European Privacy Law May Threaten U.S. Businesses, Expert Says

October 30, 1998

COLUMBUS, Ohio -- Many U.S. companies face possible legal troubles and disruption of their business overseas because of a tough new European privacy law, according to a new book co-authored by an Ohio State University law professor.

In their book None of Your Business: World Data Flows, Electronic Commerce, and the European Privacy Directive (1998, Brookings Institution Press), co-authors Peter P. Swire, Ohio State professor of law, and Brookings Institution economist Robert Litan detail effects of the European Union Data Protection Directive, which went into effect Oct. 25.

The EU directive imposes a minimum standard of data privacy protection in Europe for the EU's 370 million citizens. The directive broadly defines personal data as "any information relating to an identified or identifiable natural person," including phone numbers, e-mail addresses and any other information that can be linked to a specific person.

"The big rule is that after October, data can't be transferred to countries that lack "adequate" protection. And the EU will not make a finding that the United States has adequate protection," Swire said. "Nor has it said it is inadequate across the board. So all transfers to the United States are potentially at risk under the new law." Swire said the book's primary purpose is to alert American businesses about the effects of the new requirements.

"Although it is unclear how strictly these rules will be enforced under the directive," he said, "any company with European operations should examine its own privacy practices to make sure they comply with European laws." Industries such as health care, airlines, direct marketing, higher education and even the news media are likely to struggle the most with the new standards, Swire suggested. "Some U.S. marketing practices would be directly against the European Union law," he said.

Investment banking operations, auditing practices and human resources records -- even something as basic as the creation of e-mail or telephone directories -- also could be hit particularly hard by the new rules. U.S. reporters accustomed to First Amendment protections may encounter restrictions on reporting of personal information about people in Europe, including Americans. And European consumers may be prevented from buying products from U.S. World Wide Web sites.

"Europeans begin with the assumption that information belongs to individuals, and use of data involves the human rights of the individual," Swire said. "American businesses have often taken the position that they own rights to information and have the right to use it as they see fit."

Swire and Litan propose that affected organizations in the United States consider adopting self-regulatory measures designed to bridge the gap between European and U.S. privacy laws. Swire is part of a national team of legal experts developing model contracts that U.S. companies could use when they transfer personal data out of Europe. The contracts would serve as a guarantee that American companies would comply with the EU directive despite the less stringent approach to privacy protection in the United States.

"Without contracts, many transfers would violate the language of the law," Swire said. "We recommend to Europe that they support the model contracts approach. In the EU's first official statement on this, it said contracts would rarely be used. But more recently, the EU has recognized that contracts are an essential component to allowing companies to comply in good faith."

The authors also propose the creation of an Office of Electronic Commerce and Privacy Policy in the U.S. Department of Commerce to provide an ongoing institutional mechanism for handling the range of privacy and electronic commerce issues sure to develop in the Internet Age. For the time being they do not, however, recommend a comprehensive regulatory approach to data protection in the United States.

The EU directive was adopted three years ago and went into effect on Oct. 25, requiring each member state to pass national legislation that complies with the directive's minimum standards. It requires that individuals: be told how personal data about them will be used; receive an opportunity to see and correct data held by companies; be given notice before data is forwarded to a third party for marketing purposes; and may opt out of such marketing free of charge. The directive also calls for establishment of a national privacy agency in each of the 15 EU countries.

The regulations do not apply to information passing through Europe only in transit or to data used for entirely nonbusiness purposes. The directive allows for exceptions to the restrictions if the individual in question gives unambiguous consent in advance of the transfer; if personal information is needed to complete a transaction, such as a shipment into Europe; or if a contract between a U.S. and European business indicates European standards will be followed in the United States.

If companies improperly process data in Europe or send it abroad illegally, national authorities will be able to seek injunctions, fines and even criminal sanctions in extreme cases. The directive also requires that people whose data is mishandled be allowed to seek compensation.
Contact: Peter P. Swire
(614) 292-2547

Written by Emily Caldwell
(614) 292-8309

Ohio State University

Related Privacy Articles from Brightsurf:

Yale team finds way to protect genetic privacy in research
In a new report, a team of Yale scientists has developed a way to protect people's private genetic information while preserving the benefits of a free exchange of functional genomics data between researchers.

Researchers simulate privacy leaks in functional genomics studies
In a study publishing November 12 in the journal Cell, a team of investigators demonstrates that it's possible to de-identify raw functional genomics data to ensure patient privacy.

Some children at higher risk of privacy violations from digital apps
While federal privacy laws prohibit digital platforms from storing and sharing children's personal information, those rules aren't always enforced, researchers find.

COVID-19 symptom tracker ensures privacy during isolation
An online COVID-19 symptom tracking tool developed by researchers at Georgetown University Medical Center ensures a person's confidentiality while being able to actively monitor their symptoms.

New research reveals privacy risks of home security cameras
An international study has used data from a major home Internet Protocol (IP) security camera provider to evaluate potential privacy risks for users.

Researcher develops tool to protect children's online privacy
A University of Texas at Dallas study of 100 mobile apps for kids found that 72 violated a federal law aimed at protecting children's online privacy.

Do COVID-19 apps protect your privacy?
Many mobile apps that track the spread of COVID-19 ask for personal data but don't indicate the information will be secure.

COVID-19 contact tracing apps: 8 privacy questions governments should ask
Imperial experts have posed eight privacy questions governments should consider when developing coronavirus contact tracing apps.

New security system to revolutionise communications privacy
A new uncrackable security system created by researchers at King Abdullah University of Science and Technology (KAUST), the University of St Andrews and the Center for Unconventional Processes of Sciences (CUP Sciences) is set to revolutionize communications privacy.

Mayo Clinic studies patient privacy in MRI research
Though identifying data typically are removed from medical image files before they are shared for research, a Mayo Clinic study finds that this may not be enough to protect patient privacy.

Read More: Privacy News and Privacy Current Events is a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for sites to earn advertising fees by advertising and linking to