
The EU Privacy Directive: Society-Driven Personal Data Protections Serving as an Impediment to Global Business

February, 2006

by Allison K. Ferrini

In an ever-growing global economy, the increased mobility of information has, in most ways, made life simpler for businesses operating internationally; in other ways, however, it has made life far more complex.  Privacy laws and data protection provisions of various nations often contradict one another and are as diverse as the countries that provide them.  It can be a complicated process to establish which nation’s or nations’ laws apply and what liability a corporation may face for violations.  This article will briefly address the rising security protections on personal data under the Directives of the European Union (“EU”) and the potential liability for non-complying businesses.

Background

Whereas the United States (“U.S.”) has always taken an opt-out, free-access approach to direct marketing and the use of private personal information, the EU and its Member States value personal privacy as a fundamental right.  Thus, the EU has tackled harmonizing the fragmented European national data protection laws in an all-inclusive fashion by mandating that EU Member States legislate the provisions of the EU Privacy Directive (“Directive”) into national laws, while the U.S. regulates only through sporadic, narrowly tailored, sector-specific legislation targeted at certain industries.

The Law

EU Directive 95/46/EC, adopted in July 1995 and effective in October 1998, has two primary objectives:  1) protecting the fundamental right of privacy; and 2) promoting the continued free flow of personal data between Member States.  The Directive creates an expectation of privacy, with some limited exceptions for public interests and private party legitimate interests.  Under the Directive, a business can collect personal data only in six situations:  1) where the individual unambiguously consents; 2) where the process is required to fulfill a contract requested by the individual; 3) where the process is required by law; 4) where it is necessary to protect the individual’s own vital interests; 5) where it is necessary for a public interest/government function; or 6) under the catch-all provision whereby the business has a “legitimate interest” in gathering the data, not outweighed by the individual’s rights.  The Directive provisions apply to personal data processed through computerized data processing, as well as to non-computerized paper files if the files are maintained in an individually identifiable and searchable form.  “Personal data” is defined as “any information relating to an identified or identifiable natural person.”

The Directive also has rules on the transfer of information to locations outside the EU, requiring the transferee business’s country of location to have adequate levels of privacy protection in place as a prerequisite to data transfer.  If the country the business is located in has inadequate levels of protection, a “safe harbor” provision may be put into place as a gap-filler.  The U.S. Commerce Department’s Safe Harbor Agreement with the EU, negotiated in July 2000 and effective in November 2000, allows companies wishing to do personal data processing work to agree to and sign a commitment (with the Commerce Department) to abide by certain conditions and make certain assurances under the terms of the agreement.

It is vitally important to recognize that while participation in the U.S.-EU Safe Harbor Agreement has grown steadily (currently 766 participants), the provisions apply only to the flow of data from the EU to U.S. organizations in sectors subject to the jurisdiction of the Federal Trade Commission (“FTC”) or the Department of Transportation (“DOT”), both of which guaranteed, during the negotiation of the agreement, enforcement actions for non-compliance; thus, the safe harbor provisions are not a substitute for generally complying with Member State national laws.

Notably, the Directive was strengthened in July 2002 under a new Directive on privacy and electronic communications (“New Directive”) 2002/58/EC, effective in October 2003.  The New Directive has stringent requirements with respect to personal data processing in electronic communications that go far beyond the scope of the safe harbor principles under the original Directive.  One of the harsh changes is the “anti-spam” provision requiring that persons may be directly contacted for marketing purposes only if they consent or opt-in (the safe harbor provisions allowed both opt-in and opt-out approaches).

Potential Liability

The Directive does present a legal challenge - it grants individual rights of enforcement, and businesses may be subject to penalties in the U.S. as well as abroad for violation.  The Directive requires that individuals be granted the right to seek a judicial remedy for any breach of a Member State’s national privacy law on personal data transfer, as well as a right to recover compensatory damages and dissuasive penalties (akin to punitive), where appropriate.  The Member States have all implemented Directive 95/46/EC by effecting national legislation that provides for the voicing of complaints to an administrative agency, civil and/or criminal liability for non-compliance, and private individual rights of action for compensation, pecuniary, and sometimes non-pecuniary damages.

Additionally, when data is flowing from the EU to the U.S. in accordance with the Safe Harbor Agreement, any misrepresentations made to the public or to the Commerce Department (or its designee) concerning the business’s compliance may be actionable by the FTC (or Department of Justice) or Commerce Department, respectively, resulting in civil penalties with each day of non-compliance constituting a separate violation.  Also, private causes of action may be available under the Electronic Communications Privacy Act of 1986, Telecommunications Act of 1996, or the Consumer Credit Reporting Reform Act of 1996, under certain circumstances.

Finally, all fifty states, plus the District of Columbia, Guam, Puerto Rico, and the U.S. Virgin Islands have enacted laws to prevent unfair or deceptive trade practices, and in 46 jurisdictions, the law allows private actions for actual, double, treble, or punitive damages and, in some cases, recovery of costs and attorney’s fees.  Moreover, the right to recover damages under private causes of action for invasion of personal privacy is well established under U.S. common law.  As the Safe Harbor Agreement between the U.S. and EU only pertains to practices under the jurisdiction of the FTC and DOT, the state law private rights of action could be a real threat to those businesses accepting personal data from the EU.

Learning Point:

Although enforcement actions are not yet commonplace, the Directive’s complexity and multiplicity of available enforcement scenarios should be addressed by each global business.  The Directive and Member State national privacy laws may act as a barrier to global information transfer.  A business with an office in Europe and one in the U.S. (or another country) may be unable to transfer customer data or even personnel data without making adequate assurances of protection.  Likewise, a U.S.-based business (or a business located in another inadequately assured country) may take an order from a European consumer over the internet but be unable to complete the order because that business or its webpage provider (as data controller) does not meet the Directive’s adequacy conditions and cannot transfer personal data.  Although a business could attempt to comply with the Directive by including clauses in contracts that follow the Directive’s requirements, the potential for liability is ever present.

Please contact Allison at abaten@clausen.com if you would like additional information on this issue.

Back to CM Report: Business Practice Group Report (2006) 2006 Volume 1 Table of Contents

  • © 2006 Clausen Miller PC