Introduction
Privacy concerns have grown with each advance in modern information technology (MIT). MIT has made it easy for virtually every organization to set up a database to track its customers’ habits and purchases. The Internet has heightened that unease because of the ease with which Internet sites can profile web surfers and share that information with others. Consumers have taken notice, however, and they have demanded that web sites protect their personally identifiable information.
The European Union (EU) countries have taken one approach. They have imposed complex procedures directed by powerful institutions in order to protect data, and they have demanded that other countries follow their lead if they wish to trade with them. The United States has rejected the EU demands. Instead, the US has relied on self-regulation to protect individually identifiable data.
This paper examines the impact of
the EU Privacy Directive on the direction of regulation in the United
States. I begin by reviewing the
history of the European Union and its institutions. Next, I analyze the self-regulatory measures introduced in the
United States. Finally, I conclude that
privacy seal programs offer American Internet Sites (AIS) the best mix of
protecting information and minimizing government intrusion.
Background
In order to appreciate the power
and influence of the EU, it is important to understand the structure of
decision making and the institutions that are involved in enacting those
decisions. First, in this section, I
will review the circumstances and the resulting treaties of post World War II
Europe that forged the EU we know today.
Next, I will describe the institutions and procedures necessary to
implement Community Law.
(1) Building a Union
After World War II, political and
economic instability left European nations vulnerable.[1] The Soviet Union threatened the sovereignty
of individual European nations, as evidenced by the Czechoslovakian coup d'etat
in 1948 and the Berlin blockade in 1948-1949.[2] Moreover, the Soviet Union developed nuclear
capabilities in the late 1940’s, adding to European instability.[3]
To bring about a stable unified
Europe, western European nations started to get together.[4] In October 1947, twenty-three countries
signed a joint agreement, the General Agreement on Tariffs and Trade (GATT).[5] Thus began the long road to European
unification.
The next important date is 1957. That year, the Treaty of Rome formed the European Economic Community (EEC), which consisted of six nation-states: Belgium, France, Germany, Italy, Luxembourg and the Netherlands.[6] The United Kingdom was invited to join, but chose not to become a member at that time.[7]
The political and economic success of the EEC encouraged other nations to join the club.[8] In 1973 the United Kingdom, Denmark, and Ireland increased the number of member nations to nine.[9] Next, in the 1980’s, came the "Mediterranean enlargement."[10] Greece joined in 1981 and, in 1986, Portugal and Spain became members.[11] Finally, in 1995 Austria, Finland and Sweden signed up.[12]
Today there are fifteen Member
States in the EU.[13] In 1999, the European Union represented
almost $350 billion in trade with the United States. Only Canada had more trade with the US that year.[14]
(2) Expanding Co-operation
The Treaty on European Union (TEU), which is sometimes referred to as the Treaty of Maastricht, became effective in 1993. The TEU formally restructured the EEC into the European Union. Article 2 of the TEU states the purpose of the EU:
The Community shall have as its task, by
establishing a common market and an economic and monetary union and by
implementing common policies or activities referred to in Articles 3 and 4, to
promote throughout the Community a harmonious, balanced and sustainable
development of economic activities, a high level of employment and of social protection,
equality between men and women, sustainable and noninflationary growth, a high
degree of competitiveness and convergence of economic performance, a high level
of protection and improvement of the quality of the environment, the raising of
the standard of living and quality of life, and economic and social cohesion
and solidarity among Member States.[15]
(3) Institutions of the Union
The TEU establishes institutions
and procedures “necessary to achieve the objectives” of the Treaty.[16] There are three Institutions involved in
formulating much of the EU’s policies and direction,[17]
the European Parliament (the “Parliament”), the Council of the European Union
(the “Council”), and the European Commission (the “Commission”).[18] I will summarize the responsibilities of
each.
The European Parliament
The Parliament is a directly
elected democratic institution[19]
and represents 370 million citizens.[20] The Parliament’s “primary objectives are . .
. to pass good laws and to scrutinize and control the use of executive power.”[21] To accomplish these objectives the
Parliament has three important powers: legislative power, budgetary power, and
oversight power.[22] I will address each in turn.
Legislative Power:
Originally, the Parliament had only a consultative role.[23] Today, in addition to its consultative role, the Parliament has the power to amend and adopt certain legislation.[24] For issues that relate to the internal market, consumer protection, trans-European networks, education, health, and other related issues, legislation is adopted jointly by the Parliament and the Council.[25] This two-tiered decision making procedure is known as "co-decision making".[26]
In addition, the Parliament has a
role in appointing the President of the Parliament and the members of the Commission.[27]
Budgetary Power:
The Parliament approves the
Union’s yearly budget.[28] By withholding its approval, the Parliament
may exercise authority in how funds are distributed, thereby giving it
influence over the content of all legislation.[29] The President of the Parliament must sign
the budget to enact it into law.[30]
Oversight Power:
The Parliament has the obligation
to assure that funds are spent for the purposes agreed upon.[31] Moreover, the Parliament has the duty to
prevent and detect fraud.[32]
It is important to note that the
Parliament is the only EU Institution “that meets and deliberates in public.”[33] Nearly all of the decisions in the EU are
done in secret meetings.[34] In fact, all members and former members of
an EU institution are required “not to disclose
information . . . about the undertakings, their business relations or their
cost components.” [35]
The Council of the European Union
The Council is made up of fifteen Ministers,[36] one named by each Member State.[37] Each Minister is empowered to commit his or her Government[38] and, in turn, is politically accountable to his or her national parliament.[39] Ministers attend Council meetings that deal with specific subject areas,[40] so which Minister attends a given Council meeting depends on the subject matter discussed.[41]
The Presidency
The President of the Council presides over all of the Council meetings.[42] Every six months, the Presidency rotates according to a set schedule.[43] The President of the Council is to host a meeting of the European Council (not to be confused with the Council of the European Union) at least twice a year for a “European Summit.”[44]
The European Council
The European Council is made up
“of the heads of State or Government of each Member State and the President of
the European Union.”[45] The Summit is an informal gathering, where
there are no set procedures.[46]
“The European Council has become
an increasingly important element of the Union, setting priorities, giving
political direction, providing impetus for its development and resolving contentious
issues that have proved too difficult for the Council of Ministers.”[47]
Legislation
The Council (or the Parliament and the Council jointly, where co-decision applies) must adopt a proposal in order for it to become Community law.[48] There are four forms of Community law:
1. Regulations: these are directly applied without the need for national measures to implement them;
2. Directives: bind Member States as to the objectives to be achieved while leaving the national authorities the power to choose the form and the means to be used;
3. Decisions: these are binding in all their aspects upon those to whom they are addressed. A decision may be addressed to any or all Member States, to undertakings or to individuals;
4. Recommendations and opinions: these are not binding.[49]
The European Commission
There are twenty members of the Commission; each member is appointed to a five-year term by his or her home government.[50] The breakdown of the Commission by Member State is:

Country            Commissioners
Germany                 2
Spain                   2
France                  2
Italy                   2
United Kingdom          2
Belgium                 1
Denmark                 1
Greece                  1
Ireland                 1
Luxembourg              1
The Netherlands         1
Austria                 1
Portugal                1
Finland                 1
Sweden                  1
Total                  20
With 16,000 staff members, the
Commission is the largest Institution of the EU.[51] The Commission meets at least “once a week
to adopt proposals, finalize policy papers and take other decisions required of
it.”[52] Commissioners have a duty to act in the best
interests of the European Union, rather than in the interest of their national
governments.[53]
The Commission has three distinct
functions:
1) to initiate proposals for legislation;
2) to be the guardian of the Treaties; and
3) to execute EU policies and actions.[54]
I will address each function
individually.
Initiate Legislation
The Commission initiates Community policy and represents the general interest of the European Union.[55] Before the Commission recommends any legislation, it performs extensive fact gathering. It interviews and seeks comment from individual governments, industry representatives, trade union officials, special interest groups and technical experts.
The Commission recommends action
on an issue “only when it will be more effective than if [action were left] to
individual Member States.”
Guardian of the Treaties
The Commission acts as the
“guardian of the EU treaties to ensure that EU legislation is applied correctly
by the Member States and that all citizens and participants in the single
market can benefit from the level playing field that has been created.” Where necessary, the Commission takes action
against those in the public or private sector that fail to respect their treaty
obligations. “It can, for instance,
institute legal proceedings against Member States or businesses that fail to
comply with European law and, as a last resort, bring them before the European
Court of Justice.”[56]
Execute EU Policies and Actions
The third function of the
Commission is that of the executive body of the EU.[57] The Commission is responsible for
implementing and managing policy.[58] It manages the Union's annual budget,[59]
runs its Structural Funds[60],
and negotiates trade agreements with third countries.[61]
The Commission has played a
leading role in integrating the Member States, by playing the role of mediator
when disputes arise between members.[62] “Its impartiality and commitment to the
common interest make it an accepted mediator by all sides.”[63]
The Privacy Policy of the EU
In order to accomplish the goals
stated in Article 2 of the TEU, Member States are prohibited from establishing
policies that restrict the import or export of goods among the Member States.[64] In addition, each Member State must
establish laws that facilitate the functioning of a common market.[65]
In 1993, before the TEU, Germany and France (the two largest economies in the EU) had legislation that protected their citizens’ data privacy, but several other Member States, such as Italy, had no privacy rules in place at all.[66] The disparity in privacy protection among the Member States threatened to inhibit the flow of data, and therefore of trade, among the member nations.[67]
To ease these concerns and harmonize privacy rules across the EU, the EU enacted Directive 95/46/EC, “on the protection of individuals with regard to the processing of personal data and on the free movement of such data.”[68] The European Community Privacy Directive (the Directive) took effect on October 25, 1998, three years after the Parliament and the Council passed it.[69]
The Directive begins with the premise that data protection is a “fundamental right.”[70] In order to protect this fundamental right, the Directive provides:
Member States shall provide that personal data may be processed only if:
(a) the data subject has unambiguously given his consent; or
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; or
(c) processing is necessary for compliance with a legal obligation to which the controller is subject; or
(d) processing is necessary in order to protect the vital interests of the data subject; or
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed; or
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject which require protection under Article 1 (1).
The Directive was designed to
foster economic trade between the Member States of the European Union. Ironically, the Directive that was designed
to foster trade, may work to disrupt trade between the EU and “third
countries,” most notably the United States.
Article 25 of the EU Privacy
Directive states:
Transfer to a third country of
personal data which are undergoing processing or are intended for processing
after transfer may take place only if . . .the third country in question
ensures an adequate level of protection.
Where a country is found to have inadequate protection, Article 26 spells out a list of exceptions that may allow the transfer of data despite inadequate countrywide protection. Article 26(1) provides that transfers of personal data to a third country which does not ensure an adequate level of protection within the meaning of Article 25 may take place on condition that (in summary):
1) the data subject has given unambiguous consent;
2) the transfer is necessary for the performance of a contract between the data subject and the controller;
3) the transfer is necessary for a contract concluded in the interest of the data subject between the controller and a third party;
4) the transfer is necessary or legally required on important public interest grounds;
5) the transfer is necessary to protect the vital interests of the data subject; or
6) the transfer is made from a register that, according to law or regulation, is intended to provide information to the public.
Article 26(2) continues:
Without prejudice to paragraph 1, a Member State may authorize a transfer or a set of transfers of personal data to a third country which does not ensure an adequate level of protection within the meaning of Article 25 (2), where the controller adduces adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regards the exercise of the corresponding rights; such safeguards may in particular result from appropriate contractual clauses.
Because the proffered protections
are in the form of a “Directive,” they do not apply directly to individual
Member States. Each Member State must
take measures to implement the Directive into national legislation. However, the Directive does establish new
institutions for “coordinating the enforcement authorities of the fifteen
nations.”[71] In addition, each Member State must establish one or more privacy agencies to monitor its national privacy rules.[72]
Privacy Protection in the United States
In the US, privacy protection is
not considered a fundamental right.
Therefore, US privacy laws are not as broad or far-reaching as the
European Union Privacy Directive calls for.
The US data protection laws take a
“sectoral,” [73] some would
say "ad hoc,"[74]
approach. Generally, privacy
protections in the US are limited to the right of the citizen against the
government and do not regulate individual relationships, as does the Directive.[75] Individual relationships are left to private
agreements or self-regulation.[76]
Self-Regulation
Modern information technology, through the Internet, has created an easily accessible worldwide market. American Internet Sites (AIS) are “open” to visitors from around the world, including citizens of the EU. Therefore, unless an EU visitor "unambiguously" gives consent for an AIS to gather, collect and process personal data, or another narrow exception applies, the AIS will be barred from collecting or using that data.[77]
Federal privacy regulations in
the United States are not going to be implemented any time soon.[78] Therefore, in order to continue the flow of
information from the EU, it is incumbent upon AISs to self regulate if they
wish to extend their market and avoid government regulation. This section will examine two
self-regulatory practices that may qualify as “adequate” under the
Directive. First I will summarize the
safe harbor proposal. Then, I will
review seal programs.
(1) Safe Harbor
The American Government has
addressed this threat to trade by negotiating with EU representatives, through
the United States Commerce Department (USCD).[79] The negotiations center on creating a “safe
harbor” for American companies, to “enable them to comply with the requirements
of the European Union's Directive on Data Protection regarding personal data
transfers to third countries.”[80]
On March 14, 2000, after two
years of intense negotiations, the US and EU tentatively agreed on the
principles that the US safe harbor must include in order to be “adequate” under
the Directive.[81]
In order for the safe harbor
arrangement to become effective, the agreement must be approved by a qualified
majority of Member States in the committee established in the Directive.[82] Before seeking the Committee's formal
decision, however, the Commission must consult with the data protection
commissioners of the Member States.[83] Then the Commission must submit the decision
to the European Parliament for approval.[84] Only after the Parliament approves will the
safe harbor become effective.[85] Furthermore, AIS operators must submit to
oversight by the European Data Protection Authorities, the Federal Trade
Commission and the United States Commerce Department.[86]
Soon after the tentative
agreement, the EU balked, declaring that the safe harbor principles “do not go
far enough to protect the rights of the citizens.”[87] Additionally, US groups have protested the
agreement as too intrusive and going too far.[88]
(2) Privacy Seal Programs
The “adequate” standard set by Article 25 of the Directive is not a clear standard. Because it is not clearly defined, the best way to determine what constitutes adequate protection is to review the Working Documents of the EU’s data protection commissioners to see what they consider necessary to establish adequate protection.
This section begins by
establishing what elements comprise adequate protection according to the EU
Commission. Next, I will focus on the
two most popular “Privacy Seal” programs and reveal their elements and
standards. Finally, I will assess
whether these seal programs should qualify for an exemption from the
Directive’s mandates.
What Constitutes "Adequate Protection"?
In 1998, the Working Party of the
EU Data Protection Commissioners[89]
issued a Working Document titled “Transfers of personal data to third
countries: Applying Articles 25 and 26 of the EU data protection directive.”[90] This document lays out the requirements for
answering “all the central questions raised by flows of personal data to third
countries in the context of the application of EU data protection directive.”[91]
The basic principles to be
included are the following:
1. the purpose limitation principle - data
should be processed for a specific purpose and subsequently used or further
communicated only insofar as this is not incompatible with the purpose of the
transfer. The only exemptions to this rule would be those necessary in a
democratic society on one of the grounds listed in Article 13 of the directive.
2. the data quality and proportionality
principle - data should be accurate and, where necessary, kept up to date.
The data should be adequate, relevant and not excessive in relation to the
purposes for which they are transferred or further processed.
3. the transparency principle - individuals
should be provided with information as to the purpose of the processing and the
identity of the data controller in the third country, and other information
insofar as this is necessary to ensure fairness. The only exemptions permitted
should be in line with Articles 11(2) and 13 of the directive.
4. the security principle - technical and
organizational security measures should be taken by the data controller that
are appropriate to the risks presented by the processing. Any person acting
under the authority of the data controller, including a processor, must not
process data except on instructions from the controller.
5. the rights of access, rectification and
opposition - the data subject should have a right to obtain a copy of all
data relating to him/her that are processed, and a right to rectification of
those data where they are shown to be inaccurate. In certain situations he/she
should also be able to object to the processing of the data relating to
him/her. The only exemptions to these
rights should be in line with Article 13 of the directive.
6. restrictions on onward transfers -
further transfers of the personal data by the recipient of the original data
transfer should be permitted only where the second recipient (i.e. the
recipient of the onward transfer) is also subject to rules affording an
adequate level of protection. The only exceptions permitted should be in line
with Article 26(1) of the directive.[92]
Self-Regulation Through Privacy Seal Programs
Privacy seal programs are run by third-party companies that license a logo, the seal, which a participating web site places in a prominent position. The seal lets visitors know that the site has a privacy policy in place and that the company follows the posted policy. Furthermore, by “clicking” on the seal, the visitor is taken to the web site’s privacy policy. A logo by itself is only an image that any site could copy, so the assurance comes from that click-through and from the oversight procedure and dispute resolution process the seal company provides, not from the picture.
This section analyzes the two
most popular seal programs, both of which were recommended by President Clinton
recently. He challenged AISs “to engage
in effective self-regulation, with enforcement by organizations such as
BBBOnLine and TRUSTe.”[93]
I will take a three-step approach. First I will summarize each organization’s history. Next I will review their privacy standards, oversight procedures and resolution processes. Finally, I will compare each organization’s standards to those of the safe harbor, in order to determine whether the standards may qualify as adequate protection under the Directive.
TRUSTe
TRUSTe is the oldest and largest
of the privacy seal programs. The
TRUSTe program was launched in 1997, with 18 licensed sites.[94] In 1998 the number of participating sites
climbed to 279.[95] Recently, TRUSTe awarded its 1000th
privacy seal to X-Collaboration, a Boston-based software company.[96]
The idea for TRUSTe began during
a lecture on "Trust" in March 1996.[97] Lori Fena, Executive Director of the
Electronic Frontier Foundation (EFF), and Charles Jennings, founder and CEO of
Portland Software were attending that lecture.[98] The two met at that meeting and discussed
the need “for branded symbols of trust on the Internet similar to UL Labs or
Good Housekeeping ‘seals of approval.’"[99] The idea took hold and the two worked
together to institute such a program.[100]
TRUSTe is a non-profit
organization “whose mission is to build users' trust and confidence on the
Internet and, in doing so, accelerate growth of the Internet industry.”[101] To that end, TRUSTe awards its “trustmark”
or seal “to Web sites that adhere to established privacy principles and agree
to comply with [TRUSTe’s] oversight and consumer resolution process.”[102]
Privacy Policy
In order to be awarded a TRUSTe seal, a web site must adopt a privacy statement that discloses, at a minimum:
- What personal information is being gathered.
- Who is collecting the information.
- How the information will be used.
- With whom the information will be shared.
- The choices available to users regarding collection, use, and distribution of their information: You must offer users an opportunity to opt-out of internal secondary uses as well as third-party distribution for secondary uses.
- The security procedures in place to protect users' collected information from loss, misuse, or alteration: If your site collects, uses, or distributes personally identifiable information such as credit card or social security numbers, accepted transmission protocols (e.g. encryption) must be in place.
- How users can update or correct inaccuracies in their pertinent information: Appropriate measures shall be taken to ensure that personal information collected online is accurate, complete, and timely, and that easy-to-use mechanisms are in place for users to verify that inaccuracies have been corrected.[103]
Oversight Procedure
TRUSTe uses a three tiered
oversight procedure: initial and periodic review, “seeding,” and community
monitoring.[104] I will address each procedure separately.
(a) Initial and Periodic Review
Before a potential licensee can
complete a TRUSTe application, the applicant must have a privacy policy in
place.[105] In order to assist the applicant, TRUSTe
provides a “Privacy Policy Wizard.”[106] The wizard tailors a policy based on answers
to questions it poses regarding the specific privacy practices of the
applicant’s web site. Next, the
applicant is asked to perform a self-assessment of their internal privacy and
security practices.[107]
After that, a TRUSTe
representative conducts a review and certification process, to ensure that the
stated policy is accessible to visitors and meets the stated requirements.[108] Once an applicant’s site has been approved,
a TRUSTe representative periodically reviews the site to ensure that it
continues to comply with the posted privacy practices and program requirements.[109] The representative also checks for changes
to the site’s privacy policy.[110]
(b) Seeding
In order to verify that a site is complying with its privacy policy, TRUSTe submits unique identifiers to the web site.[111] The web site does not know which submissions are genuine and which are “seeds” planted by TRUSTe.[112] TRUSTe then monitors the seeded identifiers to ensure that the site is “practicing information collection and use practices that are consistent with its stated policies.”[113]
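The seeding procedure is a canary-token check: the auditor plants identifiers that only it knows and then watches where they surface. The following Python is an added example of how an auditor could mint such seeds, record which licensee received each one and the use that licensee’s posted policy declared for it, and attribute any later sighting in an undeclared use back to that licensee. It is not TRUSTe’s code; the ledger class, the audit.example mailbox domain, the HMAC-tagged address format and the observation records are all assumptions constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Seed:
    licensee: str       # site that received the identifier through its own form
    declared_use: str   # use the site's posted privacy policy allows for it


@dataclass
class Finding:
    address: str
    licensee: Optional[str]
    declared_use: Optional[str]
    observed_use: str
    note: str


@dataclass
class SeedLedger:
    """Mints unique identifiers, records who got them, and attributes misuse."""
    domain: str                 # mailbox domain the auditor controls (assumed)
    key: bytes                  # secret that makes addresses self-authenticating
    seeds: dict = field(default_factory=dict)   # address -> Seed

    def _tag(self, nonce: str) -> str:
        # Short keyed tag so the auditor can recognise its own seed even when
        # it surfaces somewhere the ledger cannot be consulted from.
        return hmac.new(self.key, nonce.encode(), hashlib.sha256).hexdigest()[:12]

    def plant(self, licensee: str, declared_use: str) -> str:
        """Mint one address, hand it to `licensee`, remember the declared use."""
        nonce = secrets.token_hex(6)
        address = f"{nonce}.{self._tag(nonce)}@{self.domain}"
        self.seeds[address] = Seed(licensee, declared_use)
        return address

    def is_seed(self, address: str) -> bool:
        """True only for addresses whose local part carries a valid keyed tag."""
        local, _, domain = address.lower().rpartition("@")
        if domain != self.domain.lower():
            return False
        nonce, _, tag = local.partition(".")
        return hmac.compare_digest(tag, self._tag(nonce))

    def attribute(self, observations) -> list:
        """observations: iterable of (address, observed_use, note).

        Returns one Finding per seed seen in a use its licensee did not declare,
        plus one for any genuine seed that is missing from this ledger."""
        findings = []
        for address, observed_use, note in observations:
            address = address.lower()
            seed = self.seeds.get(address)
            if seed is None:
                if self.is_seed(address):   # ours, but minted elsewhere
                    findings.append(Finding(address, None, None, observed_use, note))
                continue
            if observed_use != seed.declared_use:
                findings.append(Finding(address, seed.licensee,
                                        seed.declared_use, observed_use, note))
        return findings


def demo() -> list:
    """Constructed scenario: two licensees, one of them sharing a seed onward."""
    ledger = SeedLedger(domain="audit.example", key=b"constructed-demo-key")
    shop = ledger.plant("shop.example", "order confirmation")
    news = ledger.plant("news.example", "newsletter")
    observed = [                                  # constructed mail log
        (shop, "order confirmation", "receipt from shop.example"),
        (news, "newsletter", "weekly issue from news.example"),
        (shop, "third-party marketing", "offer mailed by partner.example"),
        ("alice@audit.example", "third-party marketing", "not a seed at all"),
    ]
    return ledger.attribute(observed)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.licensee}: seed {f.address} declared for "
              f"'{f.declared_use}', seen in '{f.observed_use}' ({f.note})")
```

The keyed tag in the local part lets the auditor confirm that an address is one of its seeds wherever it turns up, including in data the ledger was not built from; the ledger entry, not the tag, is what names the licensee. Running the block prints a single finding: the shop.example seed, declared only for order confirmations, seen in a third-party mailing.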
(c) Community Monitoring
TRUSTe also relies on visitors of
the web site to “report violations of posted privacy policies, misuse of the
TRUSTe trustmark, or specific privacy concerns pertaining to a licensee.”[114] After all, the visitors of the web site are
the parties that are protected by the TRUSTe program.[115] If they want to voice a complaint or concern
about the privacy practices of a licensed web site, they need only submit a
“Watchdog reporting form” and TRUSTe will follow up on the report.[116]
Resolution Processes
A complaint or concern may originate with a visitor or with TRUSTe’s own monitoring program.[117] To address complaints, TRUSTe uses a three-tier approach.[118] First, it relies on the licensee and the complainant to resolve the dispute per the posted privacy policy.[119] Second, if the parties cannot reach an agreement, TRUSTe acts a