European Union (EU)
Privacy Directive Enters Into Force
(Originally published in Messaging Magazine, January/February 1999)

By John B. Reynolds, III, Wiley, Rein & Fielding
with contributions by Anne Hoge and John Papandrea

On October 25, 1998, the EU's Directive on the Protection of Personal Data ("the Directive") came into effect.¹ Although the Directive is designed to enhance the transfer of data among EU member states, it also prohibits transfers of data to non-EU countries such as the United States unless they provide "adequate protection" for the data. The United States does not have a comprehensive data privacy law and, generally, has promoted industry self-regulation rather than legislation as the best means of balancing privacy interests against the demands of electronic commerce. Moreover, the EU has not determined that existing non-statutory mechanisms that the United States has meet the Directive's "adequate protection" standard. However, rather than interrupt the transatlantic flow of data, which is critical to both the internal administration and ongoing business of many U.S. companies, U.S. and EU officials have agreed on a temporary "standstill" during ongoing talks about approaches to electronic privacy protection. This standstill period provides an opportunity for companies to examine their ability to comply with the Directive and make appropriate adjustments in their data protection programs and procedures.

While appreciable differences remain, it is clear that both sides recognize the need to ensure that personal data about individuals is protected from non-consensual use. Among the approaches being examined by the United States is a set of "safe harbor" principles, adherence to which would ensure that a U.S. company is not prosecuted for violating the Directive. The Department of Commerce released its proposed "Safe Harbor Principles" along with a request for comments on November 4, 1998.² Although the United States was optimistic that its "Safe Harbor Principles" would be acceptable to the EU, European Commission Spokeswoman Betty Olivi announced at a November 23 press briefing that all fifteen EU member states had deemed the proposal "unacceptable." Despite this setback, however, talks between U.S. and EU officials continue. David Aaron, the Commerce Department's Undersecretary for International Trade, and John Mogg, the European Commission's Director General for the Single Market, met in Washington on December 1, and reaffirmed their commitment to seek a final agreement on data privacy. Aaron and Mogg are scheduled to meet again at the end of January. Until then, Aaron will consult with U.S. industry, and Mogg will seek additional input from the EU member states.

Overview of the Data Protection Directive and Member State Laws

The Directive reflects the EU's philosophy that, while data processing is beneficial, an individual's fundamental privacy rights must be protected in all member states. Further, the Directive ensures that corporations, including U.S. multinationals doing business in the EU, do not circumvent the EU's data protection laws by exporting personal data to destinations not subject to EU privacy rules.

Many EU member states have had data protection laws since the 1980s. However, since these laws are generally not as comprehensive as the Directive, member states will have to enact new legislation to comply fully with the Directive. According to a European Commission official, as of late November, seven member states had enacted new laws, but five of them still needed to adopt additional regulations before the new laws could become effective.

The Directive applies to the collection, transmission, and processing of "personal data"³ within the EU and has three primary components: (i) collection and handling of personal data; (ii) automatic and manual processing of personal data;⁴ and (iii) exportation of personal data out of the EU. The Directive requires member states to ensure that the legislation gives individuals a direct right of action.

Collection and Handling of Personal Data

First, with respect to the collection and handling of personal data, member states must ensure that corporations, including U.S. multinationals doing business in the EU, manage personal data in their possession so that it is:

• processed fairly and lawfully;
• collected for specified and legitimate purposes and not processed further, contrary to these purposes;
• relevant and not excessive for the purpose collected;
• accurate and updated as necessary; and
• kept in a form that permits identification of data subjects for no longer than necessary.⁵

Moreover, individuals to whom this personal data relates must be informed of the identity of the controller, or individual in charge of the data, whether the data subjects are required to submit their personal data to the controller, their right of access to the data, and their right to correct any errors in the data.⁶

Processing of Personal Data

Second, corporations may not "process" this personal data, even within the EU, unless:

• the data subject has unambiguously given his or her consent;
• processing is necessary for the performance of a contract to which the data subject is a party or at the request of the data subject prior to entering into a contract;
• processing is necessary for compliance with the controller's legal obligation;
• processing is necessary to protect the vital interests of the data subject;
• processing is necessary for the public interest or the exercise of official authority vested in the controller or a third party; or
• processing is necessary for the legitimate interests pursued by the controller or a third party, except where the data subject's privacy interests are greater.

In addition, the controller of the data must notify the member state's personal data supervisory authority before carrying out any wholly or partly automatic processing operation.⁷  Thus, under these laws, a controller must not only ensure that the data is adequately protected but also may not process such data unless one of the broad "processing" factors is met. Further, if the data is automatically processed, the controller must notify the member states before processing.

Exportation of Data From the EU

Finally, personal data may be exported from the EU only if the destination country "ensures an adequate level of protection" for such data, or if some exception applies to the particular transfer.⁸  The United States does not have a broad personal data privacy law that applies to both the public and private sectors, and the EU has not determined that existing, non-statutory mechanisms in the United States meet the "adequate protection" standard of the Directive. Accordingly, EU member states may forbid the transfer of certain types of personal data from the EU to the United States unless the transferor can demonstrate that one of the following exceptions applies:

• the data subject has unambiguously given his consent;
• the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of precontractual measures at the data subject's request;
• the transfer is necessary for the conclusion or performance of a contract in the interest of the data subject between the controller and a third party;
• the transfer is necessary or legally required, in the public interest, or for legal claims;
• the transfer is necessary in order to protect the vital interests of the data subject; or
• the transfer is made from a register, which, according to laws or regulations, is intended to provide information to the public and which is open to the public or any person who can demonstrate legitimate interest.⁹ 

Most importantly, a member state may authorize the transfer of personal data to a third country that does not, as a matter of law, ensure an adequate level of protection if the controller can demonstrate the existence and applicability of safeguards sufficient to protect the privacy of the specific export, giving particular regard to contractual clauses that guarantee privacy.¹⁰

Although broad, these exceptions may provide little relief in practice since it will be up to the data protection authorities and courts of individual member states to interpret and apply them. It is quite possible that member states will not interpret these provisions broadly enough to protect U.S. interests. For instance, Greece's new data protection law requires that non-EU corporations actually receive licenses from the Greek Data Protection Authority before personal data may be exported.

U.S. Developments: "Safe Harbor Principles"

Although the United States does not have a single, comprehensive privacy law, it has developed different privacy laws for different categories of personal data. For instance, the Privacy Act of 1974 regulates the collection, use, and dissemination of personal information by federal agencies. In addition, various other federal privacy laws apply to the private sector such as wire-tapping laws, laws that protect individuals' telephone toll records, laws that safeguard personal financial information, and laws that protect personal credit information. Moreover, federal agencies such as the Federal Communications Commission (FCC) have developed regulations regarding the privacy of Consumer Proprietary Network Information (CPNI) and telemarketing. Earlier this year, the Federal Trade Commission (FTC) sought comments from trade associations and industry groups regarding the online collection and use of personal consumer information. In October, as a direct result of the FTC's inquiry, Congress enacted the "Children's Online Privacy Protection Act," which will require the FTC to adopt regulations for commercial websites regarding the collection, use, and disclosure of information about children under the age of 13. Industry groups such as the Direct Marketing Association have also developed guidelines regarding personal data protection.

For the last several months, the Commerce Department has been engaged in talks with the European Commission, and, in November, the agency released and sought comment on its "Safe Harbor Principles."¹¹ The proposals are based on the Commerce Department's discussion paper, "The Elements for Effective Privacy Protection," the 1980 OECD Privacy Guidelines, private sector self-regulatory programs, online privacy programs, and the input of industry and the European Commission.

There are seven "Safe Harbor Principles":

• Notice

To satisfy the notice requirement, an organization must let individuals know:

• what types of personal information it collects about them;
• how such information is collected;
• the purposes for which it collects such information;
• the types of organizations to which it discloses such information;

• the individuals' options for limiting the use and disclosure of such information.¹²

Individuals must receive the required notice when they are first asked to provide the organization with personal information. The notice must be in easily understood, clear and conspicuous language.

• Choice

This is an "opt-out" principle that requires organizations to offer individuals the opportunity to choose whether and how their personal information is used in cases where such use is unrelated to the purposes for which the individuals originally disclosed it.¹³  As in the case of the notice principle, the "opt-out" choice must be presented to individuals in clear and conspicuous language so that this option is readily exercisable. In addition, with respect to certain particularly sensitive personal data, such as a person's race, religion, or ethnic background, individuals must be given an "opt-in" choice. That is, they must affirmatively or explicitly permit the organization to transfer such sensitive information.

• Onward Transfer

According to this principle, an organization must give individuals an "opt-out" option to prevent transfers of their personal information to third parties.¹⁴ Moreover, for any transfer of personal data to third parties, the organization must ensure that the third parties provide at least the same level of privacy protection as that originally chosen by the individual.

• Reasonable Measures of Protection

Companies must take "reasonable measures" to ensure the security of personal information collected.¹⁵ This principle also obligates organizations to take"reasonable precautions" to protect the data from "loss, misuse, unauthorized access or disclosure, alteration, or destruction."¹⁶

• Data Integrity

Companies must protect the integrity of the data they collect. This means that they must ensure that it is "relevant, accurate, complete, and current" and that it has been gathered in accordance with the principles of notice and choice.¹⁷

• Access

The access issue, along with enforcement, has been the most divisive issue in the discussions between the Commerce Department and the European Commission. On the access issue, the EU has insisted that individuals have unconditional access to data collected about them so that they can correct any errors. In an attempt to find a middle ground between this position and the U.S. business community's belief that unlimited access is both unnecessary and impractical, the safe harbor principle of access requires companies to give individuals "reasonable access" to information about them derived from non-public records as well as the opportunity to correct errors.¹⁸ According to the proposal, "reasonableness" of access "depends on the nature and sensitivity of the information collected and its intended uses."¹⁹ For example, companies must give individuals access to "sensitive information" or information that is used to make substantive decisions about the individual.²⁰

• Enforcement

The "Safe Harbor Principles" provide for a number of enforcement mechanisms in cases where privacy rights are alleged to have been violated. Because the proposal describes these mechanisms in very general terms, it is impossible to predict at this point what they will look like in a final safe harbor plan. Nonetheless, it is clear that any safe harbor plan will provide some level of enforcement so that companies do not end up being both judge and defendant when individuals bring complaints about the use of their personal data. The proposal's mechanisms include recourse to third-party dispute resolution and verification and sanction procedures. In addition, the proposal emphasizes that sanctions must be "sufficient to ensure compliance by organizations and must provide individuals the means of enforcement."²¹

The "Safe Harbor Principles" are designed to provide firms with several benefits. As stated above, though member states have expressed concern that the protections offered by the current "Safe Harbor Principles" are not adequate, the European Commission and the U.S. Commerce Department continue to seek an accommodation. First, once accepted by the EU, a "safe harbor" plan would bind all EU member states, thus narrowing U.S. companies' exposure under the Directive to noncompliance with the approved "safe harbor" plan rather than noncompliance with the laws of any given member state. Second, it is hoped that companies within the safe harbor would be exempt from the pre-approval requirements found in the privacy laws of some member states, and that safe harbor participants would be able to take advantage of streamlined and expedited dispute procedures. Finally, companies subscribing to an approved "safe harbor" plan would be given a "grace period" within which to come into full compliance. The United States and the EU are expected to agree on a final "safe harbor" plan sometime during the first quarter of 1999.

Conclusion

The Directive has entered into force and will be fully implemented by EU member states. It is highly unlikely that the substantive requirements of the Directive will be meaningfully amended in the near future. Indeed, member state implementation to date appears more conservative than the Directive requires.

The consultation process between the United States and the European Union is being pursued in good faith and shows substantial progress. Nonetheless, appreciable differences remain. Despite the stated expectations of the United States, the EU has not definitively promised that data transfers will not be blocked by member states during the standstill period.
EU officials have said that they have no authority to block any complaints that might be filed by EU individuals about data transferred to the United States, but U.S. officials have threatened a World Trade Organization challenge to any data interruption. In sum, the differences over individuals' access to information about them and enforcement against violators
of the Directive (or the "Safe Harbor Principles") are substantial, going to the heart of how online commerce should be conducted.

Even a mutually satisfactory accommodation with the EU will not put the issue fully to rest. Numerous non-EU countries with which U.S. companies exchange potentially sensitive data have adopted or are considering privacy laws that could interrupt, or merely burden, international information flows.

Taken together, these developments counsel careful attention to companies' data protection policies regarding information about their customers, stockholders, suppliers, employees, and former employees, and perhaps even casual website visitors. Only by knowing how information is actually collected, stored, processed, and shared can a company begin to assess its exposure under the various domestic and foreign legal regimes that may apply.

Footnotes

1 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

2 International Trade Administration, "International Safe Harbor Privacy Principles," <http://www.ita.doc.gov/ecom/menu.htm> (visited December 3, 1998) ("Safe Harbor Principles").

3 "Personal data" is broadly defined as "any information relating to an identified or identifiable natural person," and an "identifiable person" "is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity." Article 2(a), 95/46/EC. The Directive also relies on the concept of "data controller," defined as the "person, public authority, agency, or other body which alone or jointly determines the purposes and means of the processing of personal data."

4 "Processing of personal data" is defined as "any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction." Article 2(b), 95/46/EC. Notably, while existing personal data processed by automatic means had to comply with the new national laws by October 25, 1998, member states may give controllers up to 12 years to bring existing manually processed data, such as paper files, into compliance. Art. 32(2), 95/46/EC.

5 Art. 6, 95/46/EC.

6 Art. 10, 95/46/EC.

7 Arts. 7, 18, 95/46/EC.

8 Art. 25(1), 95/46/EC. "The adequacy of the level of protection afforded by a third country shall be assessed in light of all the circumstances surrounding a data transfer operation or set of...operations; particular consideration shall be given to the nature of the data, the purpose and duration of the proposed processing operation or operations, the country of origin and country of final destination, the rules of law, both general and sectoral, in force in the third country in question and the professional rules and security measures which are complied with in that country." Art. 25(2), 95/46/EC.

9 Art. 26, 95/46/EC.

10 Id.

11 See "Safe Harbor Principles."

12 Id.

13 Id.

14 Id.

15 Id.

16 Id.

17 Id.

18 Id.

19 Id.

20 Id.

21 Id.