COLUMBUS, Ohio -- Many U.S. companies face possible legal troubles and disruption of their business overseas because of a tough new European privacy law, according to a new book co-authored by an Ohio State University law professor.
In their book None of Your Business: World Data Flows, Electronic Commerce, and the European Privacy Directive (1998, Brookings Institution Press), co-authors Peter P. Swire, Ohio State professor of law, and Brookings Institution economist Robert Litan detail effects of the European Union Data Protection Directive, which went into effect Oct. 25.
The EU directive imposes a minimum standard of data privacy protection in Europe for the EU's 370 million citizens. The directive broadly defines personal data as "any information relating to an identified or identifiable natural person," including phone numbers, e-mail addresses and any other information that can be linked to a specific person.
"The big rule is that after October, data can't be transferred to countries that lack 'adequate' protection. And the EU will not make a finding that the United States has adequate protection," Swire said. "Nor has it said it is inadequate across the board. So all transfers to the United States are potentially at risk under the new law." Swire said the book's primary purpose is to alert American businesses about the effects of the new requirements.
"Although it is unclear how strictly these rules will be enforced under the directive," he said, "any company with European operations should examine its own privacy practices to make sure they comply with European laws." Industries such as health care, airlines, direct marketing, higher education and even the news media are likely to struggle the most with the new standards, Swire suggested. "Some U.S. marketing practices would be directly against the European Union law," he said.
Investment banking operations, auditing practices and human resources records -- even something as basic as the creation of e-mail or telephone directories -- also could be hit particularly hard by the new rules. U.S. reporters accustomed to First Amendment protections may encounter restrictions on reporting of personal information about people in Europe, including Americans. And European consumers may be prevented from buying products from U.S. World Wide Web sites.
"Europeans begin with the assumption that information belongs to individuals, and use of data involves the human rights of the individual," Swire said. "American businesses have often taken the position that they own rights to information and have the right to use it as they see fit."
Swire and Litan propose that affected organizations in the United States consider adopting self-regulatory measures designed to bridge the gap between European and U.S. privacy laws. Swire is part of a national team of legal experts developing model contracts that U.S. companies could use when they transfer personal data out of Europe. The contracts would serve as a guarantee that American companies would comply with the EU directive despite the less stringent approach to privacy protection in the United States.
"Without contracts, many transfers would violate the language of the law," Swire said. "We recommend to Europe that they support the model contracts approach. In the EU's first official statement on this, it said contracts would rarely be used. But more recently, the EU has recognized that contracts are an essential component to allowing companies to comply in good faith."
The EU directive was adopted three years ago and went into effect on Oct. 25, requiring each member state to pass national legislation that complies with the directive's minimum standards. It requires that individuals be told how personal data about them will be used; receive an opportunity to see and correct data held by companies; be given notice before data is forwarded to a third party for marketing purposes; and be able to opt out of such marketing free of charge. The directive also calls for establishment of a national privacy agency in each of the 15 EU countries.
The regulations do not apply to information passing through Europe only in transit or to data used for entirely nonbusiness purposes. The directive allows for exceptions to the restrictions if the individual in question gives unambiguous consent in advance of the transfer; if personal information is needed to complete a transaction, such as a shipment into Europe; or if a contract between a U.S. and European business indicates European standards will be followed in the United States.
If companies improperly process data in Europe or send it abroad illegally, national authorities will be able to seek injunctions, fines and even criminal sanctions in extreme cases. The directive also requires that people whose data is mishandled be allowed to seek compensation.
Written by Emily Caldwell