Directive 2002/58/EC is part of the "Telecoms Package" governing electronic communications, which also includes four other Directives (on the general framework, access and interconnection, authorisation and licensing, and universal service), and repeals Directive 97/66/EC on telecommunications privacy.
Member states must ensure the confidentiality of communications made over a public communications network by prohibiting listening, tapping and storage of communications by persons other than users (Art. 5).
Regarding data retention, member states may withdraw data protection to allow criminal investigations or to safeguard national security, defence and public security, but only where this constitutes a "necessary, appropriate and proportionate measure within a democratic society" (Art. 15(1)).
The Directive takes an "opt-in" approach to unsolicited commercial electronic communications (SPAM), i.e. users must have given their prior consent before such messages are addressed to them. This system also covers other electronic messages (SMS) received on any fixed or mobile terminal (Art. 13).
Marketers must use legitimate addresses and include an easy way to opt out in every message (Art. 6(3) and 13(2)). Records of subscribers' traffic must be erased when the information is no longer necessary for the purpose of billing the communication (Art. 6(1)). Online traffic and location data may only be held in the consumer's name for the duration of the billing period or the length of the contract. For further processing, or for further use in marketing, the data may only be used anonymously (Art. 9(1)).
Subscribers must be informed of the purpose of any directory including private information. The ability to review and withdraw from any directory must be provided free of charge (Art. 12).
With regards to cookies, the Directive stipulates that users should have the opportunity to refuse to have a cookie or similar device stored on their terminal equipment. To that end, users must also be provided with clear and precise information on the purposes and role of cookies (Art. 14).
The Directive stipulates that European citizens will have to give prior consent in order for their telephone numbers (fixed or mobile), e-mail address and physical address to appear in public directories.
2.) Overview of the transposition in the member states
Concerning the 1995 Directive, implementation was a slow process. The Commission had to act against some of the member states before the Court to force them to implement the Directive.
The first report from the Commission on the implementation of the 1995 Directive shows that the Directive managed to establish a level of harmonisation, so that the Internal Market is not inhibited further. But the former divergences survive in the different ways the Directive has been transposed into national laws, and according to the Commission's Report, although they do not violate EU law, the gaps are still judged too big. The overall policy objectives that go beyond mere free movement, namely to provide a level playing field for economic operators in different member states, to simplify the regulatory environment in the interests of both good governance and competitiveness, and to encourage cross-border activity within the EU, are not fulfilled. Representatives of business interests continue to complain that disparities prevent multinationals from developing pan-European policies on data protection.
As to the 2002 Directive, it is too early to give an overall assessment of the implementation process, the deadline having elapsed only last month. But according to the eighth implementation report on the regulatory package, action needs to be taken to improve the low level of harmonisation regarding the retention of traffic data in the member states, both for billing and for other purposes, since it entails a financial burden on operators and has an impact in particular on cross-border players.
- The Approach of the US: Sectoral Approach and Self-Regulation
A general regime of data protection does not exist in the US. The patchwork of regulations that constitutes US data privacy law consists of some sectoral state and federal laws, containing more exceptions than principles, and of the encouragement of self-regulation, especially seal programs such as TRUSTe or BBBOnline. E-commerce legislation is a delicate topic in the US; the administration has therefore traditionally concluded that a general regulation would be inappropriate, given how swiftly e-commerce is evolving, and has instead sought to encourage self-regulation in areas such as privacy, in the belief that self-regulation would be more flexible and responsive. At present, the US has therefore opted against a general regime. But some changes in attitude can currently be seen, as discussed below.
1.) Constitutional Provisions
As mentioned, the Supreme Court has ruled that there is a limited constitutional right of privacy based on several provisions in the Bill of Rights. This includes a right to privacy from government surveillance in an area where a person has a "reasonable expectation of privacy". But a right to information privacy does not seem to be included. The case Whalen v. Roe can be cited as an example: there the Supreme Court upheld a statute requiring physicians to submit a copy of prescriptions for abused drugs to the state for inclusion in a centralised computer file, arguing that this experiment was a legitimate exercise of the state's police power. Data held not by the state but by third parties are only protected if a special law is enacted in that field, and even then such laws often collide with the First Amendment rights of the holder and user of the records. The legislator often refrains from enacting such laws, relying on the self-regulating mechanisms of the free market. Some states have incorporated explicit privacy protections into their state constitutions.
2.) A sectoral approach in the private sector: US federal and state laws
A patchwork of federal laws covers some specific categories of personal information. The Privacy Act of 1974 protects records held by US Government agencies and requires agencies to apply basic fair information practices. These principles are actually quite similar to the principles incorporated into the 1995 Directive: transparency, finality, access, security, data quality and limits on data collection. Beyond that, sectoral laws cover the protection of financial records, health information, credit reports, video rentals, cable television, children's (under age thirteen) online activities, educational records, motor vehicle registrations, and telemarketing.
There is also a variety of sectoral legislation at the state level that may give additional protections to citizens of individual states. The tort of privacy was first adopted in 1905, and 48 of the 50 states recognise a civil right of action for invasion of privacy in their laws.
- Self-Regulation
Self-regulation can take the form of seal programs such as TRUSTe. It can also lead to industry guidelines or professional monitoring organisations other than seal programs. Safe harbors, discussed in detail below, are also based on self-regulation.
All different kinds of self-regulation mechanisms are widely spread in the US.
- Enforcement and Oversight
US Laws do not provide for an independent privacy oversight authority. The Office of Management and Budget plays a limited role in setting policy for federal agencies under the Privacy Act, but it has not been particularly active or effective. The Bush Administration has eliminated the position of the “Chief Counselor for Privacy” as an advisor within the Office of Management and Budget.
The Federal Trade Commission (FTC) has oversight and enforcement powers for some sectoral laws but has no general authority to enforce privacy rights. It can issue opinions if it receives complaints, but does not always do so. The agency has sought additional powers to pursue cross-border fraud, much of which involves privacy-invasive telemarketing or spam.
The FTC's actions under federal "unfair and deceptive" practices law essentially have created a "common law" of privacy in the country. Thus, when the agency brings suit against a company for certain privacy-invasive practices, it can have industry-wide effect. For example, the recent case “American Student List” is likely to change many common industry practices. That case stands for the proposition that federal law is violated where companies conceal or omit material secondary uses of personal information, a common practice of many private-sector profilers.
5.) The current debate on state and federal level: comprehensive laws or self-regulation?
There has been significant debate in the US in recent years about the development of privacy laws covering the private sector.
The private sector seems to maintain that self-regulation is sufficient and that no general law should be enacted. Nevertheless, this usually categorically held position seems to be undergoing some change. Several industry spokespeople, including Intel's Chairman Andrew Grove, have lately been supportive of federal Internet privacy legislation in order to stave off the states' recent efforts to enact such protections on their own. The government, receiving contradictory reports, is indecisive: whilst in 1998 it was still arguing for self-regulation, in 2000 the FTC recommended in a report to the US Congress that legislation is necessary to protect consumer privacy on the Internet, but according to a recent speech by the FTC's new chairman, more study is necessary. The academic world is of course divided. Congress has been trying hard to improve privacy since January 2001, introducing bill after bill in the House and the Senate.
On a state law level, Massachusetts and Hawaii have considered privacy bills for the private sector. Some states have passed privacy laws similar to European standards, for example Minnesota enacted a bill requiring Internet Service Providers to obtain user authorisation before using personal information for secondary purposes and North Dakota established opt-in protections for financial information.
6.) Examples illustrating the weakness of the US approach
In the recent past, several profitable companies, including eBay.com, Amazon.com and Yahoo.com have either changed users' privacy settings or have changed privacy policies to the detriment of users. A series of companies, including Intel and Microsoft, were discovered to have released products that secretly track the activities of Internet users. In several cases, TRUSTe ruled that the practices compromised consumer trust and privacy but did not violate its privacy seal program.
Significant controversy arose around “online profiling”, the practice of advertising companies to track Internet users and compile dossiers on them in order to target banner advertisements. The largest of these advertisers, DoubleClick, attached personal information from a marketing firm it purchased to about 100 million previously anonymous profiles it had collected. The company backed down due to public opposition, a dramatic fall in its stock price and investigations from the FTC and several state attorneys general. In July 2000 the FTC reached an agreement with the Network Advertisers Initiative, a group consisting of the largest online advertisers including DoubleClick, which will allow for online profiling and any future merger of such databases to occur with only the opt-out consent. In January 2001, the FTC dropped its investigation of DoubleClick.
These cases show that self-regulation can only work if breaching the rules costs the business more, either directly through damages or indirectly through declining competitiveness, than respecting them. This is the rule of the market. As long as there is no enforcement, this will not be the case.
In fact, legislative action would solve two persistent problems found in self-regulatory efforts: the lack of enforceability and thus the lack of incentive.
V. Dataflow between the systems
One might think that data protection laws could be circumvented by simply transferring personal information to third countries with no or less rigid data protection law, where it could then be processed without any limitations. To avoid this, most data protection laws include restrictions on the transfer of information to third countries unless the information is protected in the destination country; see for example Article 12 of the Council of Europe's 1981 Convention. Article 25 of the 1995 Directive, for the same reason, imposes an obligation on Member States to ensure that any personal information relating to EU citizens is protected by law when it is exported to countries outside Europe. The Directive allows the export of data under two circumstances: either the data is contractually protected, or the jurisdiction to which it is exported provides "adequate" protection.
1.) Contractual Protection
Contractual protection is suitable only for some forms of data transfer (for example personnel records). The EU has finalised a set of model contractual clauses. By incorporating such clauses, personal data can flow from Member States to non-member states.
The standard clauses can be found in the Annex to Commission Decision 2002/16/EC.
2.) Adequate Protection
The Data Protection Directive provides for the process by which adequacy or non-adequacy is to be determined. Substantive rules and methods of enforcement must be in place in the country in question. The Commission, under Article 25(6) of the Directive, may find that a third country gives an adequate level of protection "by reason of its domestic law or of the international commitments it has entered into." If the level of protection in the third country is inadequate, Member States are to prevent data transfers to that third country (Article 25(4)) and the Commission will enter into negotiations with the third country (Article 25(5)). The "international commitments" provided by a third country may result directly from these negotiations; indeed the language of the relevant clause seems to suggest that this is the primary sense of the term as employed in the Directive. In its negotiations with a third country, the Commission must also consult the "Article 31 Committee", which is composed of representatives of the member states and chaired by the Commission. If the Commission and the Committee disagree, the Council becomes involved. The Parliament monitors compliance with the procedure.
VI. The Safe Harbor Principle: A solution for the Data flow between the US and the EU?
- History and Main Principles
Although the Commission never issued a formal opinion on the adequacy of privacy protection in the US, it was clear from the beginning that the US was unlikely to be considered an "adequate" jurisdiction. The EU commissioned two prominent US law professors to write an expert report, which highlighted many gaps in US protection.
The US first strongly lobbied the EU and its member countries to find the US system adequate, but then, in 1998, engaged in serious discussions and began negotiating with the EU in order to ensure the continued transborder flow of personal data. The idea of the "Safe Harbor", initially proposed by Ambassador David Aaron, Under-secretary for International Trade in the Department of Commerce, was that US companies would voluntarily self-certify their adherence to a set of privacy principles worked out by the US Department of Commerce and the Internal Market Directorate of the European Commission. These companies would then enjoy a presumption of adequacy and could continue to receive personal data from the EU. Negotiations on the drafting of the Safe Harbor principles lasted nearly two years and were the subject of bitter criticism by privacy and consumer advocates.
Although the EU Parliament voted for re-negotiation, the Commission approved the agreement. The Commission did, however, promise to re-open negotiations on the arrangement if the remedies available to European citizens proved inadequate. EU member states were given 90 days to put the Commission's decision into effect, and US companies began joining Safe Harbor in November 2000. As of today, over 400 companies have joined.
The main principles of the agreement are:
All signatory organisations must provide individuals with "clear and conspicuous" notice of the kind of information they collect, the purposes for which it may be used, and any third parties to whom it may be disclosed. This notice must be given at the time of the collection of any personal information or "as soon thereafter as is practicable."
Individuals must be given the ability to choose (opt out of) the collection of data where the information is either going to be disclosed to a third party or used for an incompatible purpose. In the case of sensitive information, individuals must expressly consent (opt in) to the collection.
Organisations wishing to transfer data to a third party may do so if the third party subscribes to Safe Harbor or if that third party signs an agreement to protect the data.
Organisations must take reasonable precautions to protect the security of information against loss, misuse and unauthorised access, disclosure, alteration and destruction.
Organisations must provide individuals with access to any personal information held about them, and with the opportunity to correct, amend, or delete that information where it is inaccurate. This right is to be granted only if the burden or expense of providing access would not be disproportionate to the risks to the individual's privacy or where the rights of persons other than the individual would not be violated.
Personal information must be relevant for the purposes for which it is to be used. An organisation should take reasonable steps to ensure that data is reliable for its intended use, accurate, complete, and current (data integrity).
Enforcement of the agreement must be maintained by implementing a dispute resolution system that will resolve complaints and ensure compliance to the agreement.
2.) Enforcement
Enforcement of the safe harbor will take place primarily in the United States under U.S. law.
The private sector will be responsible for regulating itself under the seven principles set forth in the agreement. As part of their obligations under the agreement, organisations are required to have a dispute resolution system in place that will investigate and resolve individual complaints for all consumers and verify compliance with the agreement. Organisations may alternatively sign up to third-party dispute resolution bodies, which should fulfil certain stated criteria, or commit to collaborate with data protection authorities within the EU member states; in future they may also be able to commit to work together with appropriate US regulatory authorities.
Government enforcement will come ultimately from the Federal Trade Commission. The FTC has oversight powers under the FTC Act: signing up to Safe Harbour is a public commitment, and firms which fail to abide by such commitments can be penalised. The same is true of third party dispute resolution bodies, insofar as they act on behalf of for-profit bodies. The FTC has undertaken to deal with complaints from third party dispute resolution bodies and from European data protection authorities on an accelerated basis. Under certain restricted circumstances, EU data protection authorities can still block the flow of data. Further, the Safe Harbor arrangement itself is a unilateral determination of adequacy on the part of the EU rather than an international agreement, which means that it can be suspended or abrogated unilaterally if it is clear that it is not working.
3.) Criticism
Privacy advocates and consumer groups both in the US and Europe are highly critical of the European Commission's decision to approve the agreement, which they say will fail to provide European citizens with adequate protection for their personal data. The agreement rests on a self-regulatory system whereby companies merely promise not to violate their declared privacy practices. There is little enforcement or systematic review of compliance. The Safe Harbor status is granted at the time of self-certification. There is no individual right to appeal or right to compensation for privacy infringements. There is an open-ended grace period for US signatory companies to implement the principles. The agreement will only apply to companies overseen by the FTC and Department of Transportation (excluding the financial and telecommunications sectors) and there are special exceptions granted for public records information protected by EU law.
In February 2002, the European Commission issued a report on the practical operation of the EU-US Safe Harbor Agreement. This was the first report to evaluate the success of the agreement. It concluded that all the essential elements of the agreement are in place and that a structure exists for individuals to lodge complaints if they feel their rights have been infringed. It did find, however, that there is not sufficient transparency among the organisations that have signed up to Safe Harbor and that not all dispute resolution providers relied on to enforce Safe Harbor actually comply with the privacy principles in the agreement itself. In July 2002, the working paper issued by the Art. 29 Working group expressed its intention to study the agreement in further detail with particular regard to "possible gaps between the principles... and the implementing practices" and also "the transparency requirements to be met by organisations." The Working Party called on all authorities, organisations and companies concerned to enhance compliance and awareness of the Agreement.
- Conclusion
Both the EU and the US approach aim not to unnecessarily inhibit commerce, limit freedom of expression, or hamper law enforcement. Both systems provide for minimum standards. Nevertheless, the tools chosen to achieve that goal are completely different. The reason for this is a fundamentally different legal culture. US liberalism entails a fear of over-regulation, leading to a considerable lack of enforceable law. The US fear of over-regulation is contrasted by the need for regulation in the EU in order to achieve the Single Market.
Another reason for the divergence in approach is that different aspects of data protection are weighed differently: privacy as a human right outweighs mere commercial interests according to the EU approach, whilst this is not necessarily the case in the US. Privacy not being an explicit fundamental right under US law, this right is not on the same hierarchical level as the right to free speech or the right to property. Therefore, groups with strong commercial interests, such as the data processing industry, can hide behind arguments drawn from the Bill of Rights itself.
The Safe Harbour agreement does not really manage to balance out these differences. In addition, its implementation does not seem to work very well. But at least the negotiations have shown that, even if only for pragmatic reasons, both the EU and the US are willing to make some sort of concession and willing to negotiate and re-negotiate.
Finally, some changes can be noticed in the internal debate in the US: it does not seem that a federal privacy law is categorically excluded. The future will tell.
Cookies are hidden information exchanged between an Internet user and a web server, and are stored in a file on the user's hard disk. Their original purpose was to retain information between sessions, but they are also a useful and much decried tool for monitoring a net surfer's activity.
Jared Strauss & Ken Rogerson, Policies for Online Privacy in the US and the EU, Duke University;
Report of the Committee on Privacy and Related Matters, Chairman David Calcutt QC, 1990, Cmnd. 1102, London: HMSO, at 7. cited at
Jared Strauss & Ken Rogerson, supra FN 2.
Council of Europe, Convention for the Protection of Human Rights and Fundamental Freedoms, (ETS No: 005) open for signature November 4, 1950, entry into force September 3, 1950, available at .
Susan E. Gindin, Lost and Found in Cyberspace,
Andrew Charlesworth, Data Privacy in Cyberspace in: Law and the Internet (editors: Edwards and Waelde)
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of such Data, available at .
Directive 2002/58/EC of the European Parliament and the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications)
2439th Council meeting, Luxembourg, June 25, 2002. Transcripts of proceedings available at .
Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), available at http://www.ceecprivacy.org/pdf/e-comun.pdf
Directive 97/66/EC of the European Parliament and of the Council of 15 December 1997 on the Processing of Personal Data and the Protection of Privacy in the Telecommunications Sector (Directive), available at
EU member countries were required to enact implementing legislation by October 1998. As of the summer 2002, however, several are still pending.
Summary of the EU Spam provisions:
The Commission decided in December 1999 to take France, Germany, Ireland, Luxembourg and the Netherlands to the European Court of Justice for failure to notify all the necessary measures to implement Directive 95/46. In 2001 the Netherlands and Germany notified and the Commission closed the cases against them. France notified the data protection law of 1978 so that the proceedings for non notification against that state were dropped. France announced at the same time its intention to pass a new law that is not yet adopted. In the case of Luxembourg, the Commission action has led to this Member State being condemned by the Court of Justice for failure to fulfil its obligations. The Directive was then implemented with a new law that entered into force in 2002. Ireland notified a partial implementation in 2001; a complete bill has however recently been passed. The implementation status in Member States is available at:
Report of the Commission on the implementation of the 1995 Directive, May 2003,
Seal Programs establish criteria for judging privacy practices. Web sites can apply to these programs, and, if a site's privacy policy meets the program's requirements, the site can pay a fee to display the program's seal.
Henry Farrell, Negotiating Privacy across Arenas: The EU-US "Safe Harbor" Discussions,
Katz v. United States, 386 U.S. 954 (1967).
Susan E. Gindin, Lost and Found in Cyberspace,
429 US 589 (1977), cited by Charlesworth, supra FN9
The First Amendment guarantees the freedom of speech.
Charlesworth citing US v. Miller, 425 US 435 (1976).
Marc Rotenberg, The Privacy Law Sourcebook: US Law, International Law, and Recent Developments, cited at
Privacy Act, Pub. L. No. 93-579 (1974), codified at 5 USC § 552a, available at .
Right to Financial Privacy Act, Pub. L. No. 95-630 (1978); Standards for Privacy of Individually Identifiable Health Information, 45 CFR Parts 160 and 164, promulgated under the Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191; Fair Credit Reporting Act, Pub. L. No. 91-508 (1970), amended by Pub. L. No. 104-208 (1996), available at ; Video Privacy Protection Act, Pub. L. No. 100-618 (1988); Cable Privacy Protection Act, Pub. L. No. 98-549 (1984), available at ; Family Educational Rights and Privacy Act, Pub. L. No. 93-380 (1974), available at ; Drivers Privacy Protection Act, Pub. L. No. 103-322 (1994), available at ; Telephone Consumer Protection Act, Pub. L. No. 102-243 (1991).
Robert Ellis Smith and Privacy Journal, Compilation of State and Federal Privacy Laws (2002 ed.) .
Lake v. WalMart Stores, Inc., 582 N.W.2d 231 (Minn. 1998), for a review of state adoption of common law privacy torts, cited at
The laws protecting children's online privacy, consumer credit information and fair trading practices.
FTC's cross-border fraud workshop, .
Federal Trade Commission, High School Student Survey Companies Settle FTC Charges, Oct. 2, 2002 , cited on http://www.privacyinternational.org/survey/phr2003/countries/unitedstates.htm
http://www.privacyinternational.org/survey/phr2003/countries/unitedstates.htm
http://www.privacyinternatioal.org/survey/phr2003/countries/unitedstates.htm
Privacy Online: Fair Information Practices in the Electronic Marketplace: A Federal Trade Commission Report to Congress (May 2000), available at .
http://www.ftc.gov/speeches/muris/privisp1002.htm
http://www.privacyinternational.org/survey/phr2003/countries/unitedstates.htm
http://www.privacyinternational.org/survey/phr2003/countries/unitedstates.htm
http://www.privacyinternational.org/survey/phr2003/countries/unitedstates.htm
See Big Brother Inside Campaign .
Microsoft case cited by Charlesworth, supra FN 9; www.truste.com/users_w1723.html
See EPIC DoubleClick Pages .
Council of Europe, Convention for the Protection of Individuals with regard to the Automatic Processing of Personal Data, 1981, available at
It states: “The Member States shall provide that the transfer to a third country of personal data which are undergoing processing or are intended for processing after transfer may take place only if the third country in question ensures an adequate level of protection.”
Henry Farrell, supra FN 29
Paul M. Schwartz and Joel R. Reidenberg, Data Privacy Law (Michie 1996), cited at
Henry Farrell, supra FN 29
See, e.g., Public Comments Received by the US Department of Commerce in Response to the Safe Harbor Documents, April 5, 2000, available at .
European Parliament Resolution on the Draft Commission Decision on the Adequacy of the Protection Provided by the Safe Harbour Privacy Principles and related Frequently Asked Questions issued by the US Department of Commerce, available at .
Commission Decision on the adequacy of the protection provided by the Safe Harbour Privacy Principles and related Frequently Asked Questions issued by the US Department of Commerce, available at .
See http://www.export.gov/safeharbor/SHPRINCIPLESFINAL.htm for the final text of the agreement.
Henry Farrell, supra FN 29
See, e.g., the earlier Statement of the Transatlantic Consumer Protection Dialogue on US Department of Commerce Draft International Safe Harbor Privacy Principles and FAQs, March 30, 2000, available at .
European Commission Staff Working Paper, February 2002, Working Paper SEC (2002) 196
http://reidenberg.home.sprynet.com/Safe_Harbor.htm
"Working Document on the Functioning of the Safe Harbor Agreement," Article 29 Data Protection Working Party, 11194/02/EN, July 2, 2002, available at