European Commission's Directive on Data Privacy
In October 1995, the European Commission issued a parliamentary directive on data protection (Directive 95/46/EC) that contained comprehensive guidelines for safeguarding the privacy of Internet users. The guidelines addressed the collection, storage, retrieval, and dissemination of personal data that could be gathered and transferred over the Web. The directive is aimed at the European Union (EU) member states and constitutes one of the strongest statements regarding the protection of online users' privacy rights in the international Internet forum. By January 2000 about two-thirds of EU member states had adopted the directive.
The directive, which took effect in the fall of 1998, creates a standardized framework for online privacy rights for citizens of all EU member states. It sets out minimum standards that the Internet privacy legislation of each EU member nation must meet. For example, it prohibits the processing and collection of personal data unless the user consents to such an activity. In addition, data considered to be of a particularly sensitive nature—such as that concerning political or religious beliefs, racial or ethnic origin, or sexual preference—cannot be gathered at all, except in cases where the individual user has explicitly agreed, or where pressing medical or legal circumstances mandate it. Finally, the transferal of personal data outside of the EU can only occur if the recipient demonstrates it will provide an "adequate" level of protection for the individual's privacy consistent with the directive's standards. The acceptability of non-EU data recipients is gauged by the industry rules and security measures taken to be the standard in the recipient's country. Under the directive, individual EU citizens may sue for breach of privacy.
The United States lacks clear legal remedies for breaches of data privacy. For this reason, the EU does not consider the American approach to online privacy "adequate" enough to permit data transfers to American companies. This difficulty concerning data transfers affects intranets and e-mail, as well as data transportation on floppy disks and laptop computers.
Critics of the directive—prominent among them governmental officials and industries in the United States—feel that it is too restrictive, and that by privileging user privacy it stifles both economic enterprise and free expression on the Web. In contrast to mandated legislation, American online marketers have argued for industry self-regulation. The United States worked to establish this through the Safe Harbor Privacy Program, which requires that participating organizations voluntarily provide proof to the U.S. Department of Commerce that they have "reasonable data protections" in place. In July 2000, the European Commission ruled that the American Safe Harbor Privacy Principles met the protection standards outlined by the commission directive. According to those standards, Safe Harbor certification can be earned by becoming a member of a self-regulatory program that follows Safe Harbor guidelines; by developing an internal privacy policy that meets those guidelines; or by submitting to an administrative, regulatory, or statutory body or law that provides an acceptable level of data protection.
If such practices satisfy the standards of the EU directive, compliant organizations are exempt from prosecution for violating the directive's guidelines when they transfer personal data into or out of any EU member country. Though a fledgling Safe Harbor program was put into place in 2000, U.S. companies were slow to embrace the terms of the agreement.