The perfect storm: the safe harbor and the directive on data protection.

AuthorEwing, Mike
PositionPersonal data privacy law
  1. INTRODUCTION

    With the stunning recent growth of international electronic commerce, issues of personal privacy have become far more visible. Consumers express increasing concern with the ability to control their private information, and many nations are responding by considering or passing regulations. (1) Such regulations are classified as data protection laws. (2)

    The concept of data protection in U.S. law falls within the loose conglomeration of rights that comprise privacy law. The terms are often muddied, and require a clearer definition. As Professor Joel Reidenberg has suggested, "The terminology for standards of fair information practice has been poorly defined in the United States" (3) He continues:

    The term "privacy" is often used to describe the allocation of rights to personal information. This rhetoric is confusing. "Privacy" serves as a catch-all term, protecting a variety of interests ranging from government intrusion into the bedroom to the inviolability of telephone communications. Although fair information practices may be subsumed under the broad "privacy" label, the standards represent a narrower and distinct interest: maintaining the integrity of personal information and fairness to the individuals about whom the data relates. Specifically, such standards apply to the collection, storage, use, and disclosure of personal information. (4) U.S. privacy laws generally deal with concepts of "invasion." (5) They stem from what Warren and Brandeis immortalized as "the right to be let alone" in their landmark Harvard Law Review article first arguing for the creation of an individual right to privacy. (6) Privacy laws also deal with the specific disclosure of "private" facts; behind this apparent tautology is the concept that freely available information should be unprotected. (7) Privacy laws function more to define what is not protected than what is.

    Both of these legal foundations will have difficulty weathering new technologies and attitudes about personal data privacy. The invasion concept, while flexible to a point, may fail to encompass broad issues of the passivity of modern data collection. (8) Further, the collection of such information, even if seen as publicly available and not worthy of protection, is significantly impacted by the new ability to store and analyze enormous amounts of such information. New technologies allow the creation of massive databases of so-called public information, which while unprotected by U.S. law, may reveal singly private patterns. (9)

    These technologies also impact the psychological foundations of privacy laws. The new passivity of collection and the ease with which such data is used and transferred has begun to create growing concerns among American consumers about electronic privacy. (10)

    The foundry for much change in data protection legislation has been the European Union. European data protection standards have gradually evolved to address the issues above, granting broad rights to data subjects in an effort to address the passivity issue, and broad control rights to deal with the potential for escalating secondary uses. (11)

    Two documents in the 1980s, the Organisation for Economic Cooperation and Development's (OECD's) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, (12) and the Council of Europe's Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data, (13) were the first European attempts to consolidate and harmonize national data protection legislation.

    The range of these documents was extended by an E.U. directive, Directive 95/46/EC of the European Parliament and the Council of 24 October 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and the Free Movement of Such Data. (14) The Directive sought to further limit the collection and use of personal data, and granted individuals significant rights to access collected data and consent to its collection. (15)

    The Directive also forced European nations to ensure that any non-participatory nation provides an adequate level of protection before data may be transferred to that nation. (16) This presented a significant problem for U.S. organizations seeking to participate in Europe's growing information marketplace. The United States Department of Commerce and the European Commission entered into protracted negotiations to reach an agreement whereby U.S. organizations could meet the adequacy requirements. (17) The result was the Safe Harbor Privacy Principles, (18) a voluntary program through which a U.S. organization could receive certification that its data protection standards were adequate within the meaning of the Directive. (19)

    This paper will analyze the refinements in European data protection standards that resulted in the ultimate passage of the Directive. Part II is an analysis of the OECD Guidelines, and Part III covers the Council of Europe Convention. Part IV is an examination of the Directive, focusing on the new commitment to individual rights and limited collection and use principles it requires. Part V is a discussion of the Safe Harbor Principles, and their inadequacy in light of the broad protections guaranteed by the Directive.

  2. THE OECD GUIDELINES

    The first effort to reconcile inconsistent international data protection laws occurred in 1981. (20) The Organisation for Economic Co-operation and Development (21) Council set forth the Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (Guidelines). (22) As the preface to the Guidelines suggests, "[t]he development of automatic data processing, which enables vast quantities of data to be transmitted within seconds across national frontiers, and indeed across continents, has made it necessary to consider privacy protection in relation to personal data." (23) At the date the Guidelines were promulgated, nine OECD member countries had passed privacy protection legislation, and five more nations were considering draft bills. (24)

    The OECD Council recognized that these varying regulatory schemes were a valuable preservation of human rights, but that the disparities could disrupt the free flow of personal data. (25) The Guidelines thus attempt to balance privacy and individual liberties with the removal of "unjustified obstacles to transborder flows of personal data." (26) The Guidelines contain eight principles to achieve this end:

    * Collection limitation principle: Data collection should be by fair means, with the knowledge or consent of the subject.

    * Data quality principle: The data should be relevant to the purpose for which it is to be used, and should be accurate, complete and kept current.

    * Purpose specification principle: A purpose should be specified at or before collection, and subsequent uses must comply with that purpose.

    * Use limitation principle: No disclosure or use should occur for purposes other than the specified use without consent of the subject or authorization by law.

    * Security safeguards principle: There should be reasonable precautions to protect data against loss and unauthorized access.

    * Openness principle: Developments, practices, and policies of personal data use, along with the existence and nature of the data, should generally be open.

    * Individual participation principle: The individual should be allowed to verify the existence of data concerning him, to obtain the information, and to correct or erase any challenged data relating to him.

    * Accountability principle: Persons who control the data are responsible for compliance with national law regarding the data protection rules. (27)

    These eight basic principles are intended to serve as a framework for the protection of data privacy at the national level. (28) The Guidelines apply to personal data, defined as "any information relating to an identified or identifiable individual," and apply to both the public and private sectors. (29) They are minimum standards, and may be supplemented by appropriate national legislation or regulation. (30)

    The Guidelines make clear, however, that any supplementation or modification should not unjustifiably interfere with the transborder flow of information. (31) The preservations of individual liberty offered through the eight principles above are thus balanced against the stated goal of preserving the free flow of data between Member countries. (32) The principles offer individuals some quality control over their personal data, and suggest that data collection and processing rights are limited. (33)

    The division between quality rights and limitations on collection and use in the Guidelines tends to blur, however. Section 8, the Data Quality principle, clearly offers data subjects some quality rights by suggesting data be accurate, complete and up-to-date. (34) Paired with section 13, the Individual Participation principle (granting data subjects the ability to confirm the existence of data, to obtain the data, and to correct or destroy it if challenged), (35) the Guidelines grant data subjects a fairly broad right of control.

    Section 7, the Collection Limitation principle, contains a mixture of control and use rights by acting both to limit collection of personal data, and also requiring "the knowledge or consent of the data subject." (36) Section 12, the Openness Principle, requires disclosure of both data practices and policies and the means to determine the existence and nature of personal data. (37) It also requires openness about the use of the data, as well as the identity of the data controller. (38) Openness in the existence and nature of data falls more closely under the right to data quality, while disclosure of use, policy, purpose and the controller's identity are collection and use rights. (39) Of course, a policy of openness provides little benefit without an accompanying remedy, which does not directly exist in Section 12. (40)

    The goal of the...

To continue reading

Request your trial

VLEX uses login cookies to provide you with a better browsing experience. If you click on 'Accept' or continue browsing this site we consider that you accept our cookie policy. ACCEPT