Content Last Updated

Self-Regulation and The EU Privacy Directive:
Do Privacy Seals Offer "Adequate" Protection to EU Citizens Transferring Data to American Internet Companies?

By: Steven A. Leahy (June 2000)


Privacy concerns have grown with each improvement of modern information technology (MIT).  MIT has made it easy for virtually every organization to set up a database to track their customers’ habits and purchases.  The Internet has increased the uneasiness because of the ease that Internet sites have been able to profile web surfers and share that information with others.  However, consumers have taken notice, and they have demanded that web sites protect their personally identifiable information.


The European Union (EU) countries have taken one approach.  They have imposed complex procedures directed by powerful institutions in order to protect data, and they have demanded that other counties follow their lead if they wish to trade with them.  The United States has rejected the EU demands.  Instead, the US has relied on self-regulation to protect individually identifiable data.


This paper examines the impact of the EU Privacy Directive on the direction of regulation in the United States.  I begin by reviewing the history of the European Union and its institutions.  Next, I analyze the self-regulatory measures introduced in the United States.  Finally, I conclude that privacy seal programs offer American Internet Sites (AIS) the best mix of protecting information and minimizing government intrusion.



In order to appreciate the power and influence of the EU, it is important to understand the structure of decision making and the institutions that are involved in enacting those decisions.  First, in this section, I will review the circumstances and the resulting treaties of post World War II Europe that forged the EU we know today.  Next, I will describe the institutions and procedures necessary to implement Community Law.


(1)          Building a Union

After World War II, political and economic instability left European nations vulnerable.[1]  The Soviet Union threatened the sovereignty of individual European nations, as evidenced by the Czechoslovakian coup d'etat in 1948 and the Berlin blockade in 1948-1949.[2]  Moreover, the Soviet Union developed nuclear capabilities in the late 1940’s, adding to European instability.[3] 


To bring about a stable unified Europe, western European nations started to get together.[4]  In October 1947, twenty-three countries signed a joint agreement, the General Agreement on Tariffs and Trade (GATT).[5]  Thus began the long road to European unification.


The next important date is 1957.  That year, the Treaty of Rome formed the European Economic Community (ECC), which consisted of six nation-states: Belgium, France, Germany, Italy, Luxembourg and the Netherlands.[6]  The United Kingdom was invited to join, but chose not to become a member at that time.[7]


The political and economic success of the ECC, encouraged other nations to join the club.[8]  In 1973 the United Kingdom, Denmark, and Ireland increased the number of member nations to nine.[9]  Next, in the 1980’s, came the "Mediterranean enlargement."[10]  Greece joined in 1981 and, in 1986, Portugal and Spain became members.[11]  Finally, in 1995 Austria, Finland and Sweden signed up.[12] 


Today there are fifteen Member States in the EU.[13]   In 1999, the European Union represented almost $350 billion in trade with the United States.  Only Canada had more trade with the US that year.[14]  


(2)          Expanding Co-operation

The Treaty on European Union (TEU), which is sometimes referred to as the Treaty of Maastricht, became effective in 1993.  The TEU formally restructured the ECC into the European Union.  The TEU, Article 2, states the purpose of the EU:


The Community shall have as its task, by establishing a common market and an economic and monetary union and by implementing common policies or activities referred to in Articles 3 and 4, to promote throughout the Community a harmonious, balanced and sustainable development of economic activities, a high level of employment and of social protection, equality between men and women, sustainable and noninflationary growth, a high degree of competitiveness and convergence of economic performance, a high level of protection and improvement of the quality of the environment, the raising of the standard of living and quality of life, and economic and social cohesion and solidarity among Member States.[15]




(3)          Institutions of the Union

The TEU establishes institutions and procedures “necessary to achieve the objectives” of the Treaty.[16]  There are three Institutions involved in formulating much of the EU’s policies and direction,[17] the European Parliament (the “Parliament”), the Council of the European Union (the “Council”), and the European Commission (the “Commission”).[18]  I will summarize the responsibilities of each. 


The European Parliament

The Parliament is a directly elected democratic institution[19] and represents 370 million citizens.[20]  The Parliament’s “primary objectives are . . . to pass good laws and to scrutinize and control the use of executive power.”[21]  To accomplish these objectives the Parliament has three important powers: legislative power, budgetary power, and oversight power.[22]  I will address each in turn.


Legislative Power:

Originally, the Parliament had only a consultative role.[23]  Today, in addition to their consultative role, the Parliament has the power to amend and adopt certain legislation.[24]  For issues that relate to the internal market, consumer protection, trans-European networks, education, health, and other related issues, legislation is adopted jointly by the Parliament and the Council.[25]  This two tiered decision making procedure is known as "co-decision making".[26] 


In addition, the Parliament has a role in appointing the President of the Parliament and the members of the Commission.[27]


Budgetary Power:

The Parliament approves the Union’s yearly budget.[28]  By withholding its approval, the Parliament may exercise authority in how funds are distributed, thereby giving it influence over the content of all legislation.[29]  The President of the Parliament must sign the budget to enact it into law.[30]


Oversight Power:

The Parliament has the obligation to assure that funds are spent for the purposes agreed upon.[31]  Moreover, the Parliament has the duty to prevent and detect fraud.[32]


It is important to note that the Parliament is the only EU Institution “that meets and deliberates in public.”[33]  Nearly all of the decisions in the EU are done in secret meetings.[34]  In fact, all members and former members of an EU institution are required “not to disclose information . . . about the undertakings, their business relations or their cost components.” [35]


The Council of the European Union

The Council is made up of fifteen Ministers.[36]  Each Member State names one Minister.[37]  Each Minister is empowered to commit his Government.[38]  In turn, each Minister is politically accountable to their national parliaments.[39]  Ministers attend council meetings that deal with specific subject areas.[40]  Which Minister attends each Council meeting depends on the subject matter discussed.[41]


The Presidency

The President of the Council presides over all of the Council meetings.[42]  Every six months, the Presidency rotates according to a set schedule.[43]  The President of the Council is to host a meeting of the European Council (not to be confused with the Council for the European Union) at least twice a year for a “European Summit.”[44] 


The European Council

The European Council is made up “of the heads of State or Government of each Member State and the President of the European Union.”[45]  The Summit is an informal gathering, where there are no set procedures.[46] 


“The European Council has become an increasingly important element of the Union, setting priorities, giving political direction, providing impetus for its development and resolving contentious issues that have proved too difficult for the Council of Ministers.”[47]



The Council (or by the Parliament and Council if a co-decision is called for) must adopt proposals Law in order for them to become Community law.[48]  There are four forms of Community law:


1.          Regulations: these are directly applied without the need for national measures to implement them;


2.          Directives: bind Member States as to the objectives to be achieved while leaving the national authorities the power to choose the form and the means to be used;


3.          Decisions: these are binding in all their aspects upon those to whom they are addressed.  A decision may be addressed to any or all Member States, to undertakings or to individuals;


4.          Recommendations and opinions: these are not binding.[49]




The European Commission

There are twenty members of the Commission, each member is appointed to a five-year term by their home governments.[50]  The break down of the Commission is:


















United Kingdom


















The Netherlands
















With 16,000 staff members, the Commission is the largest Institution of the EU.[51]  The Commission meets at least “once a week to adopt proposals, finalize policy papers and take other decisions required of it.”[52]  Commissioners have a duty to act in the best interests of the European Union, rather than in the interest of their national governments.[53]


The Commission has three distinct functions:


1)    to initiate proposals for legislation;

2)    to be the guardian of the Treaties; and

3)    to execute EU policies and actions.[54] 


I will address each function individually.


Initiate Legislation

The Commission initiates Community policy and represents the general interest of the European Union.[55]  Before the Commission recommends any legislation, they perform extensive fact gathering.  They interview and seek comment from individual governments, industry representatives, trade unions officials, special interest groups and technical experts.


The Commission recommends action on an issue “only when it will be more effective than if [action were left] to individual Member States.”


Guardian of the Treaties

The Commission acts as the “guardian of the EU treaties to ensure that EU legislation is applied correctly by the Member States and that all citizens and participants in the single market can benefit from the level playing field that has been created.”  Where necessary, the Commission takes action against those in the public or private sector that fail to respect their treaty obligations.  “It can, for instance, institute legal proceedings against Member States or businesses that fail to comply with European law and, as a last resort, bring them before the European Court of Justice.”[56]


Execute EU Policies and Actions

The third function of the Commission is that of the executive body of the EU.[57]  The Commission is responsible for implementing and managing policy.[58]  It manages the Union's annual budget,[59] runs its Structural Funds[60], and negotiates trade agreements with third countries.[61]


The Commission has played a leading role in integrating the Member States, by playing the role of mediator when disputes arise between members.[62]  “Its impartiality and commitment to the common interest make it an accepted mediator by all sides.”[63]


The Privacy Policy of the EU

In order to accomplish the goals stated in Article 2 of the TEU, Member States are prohibited from establishing policies that restrict the import or export of goods among the Member States.[64]  In addition, each Member State must establish laws that facilitate the functioning of a common market.[65]


In 1993, before the TEU, Germany and France (the two largest economies in the EU) had legislation that protected their citizens’ data privacy, but several other Member States did not have any privacy policies in place (like Italy).[66]  The disparity in privacy protection among the Member States threatened to inhibit the flow of data, therefore trade, among the member nations.[67]


To ease concerns, and harmonize the privacy policies among the EU, the EU enacted Directive 95/46/EC, “on the protection of individuals with regard to the processing of personal data and on the free movement of such data.” [68]   The European Community Privacy Directive (the Directive) took effect on October 25, 1998; three years after the Parliament and the Council passed it.[69] 


The Directive begins with the premise that data protection is a “fundamental right.”[70]  In order to protect this fundament right, the Directive provides:


Member States shall provide that personal data may be processed only if:



(a)            the data subject has unambiguously given his consent; or


(b)            processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; or


(c)             processing is necessary for compliance with a legal obligation to which the controller is subject; or


(d)            processing is necessary in order to protect the vital interests of the data subject; or


(e)            processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed; or


(f)              processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject which require protection under Article 1 (1).



The Directive was designed to foster economic trade between the Member States of the European Union.  Ironically, the Directive that was designed to foster trade, may work to disrupt trade between the EU and “third countries,” most notably the United States.


Article 25 of the EU Privacy Directive states:


Transfer to a third country of personal data which are undergoing processing or are intended for processing after transfer may take place only if . . .the third country in question ensures an adequate level of protection.



Where a country is found to have inadequate protection, Article 26 spells out a list of exceptions that may allow the transfer of data despite inadequate countrywide protections.  Article 26 says:


.  .  .  transfers of personal data to a third country which does not ensure an adequate level of protection within the meaning of Article 25 may take place on condition that:



1) unambiguous consent


2) performance of a K


3) K in interest of data subject


4) public interest


5) vital interest


6) according to law or regulation



2)    Without prejudice to paragraph 1, a Member State may authorize a transfer or a set of transfers of personal data to a third country which does not ensure an adequate level of protection within the meaning of Article 25 (2), where the controller adduces adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regards to exercise of the corresponding rights; such safeguards may in particular result from appropriate contractual clauses.



Because the proffered protections are in the form of a “Directive,” they do not apply directly to individual Member States.  Each Member State must take measures to implement the Directive into national legislation.  However, the Directive does establish new institutions for “coordinating the enforcement authorities of the fifteen nations.”[71]  In addition, each Member State must erect one or more privacy agencies to monitor their national privacy policy.[72]


Privacy Protection in the United States

In the US, privacy protection is not considered a fundamental right.  Therefore, US privacy laws are not as broad or far-reaching as the European Union Privacy Directive calls for.  The US data protection laws take a  “sectoral,” [73] some would say "ad hoc,"[74] approach.  Generally, privacy protections in the US are limited to the right of the citizen against the government and do not regulate individual relationships, as does the Directive.[75]  Individual relationships are left to private agreements or self-regulation.[76]



Modern information technology, through the Internet, has created an easily accessible worldwide market.  American Internet Sites (AIS) are “open” to visitors from around the world, including citizens of the EU.  Therefore, unless a EU visitor "unambiguously" gives consent for an AIS to gather, collect and process personal data, or another narrow exception applies, the AIS will be barred from using or collecting that data.[77]


Federal privacy regulations in the United States are not going to be implemented any time soon.[78]  Therefore, in order to continue the flow of information from the EU, it is incumbent upon AISs to self regulate if they wish to extend their market and avoid government regulation.  This section will examine two self-regulatory practices that may qualify as “adequate” under the Directive.  First I will summarize the safe harbor proposal.  Then, I will review seal programs.


(1)          Safe Harbor

The American Government has addressed this threat to trade by negotiating with EU representatives, through the United States Commerce Department (USCD).[79]  The negotiations center on creating a “safe harbor” for American companies, to “enable them to comply with the requirements of the European Union's Directive on Data Protection regarding personal data transfers to third countries.”[80] 


On March 14, 2000, after two years of intense negotiations, the US and EU tentatively agreed on the principles that the US safe harbor must include in order to be “adequate” under the Directive.[81] 


In order for the safe harbor arrangement to become effective, the agreement must be approved by a qualified majority of Member States in the committee established in the Directive.[82]  Before seeking the Committee's formal decision, however, the Commission must consult with the data protection commissioners of the Member States.[83]  Then the Commission must submit the decision to the European Parliament for approval.[84]  Only after the Parliament approves will the safe harbor become effective.[85]  Furthermore, AIS operators must submit to oversight by the European Data Protection Authorities, the Federal Trade Commission and the United States Commerce Department.[86]


Soon after the tentative agreement, the EU balked, declaring that the safe harbor principles “do not go far enough to protect the rights of the citizens.”[87]  Additionally, US groups have protested the agreement as too intrusive and going too far.[88]


(2)          Privacy Seal Programs

The “adequate” standard set by Article 25 of the Directive is not a clear standard.  Because the standard is not clearly defined, the best way to determine what constitutes adequate protection is to review the Directive Commission’s Working Documents to resolve what the EU Commission considers necessary to establish adequate protection. 


This section begins by establishing what elements comprise adequate protection according to the EU Commission.  Next, I will focus on the two most popular “Privacy Seal” programs and reveal their elements and standards.  Finally, I will assess whether these seal programs should qualify for an exemption from the Directive’s mandates.


What Constitutes "Adequate Protection"?

In 1998, the Working Party of the EU Data Protection Commissioners[89] issued a Working Document titled “Transfers of personal data to third countries: Applying Articles 25 and 26 of the EU data protection directive.”[90]  This document lays out the requirements for answering “all the central questions raised by flows of personal data to third countries in the context of the application of EU data protection directive.”[91]


The basic principles to be included are the following:


1.       the purpose limitation principle - data should be processed for a specific purpose and subsequently used or further communicated only insofar as this is not incompatible with the purpose of the transfer. The only exemptions to this rule would be those necessary in a democratic society on one of the grounds listed in Article 13 of the directive.


2.       the data quality and proportionality principle - data should be accurate and, where necessary, kept up to date. The data should be adequate, relevant and not excessive in relation to the purposes for which they are transferred or further processed.


3.       the transparency principle - individuals should be provided with information as to the purpose of the processing and the identity of the data controller in the third country, and other information insofar as this is necessary to ensure fairness. The only exemptions permitted should be in line with Articles 11(2) and 13 of the directive.


4.       the security principle - technical and organizational security measures should be taken by the data controller that are appropriate to the risks presented by the processing. Any person acting under the authority of the data controller, including a processor, must not process data except on instructions from the controller.


5.       the rights of access, rectification and opposition - the data subject should have a right to obtain a copy of all data relating to him/her that are processed, and a right to rectification of those data where they are shown to be inaccurate. In certain situations he/she should also be able to object to the processing of the data relating to him/her.  The only exemptions to these rights should be in line with Article 13 of the directive.


6.       restrictions on onward transfers - further transfers of the personal data by the recipient of the original data transfer should be permitted only where the second recipient (i.e. the recipient of the onward transfer) is also subject to rules affording an adequate level of protection. The only exceptions permitted should be in line with Article 26(1) of the directive.[92]



Self-Regulation Through Privacy Seal Programs

Privacy Seal programs are third party companies that place tamper proof logos in a prominent place on a web site.  The seal lets visitors know that the site has a privacy policy in place and that the company follows the posted policy.  Furthermore, by “clicking” on the seal, the visitor is taken to the web site’s privacy policy.  In addition, the Seal Company provides for an oversight procedure and a dispute resolution process.


This section analyzes the two most popular seal programs, both of which were recommended by President Clinton recently.  He challenged AISs “to engage in effective self-regulation, with enforcement by organizations such as BBBOnLine and TRUSTe.”[93] 


I will take a three-step approach.  First I will summarize the organizations’ history.  Next I will review their privacy standards, oversight procedures and resolution processes.  Finally, I will compare each to the organization’s standards to that of the safe harbor, in order to determine if the standards may qualify as adequate protection under the Directive.



TRUSTe is the oldest and largest of the privacy seal programs.  The TRUSTe program was launched in 1997, with 18 licensed sites.[94]  In 1998 the number of participating sites climbed to 279.[95]  Recently, TRUSTe awarded its 1000th privacy seal to X-Collaboration, a Boston-based software company.[96] 



The idea for TRUSTe began during a lecture on "Trust" in March 1996.[97]  Lori Fena, Executive Director of the Electronic Frontier Foundation (EFF), and Charles Jennings, founder and CEO of Portland Software were attending that lecture.[98]  The two met at that meeting and discussed the need “for branded symbols of trust on the Internet similar to UL Labs or Good Housekeeping ‘seals of approval.’"[99]  The idea took hold and the two worked together to institute such a program.[100]


TRUSTe is a non-profit organization “whose mission is to build users' trust and confidence on the Internet and, in doing so, accelerate growth of the Internet industry.”[101]  To that end, TRUSTe awards its “trustmark” or seal “to Web sites that adhere to established privacy principles and agree to comply with [TRUSTe’s] oversight and consumer resolution process.”[102]


Privacy Policy

In order to be awarded a TRUSTe seal a web site must adopt a privacy statement that discloses, at a minimum:


¨            What personal information is being gathered.


¨            Who is collecting the information.


¨            How the information will be used.


¨            With whom the information will be shared.


¨            The choices available to users regarding collection, use, and distribution of their information: You must offer users an opportunity to opt-out of internal secondary uses as well as third-party distribution for secondary uses.


¨            The security procedures in place to protect users' collected information from loss, misuse, or alteration: If your site collects, uses, or distributes personally identifiable information such as credit card or social security numbers, accepted transmission protocols (e.g. encryption) must be in place.


¨            How users can update or correct inaccuracies in their pertinent information: Appropriate measures shall be taken to ensure that personal information collected online is accurate, complete, and timely, and that easy-to-use mechanisms are in place for users to verify that inaccuracies have been corrected.[103]


Oversight Procedure

TRUSTe uses a three tiered oversight procedure: initial and periodic review, “seeding,” and community monitoring.[104]  I will address each procedure separately.


(a) Initial and Periodic Review

Before a potential licensee can complete a TRUSTe application, the applicant must have a privacy policy in place.[105]  In order to assist the applicant, TRUSTe provides a “Privacy Policy Wizard.”[106]  The wizard tailors a policy based on answers to questions it poses regarding the specific privacy practices of the applicant’s web site.  Next, the applicant is asked to perform a self-assessment of their internal privacy and security practices.[107] 


After that, a TRUSTe representative conducts a review and certification process, to ensure that the stated policy is accessible to visitors and meets the stated requirements.[108]  Once an applicant’s site has been approved, a TRUSTe representative periodically reviews the site to ensure that it continues to comply with the posted privacy practices and program requirements.[109]  The representative also checks for changes to the site’s privacy policy.[110]


(b) Seeding

In order to verify that a site is compiling with its privacy policy, TRUSTe submits unique identifiers to the web site.[111]  The web site does not know which submissions are genuine and which is a “seed” planted by TRUSTe.[112]  Then, TRUSTe monitors the seeded identifier to ensure that the site is “practicing information collection and use practices that are consistent with its stated policies.”[113]


(c) Community Monitoring

TRUSTe also relies on visitors of the web site to “report violations of posted privacy policies, misuse of the TRUSTe trustmark, or specific privacy concerns pertaining to a licensee.”[114]  After all, the visitors of the web site are the parties that are protected by the TRUSTe program.[115]  If they want to voice a complaint or concern about the privacy practices of a licensed web site, they need only submit a “Watchdog reporting form” and TRUSTe will follow up on the report.[116]


Resolution Processes

A complaint or concern may arise because of a complaint from a visitor or from TRUSTe’s monitoring program.[117]  To address complaints, TRUSTe uses a three-tier approach.[118]  First, they rely on the licensee and the complainant to resolve the dispute per the posted privacy policy.[119]  Second, if the parties can not reach an agreement, TRUSTe acts as a “liaison between” parties to resolve the issue.[120]   This process entails:


¨      Notifying the licensee of the consumer's complaint and working with the site for a speedy, satisfactory resolution.


¨      Notifying the consumer of the resolution or other relevant findings.


¨      Pursuing the issue further if we are unable to reach a mutual resolution with the licensee.[121]



If TRUSTe determines that the licensee has violated its posted privacy practices or other TRUSTe program requirements, “we will conduct an escalating investigation.  This process may include an on-site compliance review by one of  TRUSTe's official auditors”[122]  Then TRUSTe will work with the licensee to bring the web site into compliance.[123]  Failing that, TRUSTe may:


¨      revoke the licensee’s use of the TRUSTe Seal,

¨      terminate the licensee from the program, or

¨      refer the matter to the appropriate government agency.[124]



BBBOnLine is a wholly owned subsidiary of the Council of Better Business Bureaus.[125]  The program was launched on March 17, 1999 and features a Privacy mark that is a padlock with a globe in the middle.  BBBOnLine quickly awarded 100 web sites a seal by September 1999.  Today, just over one year after launching the program, BBBOnLine has over 400 licensees. 


The Better Business Bureau hopes to leverage their 86 year history of assisting business with self-regulation and dispute resolution into a mark that will be trusted by the public.  In developing the program, BBBOnLine sought out e-commerce business leaders and representatives from major corporations.  The initial participants included leaders in the e-commerce arena.[126]


“BBBOnLine's mission is to promote trust and confidence on the Internet.”[127]  The BBBOnLine Privacy Program features verification, monitoring and review, consumer dispute resolution, and enforcement mechanisms.


Privacy Policy

In order to be awarded a BBBOnLine Privacy Seal, a web site must meet “the highest standards for the treatment of personally identifiable information in cyberspace.”[128]  Furthermore, the posted privacy statement must be easy to read, in clear and simple language, and it must disclose:


1.          the collector(s) of the information


2.          the type(s) and intended use(s) of the individually identifiable information being collected


3.          the choices individuals have about the way such information is used and to whom it is disclosed


4.          the collector’s commitment to data security


5.          an appropriate contact method regarding the web site’s privacy policy


6.          the seal participant’s participation in the BBBOnLine Privacy Program and information on how individuals may learn more about that program


7.          any corporate subsidiaries, operating divisions or related product lines which are excluded from seal coverage


8.          any individually identifiable information collected at the site which is shared with contractors, corporate affiliates or other third party agents not covered by a common privacy policy


9.          the choices available to users with regard to information shared with affiliates or third party agents not covered by a common privacy policy


10.     the steps the seal participant takes to assure the accuracy of individually identifiable information that it maintains in identifiable form


11.     the process available to individuals to obtain access to individually identifiable information collected from them online and the process available to correct factual inaccuracies in that information


12.     if access to any or all of the web site is conditioned on the disclosure of individually identifiable information, individuals must be informed of the consequences of refusing to disclose such data


13.     if the organization merges and/or enhances individually identifiable information with data from third parties for the purposes of marketing products or services to the individual


14.     if any other organization collects individually identifiable information at the site as the result of transacting business with the individual at the site


15.     that individuals must contact third party collectors of individually identifiable information directly for information on the use of their data


16.     any information collection that is not covered by the privacy policy, including, but not limited to, information collection where the individual submitting the information is clearly acting only in his/her business capacity



¨            Additionally, the correction process (#10) must employ an authentication mechanism, which is to be disclosed in the Compliance Assessment.[129]






Seal participants must have a process in place to make unaffiliated third parties or corporate affiliates not covered by a common policy practice aware of the site’s privacy policies when transferring individually identifiable information to such parties, and must describe that process in their Compliance Assessment.



Seal participants must require agents or contractors who have access to individually identifiable information and prospect information to keep the information confidential and not use it for any other purpose than to carry out the services they are performing for the organization.



Seal participants may not rent, sell, exchange, or in any manner transfer information about a prospect submitted by another party to any third party, unless the third party is an agent or contractor involved in carrying out the transaction for which the prospect's information was submitted.  This prohibition on such transfers applies without regard to any choices about third party transfers made by the individual submitting the information.






A seal participant must allow individuals the opportunity to opt-out or otherwise prohibit unrelated uses of individually identifiable information about them, that is, uses not disclosed in the privacy policy at the time the information is collected.



A seal participant must provide individuals with a choice regarding the transfer of information to third parties for marketing purposes.  This may be accomplished through one or more of the following:



1.        an opt-out opportunity

2.        an opt-in opportunity

3.        through a technological tool for individuals to make choices about such transfers (The method(s) used must be disclosed in the Compliance Assessment.)



Where the site conditions the granting of access to some or all of its web site or online services based on the disclosure of individually identifiable information, the participant must inform individuals in its privacy notice or at the point of collection of the consequences of refusing to provide such information.






A seal participant must assure that information collected online is accurate, complete and timely for the purpose(s) for which it is to be used and must provide individuals with access to individually identifiable information collected from them online if such information is retrievable in the ordinary course of business and providing access does not impose an unreasonable burden.



A seal participant must establish effective and easy to use mechanisms to permit individuals access to correct inaccurate factual information.  A seal participant must take steps to help assure the accuracy of the individually identifiable information it is maintaining.[130]


A BBBOnLine web site is subject to an independent and random audit of their information practices.  Generally, BBBOnLine relies on the consumer to discover and report any web site that violates its stated privacy policy, because the Better Business Bureau is a well-recognized consumer advocate.


Before a web site is awarded a BBBOnLine seal, BBBOnLine reviews the company's privacy policy, conducts a comprehensive review, and evaluates the processes the company has in place in order to live up to the privacy policies they post.


Resolution Process 

The BBBOnLine Dispute resolution process provides for four levels of intervention.[131] 


1.       Self Help

First, the web site must publish a designated person associated with the web site a visitor (complainant) can contact with a complaint about their privacy policy or their failure to follow the posted policy.  The visitor must try to resolve the dispute directly with the web site operator.


2.       Privacy Policy Review Service

Second, if the complainant is unhappy with the result in the first step, or the web site does not answer the complaint, the complainant may contact the BBBOnLine Privacy Program Dispute Resolution Process (DRP).  The DRP provides for review of a complaint by the Privacy Policy Review Service (PPRS) of BBBOnLine.  PPRS forwards the complaint to the web site (respondent) and requests an answer to the complaint. 


The respondent’s answer is forwarded to the complainant for a reply.  If the respondent submits a reply, the respondent may respond to the reply.  In addition PPRS may request information from either party.  Using the information in the case file[132] the PPRS “shall formulate its judgment on the merits of the case in a statement of ‘findings, recommendations and conclusions’ including any necessary corrective action and a time frame for such action.” 


Each decision is provided to the parties, and made available to the public on BBBOnLine.


3.       Filing an Appeal

The complainant or respondent may seek an appeal by submitting a letter requesting an appeal to the Privacy Review Appeals Board (PRAB), “within 5 business days of receipt of the final case decision.”  The letter shall specify the issues the party wishes to appeal, state whether the appeal is sought as of right or on discretionary grounds, and explain how the appeal qualifies on such grounds. 


The appellant must send a copy of the request letter to the appellee.[133]  Then, PRAB will decide “whether the requested appeal is warranted and advise the parties of its decision.”[134]  Again, the decision is published.


4.       Notice of Intent

“If the decision is in favor of the complainant and the respondent fails to indicate . . . that it intends to take the required corrective action(s), the Chair shall issue a Notice of Intent to the respondent.  The Notice will advise the licensee that the matter will be referred to the appropriate government agency.  “PRAB shall also forward the decision to the other party and make the decision public.”


Applying the Standard

“[I]t is clear that any meaningful analysis of adequate protection must comprise the two basic elements: the content of the rules applicable and the means for ensuring their effective application.”[135]  Each of the privacy policies outlined above meet each and every principle outlined in the Directive’s Working Party document.  Furthermore, each provides for a resolution process that ensures that a complaint from a data subject will be addressed and resolved.



This paper has documented the complex and bureaucratic system that the European Union has imposed on its citizens in order to protect their privacy.  The EU has threatened to withhold data transfers to third countries that do not impose that system on the their own citizens, for the benefit of Europeans. 


So far, the US government has bought into the EU bluff.  The Commerce Department’s safe harbor program is described as self-regulation.  However, the only voluntary part of the program is doing business with EU citizens.  Once a company decides to sell to EU citizens the “self” prefix is gone, and all that is left is regulation.  Under the safe harbor proposals, a US company must submit to the EU Privacy Authority, individual Member States Privacy Commission, the United States Commerce Department, and the Federal Trade Commission, not to mention the various legal authorities should a dispute arise. 


Furthermore, the safe harbor plan would put the Executive Branch, by way of the Federal Trade Commission, in an awkward position.  A United States Federal agency would be in the job of protecting the “fundamental rights” of EU citizens to the detriment of American citizens.  In addition, the safe harbor proposal encourages AIS to set up a dual system of privacy protection, one for EU citizens and another for everyone else.


The American approach of true self-regulation is already working.  In two short years, the number of top sites that post a comprehensive privacy policy has increased thirty-fold.[136]   Two years ago an FTC study discovered that less than 2% of .com top level domains had a comprehensive Privacy Policy in place.  The most recent study conducted by, found that almost twenty-five percent now have such a policy in place.[137]


I have surveyed the top two privacy seal programs, but there are others, and more sites sign on with a seal program everyday.[138]


As I have illustrated here, the privacy policies and enforcement procedures offered by sites that are licensed by these two seal programs exceed the requirements of the EU to qualify for an exemption under Article 26(2).  In addition, because the privacy policy is easily accessible by clicking on the privacy seal, a visitor should be considered informed whether they choose to read the policy or not.  Therefore, should an EU citizen volunteer personally identifiable information to a site displaying a privacy seal, the submission should be considered “unambiguous consent” necessary to qualify under the Article 26 (1)(a) exception.


The self-regulatory market system has worked.  If visitors to web sites refuse to provide personally identifiable information unless a web site lives by a comprehensive privacy policy, even more sites will adopt such a policy.  There is no need for the heavy hand of government when the invisible hand of the market is at work.


[1] Flaherty and Lally-Green, The European Union: Where is it Now? 34 Duq. L. Rev. 923, 928 (1996).

[2] Id.

[3] Id.

[4] Id.

[5] Id.

[6] Roger J. Goebel, The European Union Grows: The Constitutional Impact Of The Accession Of Austria, Finland And Sweden, 18 Fordham Int'l L.J. 1092, 1094 (1995).

[7] Id.

[8] Id.

[9] Id.

[10] Id.

[11] Id.

[12] Id.

[13] There was hope that there would be  “sweet sixteen.”  But the Norwegian people defeated a national referendum, and, therefore, did not become a European Union member state.  Id. at 1093.

[14] The United States only had one larger trading partner in 1999, Canada (nearly $370 billion).  See, Privacy Policies that Restrict Transborder Data Flow, at slide 3 (visited April. 29, 1999) <>.  Citing U.S. Census Statistics.

[15] Treaty on European Union, Article 2 (1993).

[16] Id.

[17] There are more than 3 institutions of the EU.  In addition to the European Parliament, The Council of European Union and The European Commission, there is the Court of Justice, the Court of Auditors, trhe European Investment Bank, the Economic and Social Committee, the Committee of the Regions, the European Ombudsman and the European Central Bank.  See, Europa, Institutions of the European Union (visited April. 29, 1999) <>.

[18] Id.

[19] Id. at European Parliament.

[20] Id. at European Parliament.

[21] Id.

[22] Id.

[23] Id. at Parliament.

[24] Id.

[25] Id.

[26] See, Council of the European Union, General Information (visited April. 29, 1999) <>.

[27] Id.

[28] Id. at Budget.

[29] Id.

[30] Id.

[31] Id. at Oversight Power.

[32] Id.

[33] How the European Parliament works, (visited April. 29, 1999) <>.

[34] Id.

[35] The members of the institutions of the Community, the members of committees, and the officials and other servants of the Community shall be required, even after their duties have ceased, not to disclose information of the kind covered by the obligation of professional secrecy, in particular information about undertakings, their business relations or their cost components. TEU Article 287 (ex Article 214).


[36] See, Council of the European Union, General Information, Composition (visited April. 29, 1999) <>.

[37] Id.

[38] Id.


[39] See, Council of the European Union, General Information, Composition (visited April. 29, 1999) <>.

[40] Id.

[41] Id.

[42] See, Council of the European Union, General Information, Presidency (visited April. 29, 1999) <>.

[43] The order of the Presidency:


1st  Half of Year

(Jan. – June)

2nd Half of Year

(July – Dec.)













(visited April 29, 2000)<http://>.  See also, Article 203 (ex Article 146).  The office of President shall be held in turn by each Member State in the Council for a term of six months in the order decided by the Council acting unanimously.  TER Article 203.


[44] See also, Article 203 (ex Article 146).The office of President shall be held in turn by each Member State in the Council for a term of six months in the order decided by the Council acting unanimously.  TEU Article 203.


[45] See, The Council of the European Union, (visited April 29, 2000) <>.

[46] See, The Council of the European Union, (visited April 29, 2000) <>.

[47] See, The Council of the European Union, (visited April 29, 2000) <>.

[48] See, The Council of the European Union, Legislation (visited April 29, 2000)

[49] See, The Council of the European Union, Legislation (visited April 29, 2000) <>.

[50] See, The European Commission, Role of the European Commission  (visited April 29, 2000) <>.

[51] Id.

[52] See, The European Commission, Role of the European Commission  (visited April 29, 2000) <>.

[53] See, The European Commission – The driving force for European union, Members of the Commission (visited April 29, 2000) <>.

[54] Id.

[55] Id.

[56] See, The European Commission – The driving force for European union, Guardian of the Treaties  (visited April 29, 2000) <>.

[57] Id.

[58] Id.

[59] The Commissions budget was almost 97 billion in 1999.

[60] The Structural fund’s main purpose is to even out economic disparities between the richer and poorer parts of the EU.

[61] The EU has agreements with more than 100 third countries.  See, Role of the European Commission, at As the Union's executive body, the Commission manages policies and negotiates international trade and cooperation agreements.  (visited April 30, 2000) <>.

[62] Id.

[63] Id.

[64] Treaty of European Union, Article 3 (1)(a) (1993).

[65] Treaty of European Union, Article 3(1)(h) (1993).

[66] Swire & Litan, None of Your Business World Data Flows, Electronic Commerce, and the European Privacy Directive. Brookings Institution Press at 23.

[67] Id.

[68] EU Directive: Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.  Official Journal L 281 , 23/11/1995 p. 0031 - 0050

[69] Id.

[70] See,Directive 95/46/EC, Article 1.

[71] Swire & Litan, None of Your Business World Data Flows, Electronic Commerce, and the European Privacy Directive. Brookings Institution Press at 38.

[72] Id.

[73] See, Reidenberg, Restoring Americans' Privacy in Electronic Commerce, 14 Berkeley Tech. L.J. 771, 773 (1999).

[74] Heydrich, A Brave New World: Complying With The European Union Directive On Personal Privacy Through The Power Of Contract, 25 Brooklyn J. Int'l L. 407, 414 (1999).

[75] Heydrich, A Brave New World: Complying With The European Union Directive On Personal Privacy Through The Power Of Contract, 25 Brooklyn J. Int'l L. 407, 416 (1999).

[76] Id.

[77] See, Sinrod, Reyna, & Barak Enabling Electronic Commerce: Trademark, Privacy & Internet Business: The New Wave Of Speech And Privacy Developments In Cyberspace, 21 Hastings Comm. & Ent. L.J. 583, 596 (1999).

[78] Id.

[79] Ambassador David L. Aaron, Letter to Colleagues (Mar. 17, 2000) <>.

[80] Ambassador David L. Aaron, Letter to Colleagues (Mar. 17, 2000) <>.


[81] Ambassador David L. Aaron, Letter to Colleagues (Mar. 17, 2000) <>.

[82] European Privacy Directive Article 31(1995).

[83] European Privacy Directive Article 29(1995).

[84] Id.

[85] Id.

[86] Ambassador David L. Aaron, Letter to Colleagues (Mar. 17, 2000) <>.

[87] David Bicknell, EU Stalls On Us Data Privacy Deal, Computer Weekly (April 13, 2000) <

[88] See, Sylvia Dennis, EU/US Data Privacy Pact Continues to Ebb, Newsbytes April 6, 2000

[89] The working party was established under Article 29 of the Data Protection Directive

[90] See, Media, Information Society and Data Protection, at Transfers of personal data to third countries : Applying Articles 25 and 26 of the EU data protection directive. (July 24, 1998) <

[91] See, Media, Information Society and Data Protection, at Transfers of personal data to third countries : Applying Articles 25 and 26 of the EU data protection directive. (July 24, 1998) <

[92] See, Media, Information Society and Data Protection, Transfers of personal data to third countries : Applying Articles 25 and 26 of the EU data protection directive at What Constitutes Adequate Protection? (July 24, 1998) <

[93] President Clinton And Vice President Gore: America’s Agenda For The Information Age, (March 3, 2000) <>.

[94] TRUSTe Approves 1000th Web Site (visited May 1, 2000) <>

[95] Id.

[96] TRUSTe Approves 1000th Web Site (visited May 1, 2000) <>

[97] Id.

[98] Id.

[99] Id.

[100] Id.

[101] Frequently Asked Questions, What is TRUSTe? What is its mission?  (visited May 1, 2000) <>

[102] Id.

[103] See, TRUSTe Program Principles (visited May 1, 2000) <>

[104] TRUSTe Oversight at Seeding.  (visited May 1, 2000) <>.

[105] Id.

[106] Id.

[107] Id.

[108] Id.

[109] Id.

[110] Id.

[111] TRUSTe Oversight at Seeding.  (visited May 1, 2000) <>.

[112] TRUSTe Oversight at Seeding.  (visited May 1, 2000) <>.

[113] TRUSTe Oversight at Seeding.  (visited May 1, 2000) <>.

[114] TRUSTe Oversight at Community Monitoring.  (visited May 1, 2000) <>.

[115] Id.

[116] Id.

[117] See, Resolution Process (visited May 1, 2000) <>

[118] Id.

[119] Id.

[120] Id.

[121] See, Resolution Process (visited May 1, 2000) <>

[122] See, Resolution Process (visited May 1, 2000) <>

[123] Id.

[124] See, Resolution Process (visited May 1, 2000) <>

[126]   The companies included America Online, American Express, AMR Corporation (American Airlines & Travelocity), AT&T, BankAmerica, Dell, Dun & Bradstreet, Eastman Kodak, Equifax, Experian, Ford, Hewlett-Packard, IBM, Intel, J.C.Penney, MCI WorldCom, Microsoft, New York Times Electronic Media, Procter & Gamble, Reed Elsevier (parent company of LEXIS-NEXIS), Sony, US West, Viacom, and Xerox.

[127] <>

[128] See, BBBOnLine FAQs at BBBOnLine Privacy <>

[129] <>

[130] See, Eligibility Criteria for BBBOnLine Privacy Seal, Policy Content.  (visited May 1, 2000)



[131] See, BBBOnLine Privacy Program Dispute Resolution Process Procedures Privacy Policy Review Service and Privacy Review Appeals Board at § 1.1.  (Feb. 11, 1999) <>.


[132] The file includes the complaint, the answer, the reply, the response to the reply and any information requested by PPRS the is not confidental.

[133] 4.3.1 Filing an appeal

[134] 4.3.1 Filing an appeal

[135] See, Media, Information Society and Data Protection, Transfers of personal data to third countries : Applying Articles 25 and 26 of the EU data protection directive at What Constitutes Adequate Protection? (July 24, 1998) <

[136] The FTC conducted a survey in 1997 and concluded that less than 2% of all .com web sites had a comprehensive privacy policy compared to almost 25% in 1999.  See, Internet Privacy: a summary of privacy ratings research by  (visited May 1, 2000) <>.


[137] The FTC conducted a survey in 1997 and concluded that less than 2% of all .com web sites had a comprehensive privacy policy compared to almost 25% in 1999.  See, Internet Privacy: a summary of privacy ratings research by  (visited May 1, 2000) <>.


[138] In addition to TRUSTe and BBBOnLine there is CPAWebTrust , PrivacyBot, SecureAssure, and BetterWeb just to name a few.

 © Copyright 2000
NDR Information Services
Chicago, Illinois
All Rights Reserved