Over the last few years, consumers, employees, the press, and government officials have all started paying closer attention to how businesses use, collect, and distribute personal information of individuals. In the United States, the Federal Trade Commission (FTC) took the lead on this around 1997 when it started holding hearings on how the “look-up industry” used personal information. These hearings focused on the major data companies in the United States (Lexis-Nexis, Trans Union, Equifax, Acxiom, and CDB Infotek) and a number of other credit bureaus and data companies. As a result of the hearings, the FTC convinced data companies that they should establish self-regulatory procedures. These major data companies formed the Individual Reference Services Group (the “IRSG”), which maintains a web site at http://www.irsg.org.
Following the efforts of the IRSG, there was the formation of the Online Privacy Alliance (http://www.privacyalliance.org), Trust-e (http://www.truste.org), Better Business Bureau Online (http://www.bbbonline.org), and other similar organizations. All of these were established by businesses as an effort to fend off new privacy legislation. All of them are, to some extent, governed by the same businesses they purport to supervise. And all of them tend to take a passive approach to privacy regulation on the Internet.
Most of these organizations charge a nominal fee for membership. Most of them have on-line questionnaires that they ask the businesses to complete. However, these organizations do not maintain any ongoing, regular supervision of the businesses they purport to supervise. And, most importantly, they all set the minimal standards for privacy protection rather than the standards imposed by 40 of the most developed nations, including most of the members of the Organisation for Economic Co-operation and Development (“OECD”) and the European Union (“EU”).
The European Union comprises about 15 member states (an additional 8 nations are awaiting EU membership), including those that constitute most of Western Europe. The EU currently has approximately 365 million residents. And there are about 40 nations in total that are adopting privacy laws designed to meet the EU standards. This means that there are about 1 billion citizens in nations that are adopting the privacy laws of the EU.
The EU privacy laws are based upon the Directive on Data Privacy (effective October 1998). Under the EU Directive on Data Privacy, a country that does not provide “adequate protection” to ensure the privacy of its citizens can have all data flows from the EU shut off. The United States, for example, is not considered to be providing adequate protection. Unless certain procedures are adopted, American companies and/or Internet companies will not be able to process any personal data on individuals who are residents of the European Union, or of any of the other countries that have adopted the same sort of procedures as the EU. An Internet company in the U.S., for example, could not take personal information from a citizen of the EU in order to ship goods to that customer in the EU. An American corporation with its headquarters in the United States would not be able to send personnel information to the U.S. for making decisions on staffing, etc.
The possibility of reducing data flow between the U.S. and Europe threatens almost $1 trillion per year in information and services between the U.S. and Europe. In order to avoid such a dire result, the U.S. and the EU have negotiated a “Safe Harbor” agreement that allows U.S. companies to certify that they will comply with the EU Directive on Data Privacy—without having to first register and comply with the bureaucratic procedures established by the EU Directive.
The U.S. and the EU announced a Safe Harbor Agreement on Dec. 15, 1999. The Safe Harbor program is not a way for U.S. companies to avoid the EU Directive on Data Privacy; rather, it is simply a way for U.S. companies to avoid having to comply with the bureaucratic application process required by the Directive. In short, American companies will be able to self-certify that they will comply with the requirements of the Directive on Data Privacy. This can still be challenged at a later date, but the self-certification carries with it a presumption that the U.S. company is in compliance.
The principles of the Directive on Data Privacy comprise the requirement that personal data shall be processed fairly and lawfully. This requirement has several components. The most important component for present purposes is that an individual must have given explicit consent to the processing of the individual's personal information. “Consent” is defined as “ . . . any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.” Another important requirement is that “[p]ersonal data shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.”
The Directive establishes a number of rights for individuals with respect to personal data about them held by others. Very briefly, these rights comprise: (1) right of access to data; (2) right to prevent processing likely to cause damage or distress; (3) right to prevent processing for direct marketing; (4) right to know certain information about automated decision-making; (5) right to take action for compensation for damages; and (6) right to take action to rectify, block, erase or destroy inaccurate data.
Most privacy seal programs are funded and run by the companies that are being supervised. This places in doubt the reliability and impartiality of such programs. Indeed, in two well-publicized privacy breaches by its member companies, one organization refused to intervene because of the relationships that the member companies had with the organization. Also, a recent joint project of the Office of the Information and Privacy Commissioner of Ontario and the Federal Privacy Commissioner of Australia noted numerous inadequacies of the current seal programs.