Lex 8256: The Law in Cyberspace Seminar

US vs. EU privacy law

-Betina Schlossberg

In 1995, the European Union adopted Directive 95/46/EC, establishing the EU’s policy with regard to international electronic commerce, and requiring that every EU member protect the processing of personal data. This directive, which became effective in 1998, prohibits the transfer of personal data to non-EU members that cannot guarantee an “adequate level of protection.” Please read http://www.privacy-and-data.com/european-union.php. It will give you a short factual description of this policy.

On the other hand, the U.S. does not have such strict regulations regarding personal information. Please read http://www.privacy-and-data.com/privacy-law.php. The US Department of Commerce says “the United States takes a different approach to privacy from that taken by the European Union” – but it does not identify that approach. However, facing a possible interruption of business movement between the US and the EU, “the US Department of Commerce in consultation with the European Commission developed a 'safe harbor' framework.” This safe harbor is a way in which US companies can self-regulate, guaranteeing the EU that they provide “adequate” privacy protection, as determined by Directive 95/46. Please read the European Commission's Decision 2000/520/EC, which states that the US Safe Harbor ensures the level of protection required by EU law. This decision includes four annexes. Annex I is the Safe Harbor Privacy Principles, as issued by the Department of Commerce in 2000. Annex II is the FAQ posted by the Department of Commerce to help those companies interested in subscribing to the Safe Harbor. Annex III is the Safe Harbor Enforcement Overview; in practice, it describes the different US regulations on privacy. Annex IV describes damages for breaches of privacy in US law. After reading the decision and the annexes, what do you think? Is the Safe Harbor a real agreement on privacy issues? Is it the US giving in to the EU’s stricter policy, or is the EU closing its eyes to non-compliance with its privacy policy for the sake of US-EU commerce? Does the FAQ section really help?

In 2002, the European Parliament and the Council issued a directive on the processing of personal data and the protection of privacy in the electronic communications sector. Please read Directive 2002/58/EC (html or pdf). The directive makes clear, in Article 2, that it is a complement to Directive 95/46. This directive deals with issues from spam to itemized billing. Should we enact something similar in the US? Why or why not?

After the Safe Harbor, all differences should have been resolved. However, the demands on both the US and the EU regarding how to proceed with the personal information of air passengers remain a hot issue. Both sides are constantly pressing for more or less information. A recent European Court of Justice ruling determined that handing passenger information to non-European countries (the US) was illegal. As a consequence, a new air passenger data-sharing agreement came to light. How do you like it? Please read this news report.

Finally, the following articles are short and will make you smile and think. They leave the academic arena and focus on everyday life. Please read “EU may be powerless to stop US snooping” and “EU data directive bans church teacher, dog owner Swedish web sites.”

Last, but not least, please read “US vs. EU: How do they measure up on privacy?” Do you agree with Ponemon’s position? Do you see anything wrong here?