Though it is not law in the United States, the European Union's Data Protection
Directive is an important document in privacy debates today. Agreed to among
European bureaucrats in 1995, the directive requires member countries of the EU
to adopt laws that implement its terms.
The Directive creates rights for persons about whom information is collected, known as
"data subjects." Entities that collect information must give data subjects
notice explaining who is collecting the data, who will ultimately have access to
it, and why the data is being collected. Data subjects also have the right to
access and correct data about them.
This top-down, bureaucratic model imposes heavy costs and inconveniences on
European businesses compared to the American system in which information flows
freely and only harmful uses of information are prevented or punished.
The Directive is also inconsistent in many respects with free speech.
The Directive creates stricter rules for companies that want to use data in direct
marketing, or to transfer the data for other companies for that use. The data
subject must be explicitly informed of these plans and given the chance to object.
Stricter rules also govern sensitive information relating to racial and ethnic
background, political affiliation, religious or philosophical beliefs, trade-union
membership, sexual preferences, and health. Before this information may be collected
the data subject must give explicit consent. There are exceptions to this rule for
employment contracts, non-profits, and the legal system, among other things.
In order not to completely disrupt life in Europe, the Directive is riddled with
exceptions. For example, data may be kept for personal and household use like an
address book. Synagogues, trade unions, churches, and other non-profits are
permitted to keep even "sensitive" information about their members. National
governments are permitted to exempt journalists from provisions of the directive,
if the government thinks free speech might outweigh privacy interests.
Ironically, because governments are the most voracious collectors, users, and sometime
abusers of personal information, governments may exempt themselves from the Directive
when it conflicts with their own interests in taxation or law enforcement. Though it is
inspired by the bloody use some European governments made of sensitive personal
information in the last century, the Data Privacy Directive does not hit that mark.
The Directive fails to address privacy coherently because it does not
recognize a rather fundamental premise: the vast difference in rights, powers, and
incentives between governments and the private sector.
In order for American companies to transfer information about data subjects with
European businesses, the EU and the U.S. Commerce Department negotiated an agreement.
Called the "safe harbor" agreement, it outlines the conditions under which U.S. companies
may receive information about EU data subjects. U.S. companies have have been reluctant
to use "safe harbor."
as a Trade Issue: Guidelines for U.S. Trade Negotiators, by Solveig Singleton,
Heritage Foundation (March 18, 2002)
Safe Harbor Web
site, U.S. Department of Commerce (includes link to "Safe Harbor List" of companies
adhering to safe harbor principles)
Concerns Regarding the EU Data Directive, by Professor Jacob
Palme, Stockholm University (November 30, 2000)
EU-US "Safe Harbor" Privacy Arrangement U.S. Department of Commerce (July 21, 2000)
Privacy and Human Rights: Comparing the United States to Europe by Solveig Singleton, Cato Institute (December 1, 1999)
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the
processing of personal data and on the free movement of such data