Privacy and Data Protection: IT Law
1.) An old issue, growing in importance
Searching the web, one can see that privacy on the Internet is a big issue. Countless US- or EU-based human rights initiatives are fighting for the right to privacy. What is the reason for this?
Although concerns about consumers’ ability to protect their privacy have existed for decades, the Internet makes the issue more delicate: Businesses have access to a larger audience, which allows them to collect more data from more people. Furthermore, the collection of more specific behavioural information becomes possible by storing cookies on a user’s hard drive, which report which websites someone visits.1 In addition, since data collection and storage have become much easier, faster and cheaper, cost concerns no longer limit data-collection practices.2
At the same time, the market for information about consumers and consumer behaviour is continuously growing, side by side with the expansion of e-commerce.
2.) Definition of the issue
Privacy can be defined as “the right of the individual to be protected against intrusion into his personal life or affairs, or those of his family, by direct physical means or by publication of information.”3 This paper will focus purely on information privacy, also known as “data protection”, which means the rules governing the collection and handling of personal data such as a person’s name, address, phone number, family status, social security or other identification number, or even medical, financial or government records. Data protection concerns the process of gathering, storing, analysing and distributing personal data. Privacy issues can be divided into relations with the public sector and relations with the private sector.4 In this paper, I will concentrate on the private sector, which is especially relevant because of the growing importance of e-commerce.
3.) Fundamentally different approaches in the US and the EU
Europe and the US have very different approaches to data protection and privacy. In 250 years, nations on each side of the Atlantic have evolved their democracies into distinct forms of society and market economy. Differences in culture, policies and society are the consequence.
a.) Government Interference vs. Self-Regulation
As discussed in seminar one, there is an ongoing dispute regarding the approach to choosing an apt legal framework for the public and transnational sphere of cyberspace: Some scholars want governments to interfere as little as possible, others see the need for a unified legal framework. It seems that, concerning the privacy issue, the EU has chosen the latter option, by imposing a comprehensive, general law governing the collection, use and dissemination of data by the public and private sectors, whose enforcement is assured by an oversight body. The US tends to rely on sectoral laws, and on self-regulation for the rest.
b.) The Human Rights aspect
In most EU member states, the issue of privacy traditionally implies a human rights aspect. This approach has found its way into the 1995 Directive: According to its Article 1, it aims to protect the fundamental rights and freedoms of natural persons, in particular their right to privacy, with respect to the processing of personal data. The concept of privacy as a fundamental right can also be found in Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms 1950 (ECHR)5 and Article 8 of the EU Charter of Fundamental Rights of 7 December 2000.6
Despite the fact that the “right to be let alone” is a principle of US law and the First, Third, Fourth, Fifth, Ninth, and Fourteenth Amendments contain elements of privacy rights, the right to informational privacy as a fundamental right is not acknowledged in the US.7 The data-processing industry argues against such a right by citing the Bill of Rights itself: The First Amendment, which guarantees free speech, is often invoked as an argument why the European approach would not work in the US: Since the freedom of speech is written down explicitly in the Bill of Rights, it is superior to the only implicitly mentioned right to privacy.8 The Supreme Court has ruled, though, that mere advertising is lower speech and can be regulated, but the choice has to be given to the individual (opt-out).9 Data processors also invoke the Fifth Amendment, which guarantees the right to property, but this argument is even more controversial.10
II. Privacy Law in Europe: a comprehensive, general law
1.) The Directives
The general opinion in Europe is that the legislator has a role in ensuring that individuals retain some degree of control over the use of their personal data. This role is played by balancing the interest that society has in protecting the privacy of the individual against the weight of commercial concerns.11 In addition, intervention by the European legislator was seen as necessary for economic reasons: At the beginning of the 1990s, some member states, for example Greece and Italy, did not have any privacy legislation at all, whilst in other member states personal data was strongly protected. This divergence threatened to inhibit the achievement of the Single Market. Therefore, the EU elaborated a framework constituting a comprehensive and general privacy law, to be implemented in the national laws of member states.
a.) The 1995 Directive
The drafting process of the Directive illustrates the conflicting ideas of member states. Despite the existence of the Council of Europe’s Convention on the Automated Processing of Personal Data of 1981,12 it took member states 5 years to agree on a suitable legal framework: The initial Draft was introduced in 1990, and a redrafting took place in 1992.13 Divergences occurred between Germany’s very strong human rights approach on the one side, and the UK, Denmark and Ireland, not wanting to go further than the Council’s Convention of 1981, on the other side. Heavy lobbying by the banking sector and the medical research sector did not make things easier.14 Not until 1995 did the EU manage to enact the Data Protection Directive.
The Directive aims to harmonise member states’ laws, providing for a consistent level of protection for citizens in order to ensure the free flow of personal data within the EU.15 It applies to personal information in electronic as well as in manual files (Art. 2(c)). It does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity (Art. 3) or in the course of an activity falling outside the scope of Community law, such as operations concerning public security, defence or State security.16 The terms “personal data” and “processing” are broadly defined, as can be seen in Article 2(a) and 2(b). Data subjects have rights established in explicit and enforceable rules. Every EU country has a data protection commissioner or agency enforcing the rules (Art. 28). The Directive also provides for remedies in case of its breach.17
The basic principles18 established by the Directive are:
The right to know where the data originated;
The right to have inaccurate data rectified;
A right of recourse in the event of unlawful processing;
The right to withhold permission to use data in some circumstances.
In addition, individuals have the right to opt-out free of charge from being sent direct marketing material (Art. 14). Sensitive personal data relating, for example, to health, sex life or religious or philosophical beliefs is specifically protected (Art. 8).
Member states have to ensure that personal information relating to European citizens has an adequate level of protection when it is exported to, and processed in, countries outside the EU (Art. 25). In relation to the US, this has led to the so-called “Safe Harbor” agreement, discussed below.
b.) The 2002 Directive19
Originally, the Directive’s sole aim was to strengthen privacy rights for individuals by extending the existing protections to a broader category of “electronic communications.” But during the process, the Council of Ministers brought up the issue of data retention provisions for law enforcement purposes: Internet Service Providers and telecommunications operators should store logs of all phone calls, e-mails, faxes, and Internet activity. After initially strong opposition from Parliament, the change in the political climate after September 11, 2001 enabled the EU to adopt the new Privacy and Electronic Communications Directive, including the data retention provisions, on June 25, 2002.20
Directive 2002/58/EC is part of the “Telecoms Package” governing electronic communications, which includes four other Directives (on the general framework, access and interconnection, authorisation and licensing, and universal service); it repeals Directive 97/66/EC on Telecommunications Privacy.21
Member states must ensure the confidentiality of communications made over a public communications network by prohibiting listening, tapping and storage of communications by persons other than users (Art. 5).
Regarding data retention, member states may withdraw data protection to allow criminal investigations or to safeguard national security, defence and public security, but only where this constitutes a “necessary, appropriate and proportionate measure within a democratic society.” (Art. 15(1))
The Directive takes an “opt-in” approach to unsolicited commercial electronic communications (spam), i.e. users must have given their prior consent before such messages are addressed to them. This system also covers other electronic messages (SMS) received on any fixed or mobile terminal (Art. 13).
Marketers must use legitimate addresses and include an easy way to opt out in every message (Art. 6(3) and 13(2)). Records of subscribers’ traffic must be erased when the information is no longer necessary for the purpose of communication billing (Art. 6(1)). Online traffic and location data may only be held in the consumers’ name for the duration of the billing period or the length of the contract. For further processing, or for further use in marketing, the data may only be used anonymously (Art. 9(1)).
Subscribers must be informed of the purpose of any directory including private information. The ability to review and withdraw from any directory must be provided free of charge (Art. 12).22
With regards to cookies, the Directive stipulates that users should have the opportunity to refuse to have a cookie or similar device stored on their terminal equipment. To that end, users must also be provided with clear and precise information on the purposes and role of cookies (Art. 14).
The Directive stipulates that European citizens will have to give prior consent in order for their telephone numbers (fixed or mobile), e-mail addresses and physical addresses to appear in public directories.
2.) Overview of the transposition in the member states
Concerning the 1995 Directive, implementation was a slow process. The Commission had to act against some of the member states before the Court to force them to implement the Directive.23
The first report from the Commission on the implementation of the 1995 Directive shows that the Directive managed to establish a level of harmonisation, so that the Internal Market is not inhibited further. But the former divergences survive in the different ways the Directive has been transposed into national laws, and according to the Commission’s Report, although they do not violate EU law, the gaps are still judged to be too big. The overall policy objectives going beyond mere free movement, namely to provide a level playing field for economic operators in different member states, to simplify the regulatory environment in the interests of both good governance and competitiveness, and to encourage cross-border activity within the EU, are not fulfilled. Representatives of business interests continue to complain that disparities prevent multinationals from developing pan-European policies on data protection.24
As to the 2002 Directive, it is too early to give an overall estimation of the implementation process, the deadline having elapsed only last month. But according to the eighth report on the implementation of the regulatory package, action needs to be taken to improve the low level of harmonisation regarding the retention of traffic data in the member states, both for billing and other purposes, since it entails a financial burden on operators and has an impact in particular on cross-border players.25