Privacy and Data Protection: IT Law


IT Law (Public Law Aspects)

Seminar 4: Privacy and Data Protection

Seminar Paper: The matter of transfer of personal data to a third country particularly in relation to the differences between the EU and the US; The Safe Harbor Principle

Teacher: Dr. Gerrit Betlem and Mr. Martin Truman

Student: Katharina v. Boehm-Bezing

I. Introduction

1.) An old issue, growing in importance

Searching the web, one can see that privacy on the Internet is a big issue. Countless US or EU based human rights initiatives are fighting for the right to privacy. What is the reason for this?

Although concerns about consumers’ ability to protect their privacy have been in existence for decades, the Internet makes the issue more delicate: Businesses have access to a larger audience, which allows them to collect more data from more people. Furthermore, the collection of more specific behavioural information is possible by attaching cookies to a hard drive, which report which websites someone enters. In addition, since data collection and storage have become much easier, faster and cheaper, cost concerns do not limit data-collection practices.

At the same time, the market for information about consumers and consumer behaviour is continuously growing, side by side with the expansion of e-commerce.

2.) Definition of the issue

Privacy can be defined as “the right of the individual to be protected against intrusion into his personal life or affairs, or those of his family, by direct physical means or by publication of information.”  This paper will focus purely on information privacy, also known as "data protection", which means the rules governing the collection and handling of personal data such as a person’s name, address, phone number, family status, social security or other identification number or even medical, financial or government records. Data protection concerns the process of gathering, storing, analysis and distribution of personal data. Privacy issues can be divided into relations with the public sector and with the private sector. In this paper, I will concentrate on the private sector, especially relevant because of the growing importance of e-commerce.

3.) Fundamentally different approaches in the US and the EU         

Europe and the US have very different approaches to data protection and privacy. In 250 years, nations on each side of the Atlantic have evolved their democracies into distinct forms of society and market economy. Differences in culture, policies and society are the consequence.

a.) Government Interference vs. Self-Regulation

As discussed in seminar one, there is an ongoing dispute regarding the approach in choosing an apt legal framework for the public and transnational sphere of cyberspace: Some scholars want governments to interfere as little as possible, others see the need for a unified legal framework. It seems that, concerning the privacy issue, the EU has chosen the latter option, by imposing a comprehensive, general law governing the collection, use and dissemination of data by public and private sector, whose enforcement is assured by an oversight body. The US tends to rely on sectoral laws, and on self-regulation for the rest.

b.) The Human Rights aspect

In most EU member states, the issue of privacy traditionally implies a human rights aspect. This approach has found its way into the 1995 Directive: According to its Article 1, it aims to protect the fundamental rights and freedoms of natural persons, in particular their right to privacy, with respect to the processing of personal data. The concept of privacy as a fundamental right can also be found in Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms 1950 (ECHR) and Article 8 of the EU Charter of Fundamental Rights of 7 December 2000.

Despite the fact that the “right to be let alone” is a principle of US law and the First, Third, Fourth, Fifth, Ninth, and Fourteenth Amendments contain elements of privacy rights, the right to informational privacy as a fundamental right is not acknowledged in the US. The data-processing industry argues against such a right by citing the Bill of Rights itself: The First Amendment, which guarantees free speech, is often invoked as an argument why the European approach would not work in the US: Since the freedom of speech is written down explicitly in the Bill of Rights, it is superior to the only implicitly mentioned right to privacy. The Supreme Court has held, though, that mere advertisement is lower speech and can be regulated, but the choice has to be given to the individual (opt-out). Data processors also invoke the Fifth Amendment, which guarantees the right to property, but this argument is even more controversial.

II. Privacy Law in Europe: a comprehensive, general law

1.) The Directives

The general opinion in Europe is that the legislator has a role in ensuring that individuals retain some degree of control over the use of their personal data. This role is played by balancing the interest that society has in protecting the privacy of the individual and the weight of commercial concerns. In addition, an intervention by the European legislator was seen as necessary for economic reasons: At the beginning of the 90's, some member states, for example Greece and Italy, did not have any privacy legislation at all, whilst in other member states personal data was strongly protected. This divergence threatened to inhibit the achievement of the Single Market. Therefore, the EU elaborated a framework constituting a comprehensive and general privacy law, to be implemented in the national laws of member states.

a.) The 1995 Directive

The drafting process of the Directive illustrates the conflicting ideas of member states. Despite the existence of the Council of Europe's Convention on the Automated Processing of Personal Data of 1981, it took member states 5 years to agree on a suitable legal framework: The initial Draft was introduced in 1990, and a redrafting took place in 1992. Divergences occurred between Germany's very strong human rights approach on the one side, and the UK, Denmark and Ireland, not wanting to go further than the Council's Convention of 1981, on the other side. Heavy lobbying by the banking sector and the medical research sector did not make things easier. Not till 1995 did the EU manage to enact the Data Protection Directive. The Directive aims to harmonise member states' laws, providing for a consistent level of protection for citizens in order to ensure the free flow of personal data within the EU. It applies to personal information in electronic as well as in manual files (Art. 2 c). It does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity (Art. 3) or in the course of an activity falling outside the scope of Community law, such as operations concerning public security, defence or State security. The terms “personal data” and “processing” are broadly defined, as can be seen in Article 2(a) and 2(b). Data subjects have rights established in explicit and enforceable rules. Every EU country has a data protection commissioner or agency enforcing the rules (Art. 28). The Directive also provides for remedies in case of its breach.

The basic principles established by the Directive are:

The right to know where the data originated;

The right to have inaccurate data rectified;

A right of recourse in the event of unlawful processing;

The right to withhold permission to use data in some circumstances.

In addition, individuals have the right to opt-out free of charge from being sent direct marketing material (Art. 14). Sensitive personal data relating, for example, to health, sex life or religious or philosophical beliefs is specifically protected (Art. 8).

Member states have to ensure that the personal information relating to European citizens has an adequate level of protection when it is exported to, and processed in, countries outside the EU (Art. 25). In relation to the US, this has led to the so-called “Safe Harbor” agreement, discussed below.

b.) The 2002 Directive

Originally, the Directive's sole aim was to strengthen privacy rights for individuals by extending the existing protections to a broader category of "electronic communications." But during the process, the Council of Ministers brought up the issue of data retention provisions for law enforcement purposes: Internet Service Providers and telecommunications operators should store logs of all phone calls, e-mails, faxes, and Internet activity. After initially strong opposition from Parliament, the change in the political climate after September 11, 2001 enabled the EU to adopt the new Privacy and Electronic Communications Directive, including the data retention provisions, on June 25, 2002.

Directive 2002/58/EC is part of the "Telecoms Package" governing electronic communications, which includes four other Directives on the general framework, access and interconnection, authorisation and licensing, and the universal service. It repeals Directive 97/66 EC on Telecommunications Privacy.

Member states must ensure the confidentiality of communications made over a public communications network by prohibiting listening, tapping and storage of communications by persons other than users (Art. 5).

Regarding data retention, member states may withdraw data protection to allow criminal investigations or safeguard national security, defence and public security, but only where it constitutes a "necessary, appropriate and proportionate measure within a ...