An earlier version of this article was published in
INTERNET LEGAL PRACTICE NEWSLETTER (December 1997).
AS THE CYBER-WORLD TURNS:
Susan E. Gindin[*]
January 24, 1998
In October 1998, the European Union's Data Protection Directive[1] takes effect. The Directive, which requires European Union (EU) member countries to enact statutes regulating the processing of personal data within the EU, may also have vital global trade consequences.[2] This is due to the Directive's Article 25, which provides that personal information may be transmitted outside the EU only to a country which ensures an adequate level of protection for the subject of the data. EU officials recently suggested that countries without legislation, or another formal enforcement mechanism, protecting the information privacy rights of individuals will not be regarded as ensuring adequate protection.[3]
Many of Europe's trading partners, including the U.S., Canada, Japan, and Australia, have data protection legislation regulating information processing by their federal governments, but they do not have comprehensive legislation which also regulates information processing by the private sector and by state and local governments, and it seems unlikely that such legislation will be enacted by next October, when the Directive takes effect. Other countries have even more lax privacy protection policies.[4] Therefore, absent legislation, or another appropriate enforcement mechanism, regulating private-sector as well as public-sector information processing, the European Union may prohibit personal data transfers to entities in the U.S. and other countries beginning next October.
This article discusses the provisions of the Privacy Directive; the current privacy policies of the U.S., Australia, Canada, and Japan; and recent pronouncements by European Commission officials which may give some guidance as to the EU's position towards the data privacy policies of other countries. The article concludes by urging entities to establish privacy policies which ensure that all personal information will be handled in a manner which protects the privacy of the affected individual. These privacy policies should include provisions that require the entity to conspicuously notify customers and employees of the company's data collection practices, including how and when their personal information is being collected and how it will be used.
The Directive
Titled "Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data", the Directive is intended to protect individual privacy by prohibiting the improper collection, use, and transfer of data relating to individuals, while at the same time encouraging the free movement of personal data among European Union member countries. Personal data is defined as any information which identifies or relates to a specific individual.[5] The Directive broadly covers all facets of the handling of personal information. Of particular concern is computerized information handling, because of the ease with which computerized data may be collected, matched, and distributed. Further, concerns about the collection of personal information have intensified with the advent, and exponential growth, of the Internet, because the Internet offers so many new ways of collecting and disseminating personal information. There are new concerns regarding the transactional information which is collected as the individual participates in online activities, as well as other concerns such as e-mail privacy, unsolicited commercial e-mail, and the information security issues underlying electronic commerce.[6]
Among the Directive's requirements are that the member country statutes provide individuals with the right to advance notice of a data collector's intent to collect and use their personal data, the right to access and correct data collected about them, and the right to object to certain data transfers. The Directive further requires that the statutes require data collectors to process personal data only for specified, explicit, and legitimate purposes and to maintain the security and confidentiality of personal data, and that the statutes provide judicial remedies for violations.
With regard to the Directive's Article 25 requirement that data may only be transmitted to countries ensuring adequate protection for the subjects of the data, the European Commission provided some guidance toward determining adequacy in a June 1997 policy paper, First Orientations on Transfers of Personal Data to Third Countries: Possible Ways Forward in Assessing Adequacy [hereinafter "Assessing Adequacy policy paper," or "policy paper"].[7] Adequate protection is to be determined by evaluating 1) the content of the applicable privacy protection rules, to ensure that they meet the requirements of the Directive, and 2) the enforcement procedures in place to enforce them.[8] With regard to enforcement procedures, the Commission indicated three objectives: 1) a good level of compliance; 2) support and help for individual data subjects; and 3) appropriate redress.[9]
While Article 25 sets the standards for data transfer on a country-wide basis, another article of the Directive, Article 26, permits transfers, under certain circumstances, to entities in countries which do not provide adequate protection. Article 26(1) will allow transfers to countries without adequate protection if:
1) The data subject has consented to the transfer;
2) The transfer is necessary for performance of a contract between the data subject and the transferring entity;
3) The transfer is necessary for performance of a contract between the transferring entity and a third party that is in the interest of the data subject;
4) The transfer is necessary or legally required on important public interest grounds, or necessary for the exercise or defense of a legal claim;
5) The transfer is necessary in order to protect the vital interests of the data subject; or
6) The transfer is made from a register which is intended to provide information to the public.[10]
In addition, under Article 26(2), a member state may authorize transfers to countries which do not meet the "adequate protection" requirement if the entity receiving the data provides adequate privacy protection guarantees. Article 26(2) specifically mentions that protections may be guaranteed by appropriate contractual clauses.[11]
Restrictions on data transfer by EU member countries would have a profound effect on the information industry, which includes credit bureaus, the direct marketing industry, financial services businesses, and other companies whose business depends on the transfer of personal data. However, restrictions would also affect many other companies whose businesses involve the transfer of relatively small amounts of personal data. As an example, multinational manufacturers may be restricted from transferring the personnel records of their European employees.
Moreover, because the EU takes such an all-encompassing approach to data protection, the Directive would also seem to affect entities with Web sites which collect personal data from site visitors, even if the entity does not actually transact business with anyone in the EU. In its Assessing Adequacy policy paper, the Commission indicated that it regards "transfers involving the collection of data in a particularly covert or clandestine manner (e.g. Internet cookies)" as transfers which "pose particular risks to privacy" requiring particular scrutiny in terms of "adequate protection."[12]
Other data transfers which the Commission indicated it considers "priority cases" requiring special scrutiny include those involving racial, political, religious, trade union, and health data, and those involving recruitment, promotion, and credit decisions. Repetitive transfers of massive volumes of data, and transfers where there is a risk to personal safety, a risk of serious embarrassment or tarnishing of reputation, a risk of financial loss, or a risk of intrusion into private life (such as unsolicited telephone calls), would also receive particular scrutiny.[13]
In its Assessing Adequacy policy paper, the Commission indicated it may develop a "white list" of countries which ensure adequate protection.[14] The Commission also indicated that those countries which have ratified the Council of Europe Convention 108 on data protection[15] would be included on the "white list" as long as the country has an appropriate regulatory mechanism and the country is the final destination of the data transfer.[16] In addition to the EU member countries,[17] Norway, Iceland, and Slovenia have ratified the convention.[18] Other countries will be evaluated according to the privacy policies in place. However, only a few other countries, such as New Zealand[19] and Switzerland,[20] have data protection statutes which cover information handling by private as well as public entities,[21] and would seem to qualify for the "white list" as countries.
In the policy paper, the Commission also mentioned that countries with data privacy protection legislation covering certain sectors might merit a "partial white listing," or that regulated industries would be included in a "white list of sectors within countries."[22] Such partial listings would seem appropriate for transfers of data to certain industry or government entities within the U.S., Canada, Australia, and Japan, which all have data privacy protection policies covering information handling by the federal governments and certain industry sectors.
Privacy Policy in the U.S.
In the U.S. there is an assortment of federal and state constitutional, statutory, and case law which provides informational privacy protections. Congress has responded to the need for informational privacy and security protections by enacting statutes in a piecemeal fashion to address specific privacy needs. For example, the Privacy Act[23] regulates federal government record-keeping, and there are statutes which regulate specific kinds of personal data, such as credit reports,[24] bank records,[25] and videotape rental records.[26] Several bills addressing privacy issues have been introduced in the 105th Congress,[27] but there has been no action on them.
There is substantial interest in data privacy issues on the part of the government, private industry, privacy advocates, and individuals. In 1997 alone, four separate federal government bodies issued lengthy reports on data privacy issues after extensive research.[28] The Federal Trade Commission (FTC) also held a four-day public hearing, in which privacy advocates and representatives of the information industry and of technology companies presented their views on the best means for protecting privacy.[29] Some proposed technological privacy protection measures have been endorsed both by industry groups and by some privacy advocates,[30] but these parties disagree on the most effective means for protecting privacy. In general, the information industry favors the use of self-regulatory measures for data privacy protection, which privacy advocates recognize as valuable components of privacy protection, but insufficient without some sort of enforcement mechanism.[31]
A number of information industry groups have issued voluntary codes of conduct and guidelines for fair information collection by their members.[32] Mandatory codes of conduct have recently been adopted by some industry groups.[33] For example, in December 1997, mandatory guidelines were issued by the Individual Reference Services Group (IRSG Group), which includes companies, such as LEXIS-NEXIS, which sell personal data via their online services; the three credit reporting companies, Equifax, Experian, and Trans Union; and other companies which sell personal information.[34] The IRSG guidelines require that annual compliance audits be conducted by independent third parties, and the guidelines prohibit members that are information suppliers from selling data to those found violating the guidelines.[35]
In July 1997, the Clinton Administration issued its A Framework for Global Electronic Commerce, which generally favors a laissez-faire, market-driven approach to regulating the Internet in an effort to stimulate electronic commerce.[36] The Administration indicated that it currently supports the use of self-regulatory codes of conduct by industry, along with technological privacy protection measures, as the preferred means for privacy protection.[37] In November 1997, an Administration official announced that the Administration will consider seeking data protection legislation if the private sector does not establish effective codes of conduct within eight months. The official stated that the Administration will look for codes of conduct that are backed up by an enforcement mechanism. This might take the form of a dispute resolution mechanism, such as an arbitration process included in the code of conduct, or an audit system to verify compliance with codes.[38] The official also suggested that the Federal Trade Commission might have a role in enforcing codes of conduct, for example, by instituting unfair trade practice actions against companies that fraudulently claim to follow a code.[39]
The FTC has announced that it may institute such actions under Section 5 of the Federal Trade Commission Act, which prohibits "unfair or deceptive acts or practices in or affecting commerce. . . ."[40] The FTC is also taking steps toward ensuring that U.S. Web sites follow fair information practices when collecting personal data. In March 1998, the FTC will conduct a comprehensive survey of U.S. commercial Web sites to determine how many provide privacy statements on their Web sites, and to evaluate the quality of the privacy statements. In evaluating quality, the FTC will use factors such as how prominently the privacy statement is posted and whether Web site visitors can "opt out" of any aspects of the information collection and handling process.[41] This follows a short survey of 126 child-oriented Web sites which the FTC conducted in October 1997, in which the FTC found that most of those sites collect personally identifiable information from children without seeking parental permission and without providing a privacy policy statement.[42] In its report regarding the study, the FTC indicated that it would notify the owners of the offending sites that their data collection practices may constitute deceptive or unfair practices, in that it is a deceptive practice to misrepresent the purpose for which information is being collected from children, and that it is likely to be an unfair practice to collect the information "and sell or otherwise disclose that information to third parties without providing parents with notice and the opportunity to control the collection and use of the information."[43]
Privacy Policy in Canada[44]
Canadians are also concerned about personal data privacy issues, and particularly those related to computerized information handling.[45] Canada has a federal privacy act[46] which regulates federal government information handling, and Canada also has a Privacy Commissioner[47] whose office oversees data protection by the federal government. Several of the provinces also have statutes regulating government information handling.[48] In 1993, the province of Quebec enacted a data protection statute[49] which took effect in 1994 and which contains data protection provisions similar to those of the EU Privacy Directive. Canada also has some sectoral legislation. For example, Canada's federal Bank Act was recently amended to require that financial institutions adopt privacy codes,[50] and most of the provinces have statutes regulating credit reporting practices.[51]
In 1996, Canada's Justice Minister, Allan Rock, indicated the government's intention to enact private sector legislation by the year 2000.[52] As in the U.S., industry groups have established model codes of conduct designed to establish minimum privacy policies, and thus give customers confidence that their personal information will be handled fairly. For example, the Canadian Direct Marketing Association established compulsory guidelines which require members to ask permission before sending marketing e-mail, and to inform visitors to their Web sites as to what personal information is being collected and how it will be used.[53] Moreover, the Canadian Standards Association established a Model Code for the Protection of Personal Information[54] recommended for adoption by all businesses.
Privacy Policy in Australia[55]
In 1988, Australia enacted a Privacy Act[56] which regulates the handling of personal information by federal government agencies, and also provides some protection for the use of credit information and tax file (taxpayer identification) numbers by the private sector as well as the public sector. Other Commonwealth laws contain privacy provisions which regulate data-matching and the use of criminal conviction and Medicare information.[57] Australia also has a Privacy Commissioner, who "administers Commonwealth privacy legislation" and whose functions include "investigating complaints about interference with the privacy of personal information" with regard to tax file numbers, consumer credit reporting, old criminal convictions, data-matching, Medicare, and medical research.[58]
It seemed that Australia was ready to enact comprehensive legislation regulating private sector information practices, until March 1997, when the government announced its preference for voluntary self-regulation to address private sector information handling issues "because of concerns about the costs of compliance with a legislatively based scheme."[59] At that time, the government also announced that the Privacy Commissioner would help businesses develop voluntary codes of conduct to meet privacy standards.[60] Thereafter, the Privacy Commissioner met with businesses, consumer groups, privacy advocates, and government representatives, and in August 1997 proposed a self-regulatory National Scheme for Fair Information Practices in the Private Sector.[61] The August 1997 version of the Scheme has three components: 1) standards for the fair handling of personal information; 2) processes for businesses to "sign on" to the Scheme, and for promoting and monitoring compliance; and 3) mechanisms for handling complaints regarding breaches of the standards and providing effective remedies for affected individuals.[62] Since August, the Privacy Commissioner has been holding a series of forums around the country to discuss the proposed scheme.[63]
Privacy Policy in Japan
Japan also has a privacy act[64] which regulates government data collection practices. With regard to private sector information handling, the government ministries which are responsible for industries involved in personal data collection have issued guidelines. These include:
Ministry of Finance, which issued guidelines in March 1986 on Information Handling . . . relating to the Establishment or Use of Credit Information Agencies by Financial Institutions;
Ministry of International Trade and Industry, which issued guidelines in March 1986 on Consumer Credit Information Management . . . at Consumer Credit Information Agencies, and which issued guidelines in March 1997 on Protection of Computer-processed Personal Data in the Private Sector;
Ministry of Posts and Telecommunications, which issued Guidelines on Personal Data Protection in Telecommunications in September 1991, and which issued Guidelines on the Protection of Subscriber Personal Data for the Audience of Broadcast Services in September 1996.[65]
Although the guidelines are not mandatory, the ministries will take appropriate measures where necessary.[66]
Meeting the Adequate Protection Requirements
As stated in its Assessing Adequacy policy paper, the European Commission has indicated that, without legislation or some other formal mechanism to enforce informational privacy rights, countries will not be regarded as providing adequate protection for the subjects of data transfers, and therefore, when the Directive takes effect, transborder data transfers to those countries will be prohibited.[67] However, recent pronouncements from Commission officials indicate flexibility towards other countries' privacy policies, including possible acceptance of some non-legislative solutions,[68] as well as a desire to avoid a trade war or a disruption in commerce.[69]
Commission officials have taken a close look at U.S. privacy policy and have found it adequate in some respects, but deficient in others. For example, according to EuroInfoTech, Susan Binns, an official in the Commission's directorate-general for financial services and the internal market, recently said that U.S. laws regulating the banking and telecommunications industries are "'pretty good,'" but that there are problems with the insurance industry and with the security of medical data. She also stated: "'Talks are on-going with the U.S. at various levels and we need some understanding before the directive comes into force. We are unlikely to bridge all the gaps but have to decide how to manage difficulties and avoid a disruption of commerce.'"[70] The Bureau of National Affairs (BNA) reported that John B. Richardson, deputy head of the European Commission's Washington delegation, said that the Commission is concerned about secondary uses of data, the sale of sensitive medical data without the consent of the data subject, and the aggregation of data from various sources to develop profiles of individuals, but that the EU is not looking for "'one hundred percent'" compliance with the Directive, but rather a "good level of overall compliance."[71] Richardson noted that protection is already high for certain types of information, such as credit data, and that legislation has been introduced to protect other types of information, such as medical data and personal information about children. He also noted that industry is developing codes of conduct, and that there is support within the U.S. for some sort of privacy body.[72]
Although Commission officials seem optimistic about some aspects of U.S. privacy policy, many have reservations about certain shortcomings. Officials are particularly concerned that the U.S. lacks sanctions for privacy violations, lacks redress for aggrieved individuals, and lacks requirements that individuals have access to their personal data. As reported by BNA, for example, the Commission's President, Jacques Santer, stated: "'We do not . . . consider that codes of conduct and technology alone will be enough to ensure effective global protection for personal data. In particular there is a need for sanctions and individuals must have guaranteed access to their personal data and a means of redress if their rights are violated.'"[73]
As an answer to the need for sanctions and for redress, Commission officials have indicated that the adoption of a regulatory body, which would sanction privacy violations as well as provide aggrieved individuals with an opportunity for redress, is necessary. For example, Richardson's optimism about U.S. privacy policy was due in part to the fact that there is support within the U.S. for some sort of privacy body.[74] BNA reported that Ulf Brühann, head of the Commission's Free Movement of Information and Data Protection Unit, stated that the Directive's adequate protection provisions require "'a system of enforceable sanctions, a public consultation system, a complaints mechanism, an independent arbitrator like an ombudsman or oversight agency, and possibly a degree of self-regulation.'"[75] BNA also reported that Commission official Binns stated this fall: "'We have not ruled out accepting a code of conduct for industry as a means of meeting our demands for protection of data transfers . . . But we are certainly concerned that if an individual had a complaint against a major corporation about the abuse of data transfer, then there is no watchdog group in the U.S. to turn to.'"[76] EuroInfoTech also reported that an unnamed senior EC spokeswoman [possibly Binns] stated that a "major step" for EU acceptance of U.S. privacy policy would be the setting up of a U.S. body to act as a link with EU data protection regulators and to deal with complaints.[77]
In light of these recent comments by EC officials, it would appear that the EU would be satisfied with the adoption of some sort of body which would be responsible for privacy issues and privacy complaints, and which would act as a liaison to the EU. It seems that Australia's Privacy Scheme, if formally adopted, would probably be considered an acceptable non-legislative solution: Australia's Privacy Commissioner would have responsibility for private sector as well as public sector information handling, and the Scheme provides a means of redress for aggrieved individuals. In Canada, the Privacy Commissioner, now responsible only for federal government information handling, could possibly assume responsibility for the private sector as well.
In the U.S., the Federal Trade Commission seems to have unofficially assumed the privacy watchdog role, at least with regard to the private sector.[78] The FTC has taken a lead in studying privacy issues and has experience with similar issues, for example, in enforcing the provisions of the Fair Credit Reporting Act (FCRA).[79] In addition, according to EuroInfoTech, some EC officials are impressed with U.S. proposals to use FTC powers to sanction companies in lieu of a special privacy regulator.[80] However, if the FTC officially assumes the role of privacy watchdog, there should also be an alternate means of redress for aggrieved individuals, such as the private right of action which the FCRA provides in addition to the FTC's administrative enforcement procedures. This is because the FTC does not act on behalf of individuals, but rather takes action against a company or industry when it has received a sufficient number of complaints. Also, whether it is the FTC which is designated as privacy watchdog for the U.S., another existing agency, or one created specifically to address privacy concerns, that agency should be given responsibility for government as well as private-sector information handling, so that U.S. data protection policy is comprehensive.
Even if the EU does not regard the U.S., Canada, Japan, or Australia as countries providing the required adequate protection, it seems very likely that data transfers to certain segments within these countries will be permitted because of national legislation covering these areas.[81] For example, in the U.S., the FCRA[82] quite comprehensively regulates the credit reporting industry, and Australia[83] and most Canadian provinces[84] also have similar laws regulating the credit industry.
Industries with codes of conduct containing enforcement provisions may also pass muster. As noted, some industry groups in the U.S. and Canada have recently adopted codes of conduct which provide substantial penalties for noncompliance. For instance, members of the Canadian Direct Marketing Association will lose their membership status if they violate the CDMA's compulsory Model Code for the Protection of Personal Information,[85] and information sellers which violate the IRSG Group's fair information practice guidelines will lose their sources of personal data.[86]
Web sites which prominently post policies explaining their personal information collection practices may also be acceptable. TRUSTe, a non-profit organization founded by CommerceNet and the Electronic Frontier Foundation, has developed a system to facilitate the monitoring of Web site privacy policies, in which registered Web sites display a TRUSTe certification, or "trustmark", which indicates the level of privacy protection provided by the site. TRUSTe will also audit the site periodically to ensure compliance.[87]
Possible Article 26 Solutions
For companies in industries or countries which do not meet the EU's adequate protection requirements, it is possible those entities will be permitted to receive data if they meet the requirements of Article 26. For example, transfers necessary for the performance of a contract between the data subject and the transferring entity, or where the data subject has consented to the transfer, will be permitted under Article 26(1).[88]
Other transfers may be permitted under Article 26(2) where the receiving entity contractually guarantees adequate protection for data subjects.[89] According to EuroInfoTech, German regulators have already approved one such contractual arrangement, between Deutsche Bundesbahn and Citibank.[90]
In its Assessing Adequacy policy paper, the Commission indicated that contractual provisions might not be sufficient to meet the requirements of Article 26(2).[91] However, it would seem that carefully-drafted contracts which ensure that data will be handled properly, and which give aggrieved individuals some sort of redress, possibly in the form of an arbitration opportunity, would be acceptable.
What steps should companies take to comply with the Directive?
In order to comply with the Directive, it is recommended that businesses establish effective privacy policies which ensure that all personal information will be handled in a manner which protects the privacy of the affected individual. These privacy policies should include provisions requiring that the entity conspicuously notify customers and employees of the entity's information handling procedures, including how and when personal information is collected and how it will be used. Companies may also want to draft contractual guarantees for data subjects in compliance with Article 26(2).
Owners of Web sites, whether or not they actually transact business with Europeans, should also heed the Directive. The personal information collected through on-site registration, e-mail communication, and online commerce is used by Web sites for various purposes, often without the knowledge of the affected individual. Even the most rudimentary Web server statistics sometimes reveal individually-identifiable information, depending on the user's Internet service provider. Although, on one hand, there is certainly some question as to how the EU would enforce the Directive against offending Web sites outside the EU, on the other hand, it is quite easy to post a privacy statement on a Web site[92] or to participate in a system such as TRUSTe's trustmark system.[93] Furthermore, posting a privacy policy on a Web site is a good business practice. Studies have shown that consumers are reluctant to transact business via the Internet due to privacy concerns, and also that many individuals have falsified information when registering to use Web sites because of privacy concerns.[94]
Conclusion
Federal laws providing comprehensive information privacy protections would no doubt meet the EU Privacy Directive's "adequate protection" requirements. A comprehensive law would require that all entities handle personal information in accordance with fair information practices, which include giving data subjects notice regarding the collection of personal information. A comprehensive law would also provide an enforcement mechanism, which would provide sanctions against violators as well as redress for aggrieved individuals. However, as noted, it seems unlikely that such legislation will be enacted in the U.S., Australia, Canada, and Japan by the time the Directive takes effect in October 1998, and therefore the EU might prohibit data transfers to these countries. It is possible, though, that these countries will be deemed to provide adequate protection in those areas for which there is data privacy protection, i.e., data transfers may be permitted to government entities covered by the federal privacy acts and to industries, such as the credit industry, which are regulated by legislation. It would also seem, based on recent pronouncements by EU officials, that the EU would accept the current national privacy policies as meeting the adequate protection requirements with some relatively minor enhancements. For example, the EU would seem willing to accept a privacy policy based on codes of conduct as long as there is a regulatory body responsible for data privacy matters, which would oversee enforcement of the codes, provide aggrieved individuals with an opportunity for redress of privacy violations, and act as a liaison to the EU.
There remain a number of questions about how entities in countries without comprehensive privacy legislation can go about meeting the requirements, and it is hoped that many of these uncertainties will be resolved within the next few months, in order to give entities the time to comply with the directive. In the meantime, industry organizations should develop compulsory codes of conduct. Individual entities should also develop privacy policies and contractual guarantees which ensure the protection of the personal information they collect, and should conspicuously post their policies on Web sites, or wherever appropriate. Although it is impossible to assess whether such efforts would meet the "adequate protection" requirements of the EU Privacy Directive, these steps would be a major step toward fair information handling. Furthermore, such steps would provide the added benefit of inspiring confidence in the entity's customers and employees that their personal information will be handled responsibly.
Susan E. Gindin is an attorney in Colorado who is particularly interested in electronic privacy and information security issues. Her article, Lost and Found in Cyberspace: Informational Privacy in the Age of the Internet, will soon be published in 34 SAN DIEGO LAW REVIEW (Aug.-Sept. 1997 forthcoming), and is available online at http://www.info-law.com/lost.html. The author thanks Tom Onyshko of Smith Lyons in Toronto, Michael J. Hudson of Melbourne, and Youichi Yasunaka, of the Administrative Management Bureau, Management and Coordination Agency, Prime Minister's Office in Tokyo, for their assistance with privacy policy in Canada, Australia, and Japan, respectively.

[1] Official Journal of the European Communities of 23 Nov 1995 No. L.281 p.31 [hereinafter "The Directive"]. An unofficial text of the Directive is available at http://aspe.os.dhhs.gov/datacncl/eudirect.htm.
[2] See, e.g., EuroInfoTech, Special Report: Protecting personal data . . . (Sept. 11, 1997), available for subscribers at http://www.hoise.com/eit/issues/eit0154c.html; and EC Officials Warn of Possibility of 1998 Trade Dispute Over Data Privacy, 2 Elec. Com. Law Rep. (BNA) 961 (Sept. 19, 1997).
[3] European Commission, First Orientations on Transfers of Personal Data to Third Countries: Possible Ways Forward in Assessing Adequacy, June 26, 1997, http://zeus.bna.com/e-law/docs/eudata1.html.
[4] See, e.g., Privacy International, Country Reports, http://www.privacy.org/pi/countries/.
[5] The Directive, Art. 2(a).
[6] Much personal information is available on the Internet and commercial online services, as well as in the computerized records of public and private sector entities. For a discussion of personal information which is available online, as well as transactional information which is collected as the individual participates online, see Susan E. Gindin, Lost and Found in Cyberspace: Informational Privacy in the Age of the Internet, 34 SAN DIEGO L. REV. (Aug.-Sept. 1997 forthcoming), http://www.info-law.com/lost.html.
[7] European Commission, Assessing Adequacy, supra n. 3.
[8] Id.
[9] Id.
[10] The Directive, Art. 26(1).
[11] The Directive, Art. 26(2).
[12] European Commission, Assessing Adequacy, supra n. 3.
[13] Id.
[14] Id.
[15] Council of Europe, Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data, Jan. 28, 1981, http://www.odpr.org/restofit/Legislation/Convention_108/contents108.html.
[16] European Commission, Assessing Adequacy, supra n. 3.
[17] Member states are: Austria, Belgium, Denmark, Finland, France, Germany, Greece, Ireland, Italy, Luxembourg, The Netherlands, Portugal, Spain, Sweden, United Kingdom; see http://www.europa.eu.int/en/eu/states.htm.
[18] European Commission, Assessing Adequacy, supra n. 3.
[19] The Privacy Act of 1993 (N.Z.), http://www.knowledge-basket.co.nz/privacy/legislation/legislation.html.
[20] Federal Law on Data Protection (June 19, 1992). For a copy of the law translated into English, see Business Guide to Privacy and Data Protection Legislation, 413 (Charles E.H. Franklin, ed., International Chamber of Commerce, 1996).
[21] See generally Business Guide to Privacy and Data Protection Legislation (Charles E.H. Franklin, ed., International Chamber of Commerce, 1996), which summarizes the data protection laws of 16 countries. Hong Kong also has data protection legislation which regulates the private sector as well as the public sector. See Personal Data (Privacy) Ordinance (Hong Kong), http://www.pco.org.hk/ord/section_00.html. See also Harry Hammitt, Data Protection and Privacy in Hong Kong, GOV'T TECH., Oct. 1997, http://www.govtech.net/1997/gt/oct/international/international.shtm, which discusses the possible impact of Chinese rule on Hong Kong's privacy protection policy.
[22] European Commission, Assessing Adequacy, supra n. 3.
[23] 5 U.S.C. § 552a et seq.
[24] Fair Credit Reporting Act, 15 U.S.C. § 1681 et seq.
[25] Right to Financial Privacy Act, 12 U.S.C. § 3401 et seq.
[26] Video Privacy Act, 18 U.S.C. § 2710 et seq. For other U.S. laws regulating informational privacy, see Gindin, supra n. 6.
[27] These include: Consumer Internet Privacy Protection Act of 1997 (H.R. 98, introduced by Rep. Bruce Vento of Minnesota); Social Security On-Line Privacy Protection Act of 1997 (H.R. 1287, introduced by Rep. Bob Franks of New Jersey); Children's Privacy Protection and Parental Empowerment Act (H.R. 1972, introduced by Rep. Bob Franks); Personal Information Privacy Act (S. 600, introduced by Sen. Dianne Feinstein of California; and H.R. 1813, introduced by Rep. Gerald Kleckzka of Wisconsin); Communications Privacy and Consumer Empowerment Act (H.R. 1964, introduced by Rep. Edward Markey of Massachusetts); and Data Privacy Act of 1997 (H.R. 2368, introduced by Rep. Billy Tauzin of Louisiana).
[28] National Telecommunications and Information Administration, Privacy and Self-Regulation in the Information Age, 1997, http://www.ntia.doc.gov/reports/privacy/selfreg1.htm; Federal Reserve Board, Report to the Congress Concerning the Availability of Consumer Identifying Information and Financial Fraud, Mar. 1997, http://www.bog.frb.fed.us/boarddocs/RptCongress/privacy.pdf; National Information Infrastructure Task Force, Options for Promoting Privacy on the National Information Infrastructure, April 1997, http://www.iitf.nist.gov/ipc/privacy.htm; and Federal Trade Commission, Individual Reference Services: A Report to Congress, Dec. 1997, http://www.ftc.gov/bcp/privacy2/irsdoc1.htm.
[29] Federal Trade Commission, Public Workshop on Consumer Information Privacy, June 10-13, 1997, http://www.ftc.gov/bcp/privacy2/index.html.
[30] For example, the Open Profiling Standard (OPS), proposed by Netscape and other Internet technology companies, which will give users control over the personal information they reveal online, and will also enable companies to gather personal information for marketing purposes and to personalize Internet services, has the support of about one hundred companies and some privacy groups. See http://home.netscape.com/flash4/newsref/pr/newsrelease411.html.
[31] See, e.g., Letter from representatives of the Center for Media Education, Privacy Rights Clearinghouse, Privacy Times, Electronic Frontier Foundation, Consumer Federation of America, Consumer Project on Technology, Electronic Privacy Information Center, and Privacy Journal to U.S. Sen. John McCain, Aug. 1, 1997, http://www.epic.org/privacy/databases/ftc_letter_0797.html.
[32] Voluntary information industry guidelines include: Fair Information Practices Guidelines, Information Industry Association, http://www.infoindustry.org/ppgrc/doclib/grdoc003.htm; and Principles on Notice and Choice Procedures for Online Information Collection and Distribution by Online Operators, Interactive Services Association (June 1997), http://www.isa.net/about/releases/970611pr.html.
[33] See, e.g., Federal Trade Commission, Individual Reference Services: A Report to Congress, FTC Release, Dec. 17, 1997, http://www.ftc.gov/opa/9712/inrefser.htm. See also Firms Not Abiding by Their Privacy Policies May Face Section 5 Action, FTC Official Says, 2 Elec. Com. Law Rep. (BNA) 1307 (Dec. 17, 1997), which reports that the Direct Marketing Association has adopted a mandatory code of conduct for its members which takes effect in July 1999.
[34] http://www.ftc.gov/opa/9712/inrefser.htm.
[35] Id.
[36] http://www.iitf.nist.gov/eleccomm/ecomm.htm.
[37] Id.
[38] Administration Won't Pursue Privacy Laws If Private Sector Initiatives Are Forthcoming, 2 Elec. Com. Law Rep. (BNA) 1207 (Nov. 19, 1997). The FTC has lauded the guidelines adopted by the IRSG Group, which require annual compliance audits. Federal Trade Commission, Individual Reference Services: A Report to Congress, FTC Release, Dec. 17, 1997, http://www.ftc.gov/opa/9712/inrefser.htm.
[39] Id.
[40] 15 U.S.C. § 45. See FTC Outlines Steps for Commission Action, FTC Release, July 31, 1997, at http://www.ftc.gov/opa/9707/congpri2.htm; and Firms Not Abiding by Their Privacy Policies May Face Section 5 Action, FTC Official Says, 2 Elec. Com. Law Rep. (BNA) 1307 (Dec. 17, 1997).
[41] Firms Not Abiding by Their Privacy Policies May Face Section 5 Action, FTC Official Says, 2 Elec. Com. Law Rep. (BNA) 1307 (Dec. 17, 1997).
[42] FTC Surfs Children's Web Sites to Review Privacy Practices: Most Are Collecting Data on Kids; Few Seek Parental Approval, FTC Release, Dec. 15, 1997, http://www.ftc.gov/opa/9712/kids.htm.
[43] Id. The FTC announced plans to contact owners of those child-oriented sites which were found to be collecting personal information from children without seeking parental permission and without providing a privacy policy statement, advising:
(1) it is a deceptive practice expressly or impliedly to misrepresent the purpose for which personally identifiable information is being collected from children, and
(2) it is likely to be an unfair practice to collect personally identifiable information from children and sell or otherwise disclose that information to third parties without providing parents with adequate notice and an opportunity to control the collection and use of the information. Id.
For an excellent discussion of issues relating to children's Internet privacy, including a description of the various tactics used by many child-oriented Web sites to obtain personal information from children, see Federal Trade Commission, "Children and Privacy Online," Consumer Privacy and the Global Information Infrastructure, 1996, http://www.ftc.gov/reports/privacy/privacy5.htm.
[44] See generally Tom Onyshko, Smith Lyons, Privacy, Access to Information and Transborder Data Transfer, May 1997, http://www.smithlyons.ca/it/privacy/.
[45] See, e.g., Privacy Commissioner of Canada, Protecting Privacy on the Information Highway: Response of the Privacy Commissioner of Canada to Privacy and the Canadian Information Highway, Dec. 23, 1994, at http://infoweb.magi.com/~privcan/pubs/infohig.txt.
[46] R.S.C. 1985, c. P-21; http://canada.justice.gc.ca/STABLE/EN/Laws/Chap/P/P-21.html.
[47] http://infoweb.magi.com/~privcan.
[48] See Onyshko, supra n. 44.
[49] An Act respecting the protection of personal information in the private sector, S.Q. 1993, c. 17.
[50] Tom S. Onyshko, Privacy and Personal Information Collected Through Web Sites, Sept. 17, 1997, at 9.
[51] Id. at 8.
[52] Id. at 12.
[53] http://www.cdma.org/new/nr_internet.html.
[54] Canadian Standards Association, Model Code for the Protection of Personal Information: A National Standard of Canada, 1996, http://www.csa.ca/Q830tocg.htm.
[55] See generally Privacy Commissioner, Information Privacy in Australia: A National Scheme for Fair Information Practices in the Private Sector, Aug. 1997, http://www2.austlii.edu.au/itlaw/national_scheme/national-INFORMAT.html [hereinafter National Scheme].
[56] Privacy Act 1988, http://www.austlii.edu.au/au/legis/cth/consol_act/pa1988108/.
[57] Privacy Commissioner's Office, Privacy, Aug. 18, 1997, http://www.austlii.edu.au/hreoc/privacy/privacy.htm.
[58] Id.
[59] Overview, National Scheme, http://www2.austlii.edu.au/itlaw/national_scheme/national-OVERVIEW.html.
[60] Foreword, National Scheme, http://www2.austlii.edu.au/itlaw/national_scheme/national-FOREWORD.html.
[61] Id.
[62] What This Paper Contains, National Scheme,
[63] Foreword, National Scheme, http://www2.austlii.edu.au/itlaw/national_scheme/national-FOREWORD.html.
[64] Act for Protection of Computer-Processed Personal Data Held by Administrative Organs, Law No. 95 of 1988. For a copy of the law translated into English, see Business Guide to Privacy and Data Protection Legislation, 285 (Charles E.H. Franklin, ed., International Chamber of Commerce, 1996).
[65] E-mail message from Youichi Yasunaka, Government Information Systems Planning Division, Administrative Management Bureau, Management and Coordination Agency, Prime Minister's Office, Japan, to Susan Gindin (Dec. 1, 1997) (on file with author).
[67] European Commission, Assessing Adequacy, supra n. 3.
[68] See, e.g., Senior EU official sees U.S. offering 'mozaic' of rules on data protection, EuroInfoTech (Nov. 20, 1997), available for subscribers at http://www.hoise.com/eit/issues/eit0159.html; and EU Delegate Optimistic Over Prospect of U.S. Meeting European Privacy Standards, 2 Elec. Com. Law Rep. (BNA) 1095 (Oct. 24, 1997).
[69] See, e.g., Senior EU official sees U.S. offering 'mozaic' of rules on data protection, EuroInfoTech (Nov. 20, 1997), available for subscribers at http://www.hoise.com/eit/issues/eit0159.html; and EU's Monti launches data protection talks with major trading partners, EuroInfoTech (Oct. 24, 1997), http://www.hoise.com/eit/issues/eit0134.html.
[70] Senior EU official sees U.S. offering 'mozaic' of rules on data protection, EuroInfoTech (Nov. 20, 1997), available for subscribers at http://www.hoise.com/eit/issues/eit0159.html.
[71] EU Delegate Optimistic Over Prospect of U.S. Meeting European Privacy Standards, 2 Elec. Com. Law Rep. (BNA) 1095 (Oct. 24, 1997).
[72] Id.
[73] EC Officials Warn of Possibility of 1998 Trade Dispute Over Data Privacy, 2 Elec. Com. Law Rep. (BNA) 961 (Sept. 19, 1997).
[74] See EU Delegate, supra n. 71.
[75] U.S. Move to Privacy Legislation Seen as 'Inevitable' Over Long Term, 2 Elec. Com. Law Rep. (BNA) 1018 (Oct. 3, 1997).
[76] See EC Officials Warn, supra n. 73.
[77] Bonn: EU sees 'big problem' with U.S. in personal data transmission regulations, EuroInfoTech (July 17, 1997), available for subscribers at http://www.hoise.com/eit/issues/eit0152.html. See also Berlin data privacy regulator says Internet users should not be tracked, EuroInfoTech (Sept. 25, 1997), available for subscribers at http://www.hoise.com/eit/issues/eit0155.html, for statements by a German data commissioner echoing the need for an independent supervisory body.
[78] For a detailed discussion of the pros and cons of various potential privacy entities in the U.S., see National Information Infrastructure Task Force, Options for Promoting Privacy on the National Information Infrastructure, supra n. 28.
[79] 15 U.S.C. § 1681 et seq.
[80] See Senior EU official, supra n. 70.
[81] See generally Peter P. Swire & Robert E. Litan, "Preparing to Assess the Transborder Effects of the Directive [Chap. 3]," None of Your Business: World Data Flows, Electronic Commerce, and the European Privacy Directive (forthcoming 1998); Interim Report Issued for a Conference of the Brookings Institution, Oct. 21, 1997, http://www.osu.edu/units/law/swire1/noyb.htm.
[82] 15 U.S.C. § 1681 et seq.
[83] See text accompanying nn. 57-58.
[84] See text accompanying n. 51.
[85] See text accompanying n. 53.
[86] See text accompanying nn. 34-35.
[87] http://www.etrust.org.
[88] See text accompanying n. 10.
[89] See text accompanying n. 11. For a discussion of contractual privacy protection issues, see Paul M. Schwartz & Joel R. Reidenberg, DATA PRIVACY LAW, 1996, at § 14-4(b).
[90] Senior EU official, supra n. 70.
[91] European Commission, Assessing Adequacy, supra n. 3.
[92] The Direct Marketing Association provides a Web site with a fill-in-the-blanks template for creating a privacy policy. Allow the DMA to help you set up your own Company's Privacy Policy Online, 1997, http://www.the-dma.org/ [under Privacy Action; Direct Marketers]. See also Privacy and American Business, Handbook of Company Privacy Codes, Oct. 1994.
[93] See text accompanying n. 79.
[94] See TRUSTe, Privacy Studies and Research Reveal Concern, 1997, at http://www.etrust.org/ [under For Web Publishers; Privacy Pays], which reports the results of several recent privacy studies. For example, the TRUSTe Internet Privacy Study, conducted by the Boston Consulting Group in 1997, revealed that consumers' concerns regarding the privacy of personal information on the Internet greatly limit their commercial Internet activity. The Boston Consulting Group estimated that if consumers' concerns are resolved, Internet commerce revenues will increase by at least $6 billion by the year 2000. Another study conducted by A.F. Westin also indicated Americans' deep concerns about how personal information is being used. A 1997 study conducted by the Graphics Visualization and Usability Center at Georgia Institute of Technology also revealed that 40% of respondents had given false information at least once when registering at a Web site, mainly due to privacy concerns.

Copyright © 1998 Susan E. Gindin