Lex 8256: The Law in Cyberspace Seminar
US vs. EU privacy law
-Betina Schlossberg
In 1995, the European Union adopted Directive 95/46/EC, establishing
the EU’s policy as regards international electronic commerce, and
requiring that every EU member protect the processing of personal data.
This directive, which became effective in 1998, prohibits the transfer
of personal data to non-EU members that cannot guarantee an “adequate
level of protection.” Please read http://www.privacy-and-data.com/european-union.php.
It will give you a short factual description of this policy.
On the other hand, the U.S. does not have such strict regulations as
regards personal information. Please read http://www.privacy-and-data.com/privacy-law.php.
The US Department of Commerce says “the United States takes a different
approach to privacy from that taken by the European Union” – but it
does not identify that approach. However, facing a possible
interruption of business movement between the US and the EU, “the US
Department of Commerce in consultation with the European Commission
developed a 'safe harbor' framework.” This safe harbor is a way in
which US companies can self-regulate, guaranteeing the EU
that they provide “adequate” privacy protection, as determined by
Directive 95/46. Please read the European Commission's Decision
2000/520/EC, which states that the US Safe Harbor ensures the level
of protection required by EU law. This decision includes four annexes.
Annex I is the Safe Harbor Privacy Principles, as issued by the
Department of Commerce in 2000. Annex II is the FAQ posted by the
Department of Commerce to help those companies interested in
subscribing to the Safe Harbor. Annex III is the Safe Harbor
Enforcement Overview; actually, it describes the different US
regulations as regards privacy. Annex IV describes damages for breaches
of privacy in US law. After reading the decision and the annexes, what
do you think? Is the Safe Harbor a real agreement on privacy
issues? Is it the US giving in to the EU’s stricter policy, or is
the EU closing its eyes to non-compliance with its privacy policy for the
sake of US-EU commerce? Does the FAQ section really help?
In 2002, the European Parliament and the Council issued a directive on
the processing of personal data and the protection of privacy in the
electronic communications sector. Please read Directive 2002/58/EC (html
or pdf).
The directive makes clear, in Article 2, that it is a complement to
Directive 95/46. This directive deals with issues from spam to itemized
billing. Should we enact something similar in the US? Why or why
not?
After the Safe Harbor, all differences should have been resolved.
However, the demands on both the US and the EU regarding how to proceed
with the personal information of air passengers still present a hot
issue. Both sides are constantly pressing for more or less information.
A recent European Court of Justice ruling determined that handing
passenger information to non-European countries (US) was illegal. As a
consequence, a new air passenger data-sharing agreement came to light.
How do you like it? Please read this news report.
Finally, the following articles are short and will make you smile and
think. They leave the academic arena and focus on everyday life. Please
read “EU may be powerless to stop US snooping” and “EU data directive bans
church teacher, dog owner Swedish web sites.”
Last, but not least, please read “US vs. EU: How do they measure up on
privacy?” Do you agree with
Ponemon’s position? Do you see anything wrong here?