
10-29-98
EUROPEAN PRIVACY LAW MAY THREATEN U.S. BUSINESSES, EXPERT SAYS
COLUMBUS, Ohio -- Many U.S. companies face possible legal
troubles and disruption of their business overseas because of a
tough new European privacy law, according to a new book
co-authored by an Ohio State University law professor.
In their book None of Your Business: World Data Flows,
Electronic Commerce, and the European Privacy Directive (1998,
Brookings Institution Press), co-authors Peter P. Swire, Ohio
State professor of law, and Brookings Institution economist
Robert Litan detail effects of the European Union Data Protection
Directive, which went into effect Oct. 25.
The EU directive imposes a minimum standard of data privacy
protection in Europe for the EU’s 370 million citizens. The
directive broadly defines personal data as “any information
relating to an identified or identifiable natural person,”
including phone numbers, e-mail addresses and any other
information that can be linked to a specific person.
“The big rule is that after October, data can’t be
transferred to countries that lack ‘adequate’ protection. And
the EU will not make a finding that the United States has
adequate protection,” Swire said. “Nor has it said it is
inadequate across the board. So all transfers to the United
States are potentially at risk under the new law.”
Swire said the book’s primary purpose is to alert American
businesses about the effects of the new requirements.
“Although it is unclear how strictly these rules will be
enforced under the directive,” he said, “any company with
European operations should examine its own privacy practices to
make sure they comply with European laws.”
Industries such as health care, airlines, direct marketing,
higher education and even the news media are likely to struggle
the most with the new standards, Swire suggested. “Some U.S.
marketing practices would be directly against the European Union
law,” he said.
Investment banking operations, auditing practices and human
resources records -- even something as basic as the creation of
e-mail or telephone directories -- also could be hit particularly
hard by the new rules. U.S. reporters accustomed to First
Amendment protections may encounter restrictions on reporting of
personal information about people in Europe, including Americans.
And European consumers may be prevented from buying products from
U.S. World Wide Web sites.
“Europeans begin with the assumption that information
belongs to individuals, and use of data involves the human rights
of the individual,” Swire said. “American businesses have often
taken the position that they own rights to information and have
the right to use it as they see fit.”
Swire and Litan propose that affected organizations in the
United States consider adopting self-regulatory measures designed
to bridge the gap between European and U.S. privacy laws. Swire
is part of a national team of legal experts developing model
contracts that U.S. companies could use when they transfer
personal data out of Europe. The contracts would serve as a
guarantee that American companies would comply with the EU
directive despite the less stringent approach to privacy
protection in the United States.
“Without contracts, many transfers would violate the
language of the law,” Swire said. “We recommend to Europe that
they support the model contracts approach. In the EU’s first
official statement on this, it said contracts would rarely be
used. But more recently, the EU has recognized that contracts
are an essential component to allowing companies to comply in
good faith.”
The authors also propose the creation of an Office of
Electronic Commerce and Privacy Policy in the U.S. Department of
Commerce to provide an ongoing institutional mechanism for
handling the range of privacy and electronic commerce issues sure
to develop in the Internet Age. For the time being they do not,
however, recommend a comprehensive regulatory approach to data
protection in the United States.
The EU directive was adopted three years ago and went into
effect on Oct. 25, requiring each member state to pass national
legislation that complies with the directive’s minimum standards.
It requires that individuals: be told how personal data about
them will be used; receive an opportunity to see and correct data
held by companies; be given notice before data is forwarded to a
third party for marketing purposes; and be able to opt out of such
marketing free of charge. The directive also calls for
establishment of a national privacy agency in each of the 15 EU
countries.
The regulations do not apply to information passing through
Europe only in transit or to data used for entirely nonbusiness
purposes. The directive allows for exceptions to the
restrictions if the individual in question gives unambiguous
consent in advance of the transfer; if personal information is
needed to complete a transaction, such as a shipment into Europe;
or if a contract between a U.S. and European business indicates
European standards will be followed in the United States.
If companies improperly process data in Europe or send it
abroad illegally, national authorities will be able to seek
injunctions, fines and even criminal sanctions in extreme cases.
The directive also requires that people whose data is mishandled
be allowed to seek compensation.
#
Contact: Peter P. Swire, (614) 292-2547; Swire.1@osu.edu;
http://www.osu.edu/units/law/swire.htm
Written by Emily Caldwell, (614) 292-8309; Caldwell.151@osu.edu