In late March 2010, differences between European and American privacy law again hit the press. Such differences have been highlighted several times since 9/11, perhaps most publicly during the SWIFT imbroglio of 2005, when the U.S. Treasury Department ordered that international financial transaction clearing house to give it access to transactions in violation of the European Union Constitution. Privacy of air traveler information has also long been an area of conflict between Europe and the U.S.
This time, it concerned Facebook, the social networking site, which allows users to upload personal information about people who are not registered on that site. This is an especially sensitive issue not only for the European Union, but also for member countries such as Switzerland, which has especially strong privacy laws, and Italy, where Google officials were criminally convicted after a video was found to have been illegally posted by a user.
Coming on the heels of the U.S. Justice Department's March 8 disclosure[1] that its Computer Crime and Intellectual Property Section monitors people on social networking sites (not just criminals, but witnesses and experts[2]) and that DOJ agents may assume false identities for that purpose in violation of such sites' terms of service, the Facebook issue caused a media storm so powerful that it briefly eclipsed the blogosphere's discussion of medical privacy.[3]
So what are the fundamental differences in the American and European approaches to privacy law? Can they be resolved? According to the Congressional Research Service:
The [commercially-] related issue of data privacy rights has also been a source of some friction. While the EU supports strict legal regulations on gathering consumer's personal data, the United States has advocated a self-regulated approach. Controversy emerged when the EU in 1995 adopted a directive forbidding the export of personal information outside EU member states unless the privacy laws in the country to which the information is to be received are deemed "adequate" by the EU. The fact that this list of countries did not include the United States, combined with the need for U.S. companies to be able to move data from Europe to the United States, prompted the creation of the "Safe Harbor" agreement of 2000. This mechanism allows U.S. companies within the jurisdiction of the Federal Trade Commission to comply with the EU Directive if they enroll with the Commerce Department, publicize that they will comply with the safe harbor rules, and recertify their compliance annually. As of December 2005, 837 U.S. companies were certified to the safe harbor program.[4]
The Safe Harbor Agreement ("SFA") referred to in the quotation above attempts to reconcile the European and American positions on privacy. Jesse Sowell of the Massachusetts Institute of Technology suggests that the fundamental tension is between the American preference for economic efficiency and free information flow and the European concern for individual privacy rights. While the American privacy model is "normatively liberal" or "reactive," Europe's is "socially protective" and "proactive."[5] Under the SFA, European privacy practices are to be governed by "data authorities," while American practices are to be subject to "self-regulation enforced by market and reputation."[6] Sowell offers three possibilities:
- Privacy policies will comply with the intentions of the European model and the SFA;
- Privacy policies won't comply with the intentions of the European model and the SFA; or
- Privacy policies will comply with the black letter of the SFA but not its intent, making the SFA an "empty formalism."
Which is more desirable, the American or European model? The answer partly depends on the value individuals place on their personal information. Sowell points out that the contract between individuals and Internet providers is that individuals provide personal information in exchange for the providers' services.[7] However, he says, the contract is not fair, because providers don't disclose what they do with the personal information, and have superior bargaining power, so that individuals can neither fairly bargain nor verify if the trade is in their interests.
Then too, one's answer may depend on whose ox is being gored. The American model exalts the free flow of information - about other people. The case law databases are full of lawsuits over allegedly confidential information. And when CNET.com published an article disclosing some of Google chairman Eric Schmidt's personal information in July 2005,[8] CNN reported that Google had blackballed CNET reporters for a year.
What do you think? Please let me know.
[1] Available at http://www.eff.org/files/filenode/social_network/20100303__crim_socialnetworking.pdf. The document was disclosed pursuant to a Freedom of Information Act lawsuit by the Electronic Frontier Foundation.
[2] DoJ's preferred site for identifying experts is LinkedIn.com.
[3] Nielsen's BlogPulse, Mar. 27, 2010.
[4] Raymond J. Ahearn, U.S.-European Union Trade Relations: Issues and Policy Challenges, a Congressional Research Service Issue Brief for Congress, Order Code IB10087 (updated Jan. 26, 2006) at 11.
[5] Jesse Sowell, "The Efficacy of the U.S. Safe Harbor Agreement," available at http://dig.csail.mit.edu/2009/Talks/0518-f2fLightiningTalk-js/pres1.pdf.
[6] Id.
[7] Id.
[8] Elinor Mills, "Google Balances Privacy, Reach," CNET News (July 14, 2005), available at http://news.cnet.com/Google-balances-privacy,-reach/2100-1032_3-5787483.html.