prohibited. These prohibitions may affect direct marketing, debt collection, credit, medical research, and other commercially accepted practices.
Moreover, since all of the member states' laws will have to be changed, there will be significant business disruptions. This could have been avoided by adoption of the Council of Europe Convention, which has already been adopted by most European Community members.
Second, and of equal importance to U.S. companies, is the transborder flow of personal data to non-EC countries. The Directive states that member countries may be limited to transferring personal data only to countries that have "adequate" privacy laws. This is of concern to U.S.-based companies that employ Europeans, provide pension benefits to them, or do business with them, and that need to transfer personal data to the United States. Similarly affected will be drug companies doing medical research, insurance companies, credit card companies, and banks. They all may be limited in transferring personal information to the U.S. because, under the Directive, the data commissions of each country may prohibit the transborder flow of personal data. U.S. privacy laws follow a sectorial approach rather than the omnibus approach of the Europeans. Whether the U.S. laws are "adequate" remains an open question. It is also important to note that the draft Directive asserts jurisdiction over files that contain data on Europeans, even when those files are located in non-member countries.
Summary of Analysis
The draft Directive's proposals go far beyond what is needed to accomplish the Directive's laudable, twin goals of protecting the subjects of personal data collection and the transborder flow of personal data. Indeed, the proposals exceed the principles for data protection contained in the 1981 Council of Europe Convention for the Protection Of Individuals With Regard To Automatic Processing Of Personal Data. Thus, while the privacy principles embodied in the Directive reflect appropriate privacy concerns, the specific requirements are not well focused on resolving the issues raised.
The draft Directive is also incomplete. It fails to address the issue of unauthorized access to stored data or data in the process of being transmitted over telecommunications facilities. Rather, the focus of the Directive is almost exclusively on the ability of controllers of files to collect or process personal data. This narrow focus leaves the subjects of legitimate personal data collection unprotected against unauthorized access to the data. While there is a separate Directive on communications privacy, it does not cover issues raised by data stored by non-telecommunications organizations, as the Electronic Communications Privacy Act (ECPA) enacted in the United States does. ECPA creates significant rights of individuals to prevent governmental access to remotely stored electronic data.
The draft Directive's primary flaw is its imposition of unduly burdensome requirements on commercial users of data without substantially benefitting the individual. The notion of informed consent lies at the heart of this problem. The Directive proposes a general prohibition against the collection or processing of personal data by commercial entities unless consented to by the subject of the personal data or specifically authorized by law. This consent would be invalid unless, among other things, the data user previously supplies the data subject with very specific information and the consent itself specifies the forms of processing authorized and the potential recipients covered by it. The informed consent approach serves as a barrier to the free flow of information and to legitimate uses of personal data in, for example, the credit and banking, insurance, and direct marketing industries. It can even impact the political process by preventing political organizations from recruiting new members or educating the public through direct mail campaigns, because in neither instance are the recipients of materials "members who have consented to being included" in the files (1).
A notice approach, whereby the user informs data subjects of its use of personal data about them and advises them of their right to object to such use, is a more effective and less burdensome means of accomplishing the Directive's goals. This approach favors the free flow of information except where such disclosures impinge on personal rights. Indeed, the Directive recognizes the merits of the notice approach by applying it to governmental users of personal data. The notice approach prevails in the United States, with the support of self-regulatory efforts by various industries. Moreover, a recent nationwide Harris poll indicates that the notice approach has the support of an overwhelming majority of Americans (2).
The draft Directive's more restrictive approach to the private sector's collection and processing of personal data makes it unbalanced. Instead of applying the notice approach only to the processing of information by the public sector, the Directive should extend that approach to such activities by either governmental or commercial entities.
(1) See Draft Directive, Article 2(b).
(2) See "The Equifax Report on Consumers in the Information Age: A National Opinion Survey" (1990).
Copyright, 1991, Jim Warren & Computer Professionals for Social Responsibility
All rights to copy the materials contained herein are reserved, except as hereafter explicitly licensed and permitted for anyone: Anyone may receive, store and distribute copies of this ASCII-format computer textfile in purely magnetic or electronic form, including on computer networks, computer bulletin board systems, computer conferencing systems, free computer diskettes, and host and personal computers, provided and only provided that:
- this file, including this notice, is not altered in any manner, and
- no profit or payment of any kind is charged for its distribution, other than normal online connect-time fees or the cost of the magnetic media, and
- it is not reproduced nor distributed in printed or paper form, nor on CD ROM, nor in any form other than the electronic forms described above without prior written permission from the copyright holder.
Created before October 2004