I. INTRODUCTION
Internet users in the United States and the European Union ("EU") often debate the state of international data privacy, while scholars and companies also present questions to the Internet community regarding the regulation of data privacy and the amount of regulation required in the U.S. Inquiries range from how to determine the necessary degree of regulation and how to implement regulations to how to enforce any regulations that the U.S. lawmakers2 may pass. Historically, the EU and the U.S. approach data3 privacy regulations in diametrically opposed ways.4 While the EU relies primarily on legislation and heavy regulation, the U.S. has adopted a market-based, self-regulatory approach to data privacy.5 The EU further distinguishes itself from the U.S. by implementing an approach that guarantees its citizens protection of their "fundamental rights."6 Such protection allows for strict governmental control of information flow. The U.S., on the other hand, does not recognize data privacy as a fundamental right, employing instead a less prophylactic approach than that taken by the EU.7
Despite these ideological differences, the EU codified its "fundamental right" principle in 1998 when it enacted Directive 95/46 (the "Directive"). With the Directive, the EU created a broad, overarching piece of legislation that gives significant power to the individual with regard to use of her personal information. First, it purports to create uniformity in EU data practices by requiring companies to inform consumers of what they plan to do with the personal information which they collect from their websites.8 Second, in so doing, the Directive requires the respective companies to secure affirmative consent from consumers to collect, use, and disseminate this information.9 Third, once companies obtain consent, they must document and register the consent with local "data authorities" who retain the information in their own databases.10 Fourth, during this process, the Directive allows individuals to access their information and allows them to request amendments and/or corrections to their data.11 Finally, the Directive also allows individuals to know the identity of the companies collecting their data.12 Assuming that the company uses the information consistent with its stated purpose, the Directive then requires the company to relinquish information that has already been used.13 In the international context, the Directive explicitly bars data transfers to other countries that do not provide "adequate" data protection, as defined by the Directive.14
In promulgating the Directive, the EU broadened the distinction between the U.S. and EU approaches to Internet privacy, ultimately presenting global companies with a conundrum concerning the appropriate method to use.15 The competing U.S. and EU ideologies create a unique yet frustrating problem for Internet companies around the world,16 including both brick-and-mortar stores as well as "virtual" companies.17 Business globalization, together with e-business growth, creates situations in which one country's laws may have substantial effects upon those of another country.18
This Note focuses on the Directive's effect on the United States. This Note argues that implementing a similar omnibus system in the U.S. is not feasible.19 The Directive is a facade rather than an actual, workable solution to privacy concerns. Although some scholars offer significant policy arguments in favor of implementing more regulation in the U.S., the inquiry should be limited to whether the U.S. really needs stricter privacy regulations and, more importantly, whether the U.S. legal framework places constraints on implementing such broad legislation instead of self-regulation. U.S. policymakers should strive to find a workable, reasonable solution that fits within the constructs of existing values and norms in the privacy arena rather than institute an extremely rigid and unworkable solution. This Note also contends that the EU Directive 95/46, from a practical standpoint, is not a feasible solution for the U.S. Further, the Directive is not what it purports to be, because the Directive is not as uniform as its proponents claim, nor does the EU strictly enforce it. Ultimately, EU and U.S. privacy advocates who encourage similar legislation in the U.S. appear naked without their clothes, much like the ill-fated emperor, because they encourage legislation that will never function in reality.
Prior to analyzing this question, it will be helpful to understand its relevance. Therefore, Part II of this Note provides background to the U.S. and EU systems and outlines faults in the EU system. Part III of this Note focuses on the inherent value of information to companies, and the reasons why data transfer restrictions create considerable problems for on-line companies. In Part IV, this Note details the EU approach to on-line data privacy, the traditional U.S. approach of market-based self-regulation and the Safe Harbor approach. Parts V through VII of this Note address the fact that a true EU-style model will not function properly within the U.S. legal framework. In addition, Parts V, VI, and VII contend that a carbon-copy EU-style model will: (1) interfere with the free flow of information, (2) lack uniformity, and (3) lack appropriate enforcement mechanisms. Finally, in Part VIII, this Note argues that, because of the concerns raised, an EU-style regulation is not a real solution for data privacy concerns in the U.S.
II. BACKGROUND ON THE U.S. AND EU APPROACHES TO DATA PRIVACY
The Directive's introduction prompted U.S. privacy advocates to encourage similar legislation in this country as part of a more active stance toward privacy regulation.20 Many of these privacy advocates look to the Directive as the "code" to which all companies should conform their privacy practices.21 Other advocates argue that the current U.S. market-based approach is unsound and ineffective.22 Finally, some U.S. privacy advocates foresee an EU-style system functioning effectively in the U.S. and conforming to the U.S. legal infrastructure.23
As a result of this debate among privacy advocates, the Federal Trade Commission, representing the U.S., negotiated with the EU to create some semblance of compromise.24 These negotiations produced the "Safe-Harbor" Principles25 (the "Safe Harbor"), a voluntary set of guidelines under which U.S. companies can certify to consumers26 that they will follow certain articulated guidelines for Internet privacy. Proponents heralded the Safe Harbor27 as a means for U.S. companies to conduct business in Europe without adhering to each of the Directive's provisions,28 because it essentially created a backdoor route for U.S. companies to fulfill the Directive's "adequacy" requirement.29 Seven fundamental principles comprise the Safe Harbor30: (1) notice, (2) choice, (3) onward transfer, (4) security, (5) data integrity, (6) access, and (7) enforcement.31
Through the Safe Harbor, the FTC tried to create a quasi-EU regime, while still providing companies with some leverage in utilizing consumer information for marketing purposes.32 Despite the long negotiations between EU representatives and their U.S. counterparts and their attempts to create a set of regulations that strikes a balance between the two approaches to data privacy, scholars and companies have debated the effectiveness and functionality of the Safe Harbor approach.33 These debates reflect concerns that joining the Safe Harbor often creates more problems than not joining.34 Certification under the Safe Harbor automatically subjects U.S. companies to FTC jurisdiction, along with the jurisdiction of the EU and each member state.35 Theoretically, the FTC, the EU, or any member state can all raise claims against members of the Safe Harbor.36 This increased potential for litigation constitutes an obvious disincentive for any company to join the Safe Harbor despite the attempt to retain some flexibility for companies under the Safe Harbor provisions.37
Substantial ramifications arise from this disincentive to join the Safe Harbor. Although the Safe Harbor purports to encourage a more respectful on-line environment, the reality is that an insignificant number of U.S. companies certify themselves under the Safe Harbor.38 Even with industry giants such as Microsoft and Hewlett-Packard certified under the Safe Harbor, the number of U.S. companies currently certified remains small.39 Consequently, the Safe Harbor's future remains unclear as to whether more companies will join its ranks. This lack of participation creates a problem because certified companies must compete on unequal planes, thereby creating a substantial adverse economic effect on companies and their direct marketing strategies.40
However, in the new economy, the access and use of consumer data are invaluable,41 because many U.S. direct marketing corporations rely on the ability to collect and analyze data for their economic viability.42 The value proposition43 for many companies lies in the fact that consumers allow them to collect, disseminate, and mine44 their customer information.45 In some cases, these data are the company's only asset.46 Thus, the costs of compliance with an EU-style regime endanger the economic success of many American companies.47 In addition, a dearth of hard evidence exists that the alleged "abuse" by corporate America adversely affects consumers so as to necessitate broad regulation.48
In spite of these concerns, data collection practices constitute the lifeblood of the direct marketing industry in the U.S.49 Following the EU's lead would therefore essentially put this country one step closer to George Orwell's vision in 1984, not only from a business perspective, but also from a perspective of greater government influence over personal privacy.50 This government control would occur because the central provisions of the EU legislation give the government greater control over personal data, despite information privacy being characterized as a fundamental human right.51 The Directive effectively expands government influence rather than curtails it, which directly conflicts with widely held American values regarding personal privacy.52 Historically, U.S. citizens distrust the government with their personal information more than they distrust individuals.53 Consequently, it seems counterintuitive that advocates seek to vest additional power in the government to control their personal data via an EU-style regulatory framework.54 Implementing an EU-style regulation in the U.S. as a binding provision on companies makes little sense. U.S. companies already face significant consequences for joining a nonbinding approach like the Safe Harbor, and implementing a system like the Directive in the U.S. is therefore likely to prove problematic.55
III. THE INHERENT VALUE OF INFORMATION
Information possesses inherent value for companies. In the digital age, companies collect and process massive amounts of information in previously unavailable ways,56 as the Internet makes the collection of personal information much easier via cookies,57 click stream data,58 on-line surveys,59 and registration forms,60 in addition to other data collection tools. As a result, companies can collect information in a quicker, more efficient, and less expensive manner.61 This information collection provides invaluable benefits to both Internet companies and brick-and-mortar companies62 due to the high premium for information on the open market. In other words, the essence of effective business in the information economy is in efficient information control practices.63 Timely, refined customer information gives companies a strategic advantage in the virtual marketplace because it provides companies with a powerful weapon over competitors in developing marketing strategies.64 In fact, the future of an on-line business depends on its ability to secure information.65 As one commentator has noted:
Companies engaging in electronic commerce have a significant interest in personal data, and its transfer online. Transborder data flow has become indispensable to the very existence of transnational enterprise and to the currently flourishing global marketplace. . . . [I]nformation is the lifeblood that sustains political, social, and business decisions.66
Quality information control practices remain pivotal to customer service. For example, information gathering gives companies the ability to target products and advertisements specifically to their customers.67 Additionally, free-flowing information allows companies to profile their customers more effectively in order to provide the goods and services that consumers want.68 All of these benefits keep the direct marketing industry alive. As noted above, however, while the marketplace places a high value on information, the EU and the U.S. take very different paths in the procurement, propagation, and most importantly, the protection of personal information collected on the Internet.69
IV. FRAMEWORK OF THE EU AND U.S. MODELS FOR DATA PROTECTION
A. The EU Approach
The EU approaches data privacy in a much more robust fashion than its U.S. counterpart.70 Instead of relying on social norms or on a market-based laissez-faire system, the EU enacted broad legislation and promulgated regulations that significantly affect data flow across national borders.71 Unfortunately for its U.S. counterpart,72 the EU regulations impose stricter standards than the morals of the marketplace. Ultimately, the EU system rests on the foundation that information privacy is a fundamental human right,73 and it also allows individuals to control the way in which companies collect and use their information. As one commentator noted:
The EU Directive recognizes privacy as a fundamental human right. The EU Directive's guidelines for information privacy are: personal data is collected for specific legitimate purposes; the data must be relevant, accurate, current, not excessive and kept no longer than necessary; personal data may be processed only if the Internet user has unambiguously given consent (or under specified exceptions); member states must establish supervisory bodies, (e.g., commissions, regulatory agencies) and remedies for a breach of privacy rights; and, transfer of data to a third country is restricted unless the third country has an adequate level of protection for data privacy.74
At a conceptual level, Europeans are traditionally more apprehensive about free transfer of personal information to companies or other individuals.75 Accordingly, the EU uses a prophylactic approach with regard to abuse of personal information.76 As part of this approach, the Directive provides exacting standards that the member states and companies must meet before companies in those states can collect and use personal information from EU citizens.77 It requires: 1) that personal ownership of information and consent to use this information be shown, 2) that the information be used for its specified purposes, and 3) that companies provide an "adequate" level of protection.
1. Personal Ownership and Consent
The Directive provides for personal ownership of data, individual access rights to data from data controllers, and individual consent to the use of personal data.78 Member state laws must allow data subjects to "correct, erase or block the transfer of inaccurate or incomplete data," and they must allow for the erasure of personal data without cost.79 The Directive requires that companies use personal information only for "specific and clearly stated purposes" when conducting business in the EU.80 It further mandates that companies obtain individual consent before information may be collected.81 The Directive requires that companies must not only obtain consent from each individual, but also that they verify this consent with a data authority82 before processing the information. Once a company collects personal information, the Directive imposes additional constraints on the use of this information and the length of time a company may retain this information.83
2. Data Can Be Used Only for Specified Purposes
The Directive imposes additional controls by requiring that companies use data for only those purposes that the business previously identified.84 Ultimately, the specific use requirements of the Directive impose stricter data controls on data transfer than those currently applied in the U.S. While this does not pose a significant problem within the EU, it creates substantial problems in the international context, particularly in information transfers between the EU and the U.S., because any collected information must be destroyed immediately after its use. This practice deprives companies of valuable information and causes tensions in the international context when one analyzes the "adequacy" requirement.
3. The Adequacy Requirement
The Directive states that countries outside of the EU must provide an "adequate" level of protection before they can collect and disseminate information gathered from EU citizens.85 The Directive does not, however, provide a bright-line definition of "adequate." Because the term is open to extensive interpretation, the Directive ultimately forces companies to attempt to conform their behavior to a highly subjective standard.
The Directive grants member states a certain amount of autonomy in deciding what level of privacy protections they may invoke to meet the adequacy requirement. Provided that the protections remain at a level at least equal to the minimum requirements of the Directive,86 member states remain free to institute policies and regulations that are more demanding than those required by the Directive.87 At least in theory, the Directive's adequacy requirement creates the potential for ten to fifteen independent data privacy policies within the EU, rather than a single cohesive piece of legislation.88
B. The U.S. Approach
Reconciliation between the EU and the U.S. approaches to privacy regulation remains difficult because of their contrasting core values regarding personal privacy over the Internet.89 Both the EU and the U.S. recognize the privacy needs of consumers. The U.S. system, however, balances personal privacy interests against the competing legitimate economic interest in collecting and utilizing public information for business purposes.90
Unlike the EU, the U.S. adopts a self-regulatory approach to Internet privacy regulation, dictated by the morals of the marketplace.91 Grounded primarily in industry norms and industry reactions to market pressures, the U.S. has not adopted the same broad, prophylactic rule.92 Generally, the U.S. prefers less government interference with privacy rights and prefers less overarching legislation.93 Because U.S. history indicates a disdain for broad, omnibus data privacy legislation, this country arguably views overarching legislation as the least-preferred method in most situations.94 Therefore, privacy advocates clash with the industry leaders who argue that larger government influence is inapposite to American values.95 Couched in distrust of large government and the belief that the government should first show actual interest in regulating privacy, the U.S. system differs from that of the EU.
1. Distrust of Large Government96
The possibility of the government surreptitiously monitoring individual behavior or controlling personal information concerns many Americans.97 The general distrust of a large and powerful government,98 with unfettered discretion to monitor potential impositions on privacy, leads courts to scrutinize proposed privacy regulations carefully.99 Relying more on market controls and self-regulation, a less-is-more approach to governmental control over private information underlies American privacy law.100
2. The Government Must Show Some Actual Interest in Regulating Privacy
Whether infringement arises from actual monitoring of behavior or via strict regulations or laws, courts generally require the government to show more than a modicum of interest in regulating privacy.101 Instead, the government must demonstrate a compelling government interest to infringe these rights.102 Hastily passing legislation may prove harmful in the cyber age.103 Many advocates seek a middle ground, as the risk of maintaining two competing privacy regimes creates a precarious situation.104 With these considerations in mind, the FTC and the EU negotiated a common ground: the Safe Harbor, a voluntary method for U.S. companies to comply with the Directive, and a solution which stands in stark contrast to the strict, overarching, binding regulation sought by privacy advocates.
3. The Safe Harbor Solution
As the U.S. and the EU disagree on how to regulate Internet privacy, extensive negotiations between the two entities produced the Safe Harbor, which provides a voluntary alternative for U.S. companies that want to do business in Europe in spite of the dictates of the EU Directive.105 Seven fundamental principles are embodied in the Safe Harbor. The specific provisions are: (1) notice, (2) choice, (3) onward transfer, (4) security, (5) data integrity, (6) access, and (7) enforcement.106
Three main concerns cause companies to hesitate joining the Safe Harbor: (1) the cost of joining, (2) the jurisdictional hook, and (3) the fact that, to date, only a small number of companies have certified. Safe Harbor presents another set of problems, however, for U.S. companies that certify themselves under its provisions. In order to comply, companies must incur substantial costs to ensure that their data management processes meet threshold requirements.107 Companies view these entry and transaction costs as a major impediment to joining.
Further, certifying companies subject themselves to an entirely new set of regulations and a new jurisdiction, because they must still adhere to member state law if they maintain a physical presence there.108 In addition, by certifying, companies consent to FTC jurisdiction.109 Companies that participate view this broadened jurisdiction as a disincentive because they involuntarily subject themselves to higher scrutiny than under current U.S. law, while the FTC does not subject non-Safe Harbor companies to these additional constraints.110 Finally, many companies see no upside to joining the Safe Harbor because an insignificant number of companies have certified to date.111 In sum, certification under Safe Harbor does not create a long-term value proposition112 for many companies. As the Directive and similar regulations like the Safe Harbor fail to garner industry support, EU-style regulations also face strict constitutional challenges, for example, under the First Amendment principle of free flow of information.
V. THE EU DIRECTIVE AND THE FIRST AMENDMENT
The EU Directive clashes directly with the First Amendment principle of free flow of information and vests power in the government rather than in the individual. Justice Brandeis defined privacy as "the claim of individuals, groups, or institutions to determine for themselves when, how, and what extent information about them is communicated to others."113 While this definition sufficed in a world that dealt only with actual physical contact or intrusion into people's homes, it fails to explain fully the privacy concerns in an on-line environment.114 As the status of privacy law on the Internet remains in flux, many privacy advocates argue for a broader, more omnibus legislative solution.115 However, this approach conflicts with the bedrock First Amendment116 policy concerning the free flow of information.117
Although it is not absolute, American citizens cherish this right to privacy118 and are suspicious of government.119 Adopting an all-encompassing privacy regulation would contravene these First Amendment rights.120 As Solveig Singleton recognized, "[a]n omnibus system of privacy regulation would mark an extremely radical change in the legal framework for the flow of information through the economy."121 Many privacy advocates, however, tend to downplay this principle when analyzing the EU Directive.
Citing consumer respect and consumer safety, many U.S. privacy advocates lobby for legislation tightening on-line privacy controls yet tend to ignore the current "free-flowing" infrastructure in which U.S. companies operate. These advocates also ignore the constitutional hurdles that limit the passage of broad legislation. The First Amendment certainly does not preclude all legislation or regulation in the privacy context, but it does pose a significant hurdle to overarching information privacy legislation, or regulation similar to the Directive.122 Courts generally subject any type of regulation encroaching on First Amendment values to the highest level of scrutiny.123 However, many consumers and privacy advocates believe that the sheer amount of information that companies collect about individuals and the way in which they use this information is cause for alarm, and in turn, greater regulation.124
It therefore seems that support for change in on-line business practices is growing as privacy advocates contend that the U.S. also needs a comprehensive approach to the regulation of data privacy, rather than its current method of post hoc reactions to market demands.125 As one scholar notes, "reliance on self-regulation is not an appropriate mechanism to achieve the protection of basic political rights. Self-regulation in the U.S. reduces privacy protection to an uncertain regime of notice and choice."126 Indeed, companies and legislators face a legal issue unique to the Internet, because companies and the government can accumulate vast stores of personal information with minimal effort and cost.127
Given this capacity to collect information in a previously unimaginable way, jurisprudential guideposts in the U.S. and abroad are shifting to create scenarios in which companies must watch over their shoulders before they use personal information. As cyberlaw scholar Pamela Samuelson noted:
Work must continue on evolving norms about appropriate and inappropriate uses of personal data, on persuading firms that the trust necessary for electronic commerce to flourish requires the interests of individuals in information privacy to be given appropriate deference, and on adapting the technological infrastructure of cyberspace so that information privacy becomes easier to achieve. The principal challenge of these multifaceted endeavors is not to recreate in cyberspace some preexisting zone of privacy from the physical world, but to articulate values inhering in information privacy that should constrain and structure social, economic, technological, and legal relations.128
Fortunately, broad legislation, such as the EU Directive,129 has not been passed in the U.S., but many American privacy advocates still push for such legislation.130 Some advocates even argue for a reasonable limit on the "seemingly ceaseless forward march of modernity."131
A. How Much Government Involvement?
Even if the public acquiesces to a curtailment of the free flow of information, a threshold question concerning the role of the government in privacy regulation lingers as the subject of heated debate.132 "The critical question is whether 'new wine can be poured successfully into an old bottle,' or whether new legal norms must be devised for the governance of the Networld."133 On their face, these proposals for broad legislation appear benign and purportedly represent the best interests of Americans despite their curtailment of the free flow of information. Congress and agencies should not institute broad regulation, however, without an appreciation of the historical balance between the interests of government and the individual.134 The value added from data collection regulation must be weighed against the value of free flow of information.135
This principle applies both when the U.S. government seeks to collect information and, in the situation of the EU Directive, when it seeks to interfere with the collection or dissemination of information by private parties.136 Although the government might not be the entity collecting the information, the government still interferes with the free flow of information when it enacts broad legislation that curtails information collection.137 Thus, because courts subject regulations affecting the free flow of information in the private sphere to heightened scrutiny,138 courts should also require that the government show a strong interest in the enactment of broad legislation.139 This argument for heightened scrutiny is not to say that proposed privacy regulation will never pass muster under constitutional standards, but it is indicative of the hurdle that privacy advocates must overcome to enact such legislation or regulation.140
B. Privacy Versus the Ability to Learn About Your Neighbor
If a regulation similar to the EU Directive were implemented in the U.S., the regulatory framework would face serious problems under the First Amendment when the issue is analyzed from another angle. The First Amendment also historically protects the ability to freely learn about other people in ordinary business interactions and in day-to-day contacts.141 Contrary to privacy advocates' claims, the collection of information actually helps one learn about her neighbor, which can prevent false information from being spread. However, when addressing the Directive, many privacy advocates appear to seek a virtual world of complete anonymity in on-line transactions, a world in which one cannot link personal information back to an individual.142 This solution not only runs counter to protecting the free flow of information, but it can actually cause problems with individual accountability.143
To support this proposition, Judge Richard Posner notes that privacy can sometimes impose serious costs on society.144 He acknowledges that, in many cases, misleading people with whom one conducts business creates a motive to conceal information.145 Posner argues that private information, if revealed, actually serves to correct misapprehensions about individuals.146 Indeed, too much privacy can facilitate the promulgation of false information and can impose substantial costs on society.147 Furthermore, Posner questions the actual harm of "casual prying," which he posits does not necessarily create a substantial threat (within reasonable limits).148 According to Posner, "[p]rying enables one to form a more accurate picture of a friend or colleague, and the knowledge gained is useful in one's social or professional dealings with him."149 Under this view, too much privacy can be detrimental to society. The Directive's ramifications actually include lower quality of information being transferred, because the Directive grants consumers a veto power over others' ability to learn about them.150 Unfortunately, this veto power could cause adverse effects on the market.151 In sum, regulation of information disclosure often creates positive effects, but major problems do exist when regulating the actual collection of information. Recent scholarship has noted that requiring companies to disclose how information is used would meet applicable constitutional standards but that other restrictions, such as data collection restrictions, may not square with sound First Amendment policy.152
The traditional U.S. theory posits that each industry knows the best regulatory framework to implement with regard to data privacy in that industry's respective field.153 In contrast, EU policymakers are concerned that this will ultimately incentivize companies to inject their consumers' information into an unregulated market, which could lead to exploitation of the consumers' information.154 An EU-style regulation in the U.S. would invade the private sphere by preventing individuals from learning about each other, because the thrust of such legislation would regulate business entities rather than curtailing government influence. In contrast, individuals should be free to learn about each other in the marketplace, because, as Posner notes, this knowledge encourages accountability and helps to prevent promulgation of false information.155
C. Regulation of the Private Sphere Versus Constraints on Government
While some concern exists regarding business encroachment on individual privacy, most Americans view the government as a greater threat156 to individual liberty than other individuals or companies.157 In addition, the Constitution does not explicitly grant individuals a right to privacy, but the Supreme Court has interpreted certain provisions of the Constitution to provide some protection from government encroachment on individual privacy.158 As a result, many Americans prefer decentralized authority and remain apprehensive about regulation of the private sphere.159 Even when countries pass statutes regulating privacy, this regulation typically restrains the government, not private actors.160 Without a compelling governmental interest, courts typically prefer the free flow of information over such broad regulation.
D. Can More Government Control Really Be the Answer?
The guiding principle of U.S. privacy norms lies in a less-is-more approach to government regulation of personal information.161 Americans rarely favor broad legislation, and view governmental control over personal information as contrary to American values.162 In contrast, the Directive requires each member state to create a national supervisory authority, known as a data authority,163 to control personal data that companies seek to process.164 The Directive requires companies to secure documented consent from individuals and present this information to the data authority before they can use the collected information.165 In practice, the government authority (data authority) retains the information in its databases, and the individual actually loses control of her information to the government.166 This loss of control effectively gives the government control over personal information, which contravenes traditional U.S. privacy norms and policies, thus creating further tension between the Directive and the traditional U.S. approach.
The EU's creation of data authorities actually gives the government more power over individuals' information.167 Under the infrastructure established by the EU Directive, the government, through the data authorities, stores personal data.168 Under this system, the data authority therefore acts as a surrogate for the EU, because the Directive requires that each member state create an independent public authority that supervises data flows, retains investigative power over data processing, and retains the ability to access the data.169 The system aims to create uniformity, but the Directive in fact grants the government the power to store the information. This transfer of power would create a problematic situation in the U.S., because the EU method of registering data processing activities does not align with American values of minimal government intrusion into the private sphere.170 Because the Directive requires that companies or persons who wish to "collect, process, use, store, and disseminate personal information" register with a government entity, the Directive contravenes the U.S. constitutional framework.171
Member states' differing laws only exacerbate the problem.172 EU countries remain free to establish varying levels of privacy. For example, Italy's provisions are stricter than those provided in the Directive.173 Italian laws state that individuals must give consent in writing, but "such processing must be specially authorized by the national government's supervisory authority."174 This scenario results in uncertainty in the law, even more so when different member states enact varying levels of protection.175 In sum, many privacy advocates push for broad legislation under the guise of civil liberties without acknowledging a long-standing U.S. maxim: Strong distrust of a centralized government with unfettered discretion over personal privacy counsels against vesting greater authority to regulate on-line privacy in a centralized government body.176 Implementing an EU-style regulation in the U.S. poses a difficult challenge under First Amendment principles.177 In addition to these problems, a closer look at the Directive and the infrastructure that it supports reveals that the Directive fails to achieve its articulated goal of uniformity in the regulatory framework.178
VI. THE EU DIRECTIVE AND THE STATED GOAL OF UNIFORMITY
The Directive does not achieve the goal of uniformity for two reasons. First, the standards179 vary among member states. Second, deference to the interpretations of multiple, member state-specific data authorities erodes uniformity. These two issues work in tandem to cause the Directive to fail in its stated goal of uniformity in the regulatory frameworks of EU member states. A similar system here in the U.S. would also likely fail in the same regard.
The Directive seeks to provide uniformity in data practices throughout the EU.180 This goal is similar to the U.S. federal system, in which there exists an overarching goal to create and maintain predictability and uniformity among various state bodies of law. Uniformity allows individuals and companies to rely on existing laws and not be concerned with varying standards in different states or countries. However, the Directive fails to provide uniformity along these lines.
Implementation of an EU-style regulation in the U.S. is unlikely to fulfill the desire for uniformity: much like the emperor's weavers touted their magical cloth, the EU praises the Directive's "uniformity," even though the Directive is not uniform. Many U.S. privacy advocates "see" this new set of clothes, so to speak, but refuse to acknowledge its shortcomings, such as the lack of uniformity. The fundamental problem lies in the fact that the Directive allows for individual member states to enact their own privacy laws, so long as these laws do not provide less than the Directive's threshold protections.181 Under the Directive, member states provide the actual substantive law for data transfer, not the EU.182 On its face, this requirement does not appear to pose an insurmountable problem, but a closer analysis reveals the Directive's failure to provide for any real uniformity.183 Because each member state applies its own substantive law, different member states create varying data protection levels.
This variation creates a dilemma, because the system results in agencies that operate independent of one another, which gives power back to the government by giving these authorities a "degree of interpretive power over any individual case."184 Since the Directive affords them this broad interpretive power, it follows that their own legal traditions will taint their adjudications. This discretion allows agencies to inject member state law as well as national norms and interpretations into the mix rather than interpreting the Directive itself.185
For example, France and Germany require higher and stricter levels than Italy requires.186 The Directive provides that no country may enact laws lower than the EU threshold, but it allows member states, at their discretion, to enact laws much stricter than the underlying EU rule of "adequacy."187 This flexibility causes the EU to fall short of its intended goal of uniformity; indeed, the local laws of the member states display everything but uniformity, thus dismantling the facade that the Directive creates.188
As a result of this variation, companies operating in more than one EU member state must follow the strictest country's law, not the EU's law.189 This instability defeats the purpose of a "uniform" system.190 As the level of uniformity decreases, so does the law's predictability. While many argue that the Directive's uniformity is its greatest virtue, it may, in fact, be its weakest element. One scholar even noted, "[t]his is a far cry from the uniform data protection standards anticipated by the Directive's proponents."191
The EU Directive inevitably facilitates nonuniformity by virtue of its infrastructure as described above. This nonuniformity results because, as a practical matter, if a business wants to engage in on-line trade within any EU member state, the business must comply with that member state's data privacy rules, regardless of whether that state imposes stricter rules than other member states or than the Directive itself.192 Under this system, one member state can effectively trump the laws of the other member states and consequently force other member states to raise data standards to the strictest level.193 Delegating to member states a quasi-veto power over the laws of another member state creates friction between the member states because any member state could hypothetically raise the bar to an arbitrary level.194 Thus, the degree of data protection a country is able to invoke is limitless.195 In the event that other member states do not raise the bar to this level, nonuniformity results, and the stated purpose of the Directive is undermined.196
Sweden serves as an example of a country that fosters such nonuniformity. Swedish national law makes it illegal to mention information about any identifiable individual on the Internet without prior permission.197 Clearly, this is a stricter standard than other member states impose. The application of this law led to inconsistent results across the EU.198 When the Swedish government arrested fur protesters, after they advertised a boycott of certain fur producers and identified those fur producers by name, conflict resulted. This variance occurred because identifying fur protesters by name is not problematic in other member states.199 While it is debatable whether mentioning fur producers by name raises any real privacy concerns, the practical result is that, under the Directive, other countries must conform their data practices with Sweden's regulatory framework. This requirement either will create a situation of maximum privacy or it will erode uniformity, but neither outcome represents an optimal solution. With respect to this particular issue, Sweden holds the proverbial "queen of hearts" in that it can effectively force, or at least exert substantial pressure upon the other member states, to increase the level of regulation. The EU institutes these policies at the risk of arbitrary lawmaking, which destroys rather than facilitates uniformity, because "small divergences and ambiguities will inevitably exist where the principles must be interpreted by different supervisory agencies in each of the member states. These remaining divergences in standards can pose significant obstacles for the complex information processing arrangements that are typical in electronic commerce."200 Even EU officials have stated that the Directive is "ill suited to a far flung, inherently global medium such as the Internet."201
According to this analysis, the Directive creates a recipe for arbitrariness and may erode the stated goal of uniformity in on-line privacy regulations among EU member states. Again, the practical effect of this procedural framework is the erosion of uniformity.202 Even if lawmakers overcome this problem and achieve uniformity, serious implications still exist if member states do not enforce their regulations or enforce them to differing degrees. As a result, U.S. companies likely will not adopt the Directive's principles, unless all of the member states adopt them as well.203
VII. THE EU DIRECTIVE LACKS ADEQUATE ENFORCEMENT MECHANISMS
While creating stringent regulations for data collection and dissemination, the Directive lacks a coherent enforcement structure.204 Without effective enforcement mechanisms, the substantive law of on-line privacy regulation lacks practical applicability and fails to protect the public in any meaningful way. Without enforcement mechanisms, the law also provides little incentive for companies to adhere to its dictates.205 While the EU created broad regulations and legislation, it does not enforce its provisions in the way that privacy advocates are led to believe.206 In some cases, member states either do not enforce their national laws or enforce them to varying degrees.207 In certain instances, member states do not enforce their national laws for business reasons; in other situations, the member states do not yet have an infrastructure to enforce the Directive or even have existing national law.208
This lack of enforcement begs the question of why U.S. privacy advocates encourage the adoption of similar provisions.209 Moreover, U.S. companies view the lack of enforcement in Europe as a disincentive to conform to the EU Directive. As one scholar has noted, "[t]he lack of resources for government enforcement, especially when confronted with such widespread data processing, further diminishes the likely role of the [D]irective as an effective means of protecting privacy on-line."210 This lack of enforcement in the EU makes the Directive an ineffective solution to privacy concerns in the EU, and, more importantly, in the U.S.211
This deficient enforcement mechanism weakens the ability of the European Union to regulate companies outside of Europe, because "[u]ntil it gets its own house in order, the EU would have a tough time trying to enforce the Directive against companies overseas."212 Further, while more of the member states enact legislation in compliance with the Directive, neither the level of implementation nor the enforcement213 is completely effective. As a result, U.S. companies halted their sudden rush to comply with the Directive, because they became aware of the significant enforcement problems in the EU.214
Many possible reasons exist to explain the Directive's lack of enforcement. One possibility is that in the EU, "there are disincentives to litigation. If a plaintiff files and loses, the plaintiff generally pays the costs for both sides."215 This actually creates a disincentive for private individuals to bring claims. However, regardless of the reasons, the EU does not effectively enforce the Directive.216
VIII. CONCLUSION
The EU Directive represents an on-line privacy system that clashes directly with the U.S. data privacy infrastructure. Like the public who could clearly see the emperor's nakedness but who pretended not to, many U.S. privacy advocates push for a similar system in this country. A piece of legislation similar to the Directive will not work in the U.S. because of the potential First Amendment violations. Simply put, legislation similar to the Directive contradicts traditional American privacy values and interferes with the touchstone of First Amendment principles: the free flow of information. Further, the Directive does not achieve its articulated goals of uniformity and the protection of fundamental rights. Instead, its procedural framework erodes uniformity.
The Directive's weavers, while claiming that they possess a cure-all for privacy concerns, advocate the implementation of a similar system in the U.S. The Directive, however, is a facade, an unfortunate truth that privacy advocates refuse to recognize. The emperor paraded through the town wearing nothing, yet the crowd looked beyond the emperor's folly and praised his "new clothes." Likewise, privacy advocates appear naked without their clothes, because they adamantly encourage identical legislation in the U.S. that cannot function.
The children, however, unmoved by public sentiment, recognized the truth and spoke their mind. Likewise, opponents recognize the shortcomings of broad, EU-style privacy legislation and therefore seek to tear down the facade for the sake of finding a real, workable privacy solution.
[Author Affiliation]
David Raj Nijhawan*
* J.D. Candidate, Vanderbilt University Law School, 2003. Special thanks to God, my parents, Pradeep and Bev Nijhawan, my sister, Sunita Renee Nijhawan, my brother-in-law, Christopher Blanford, my grandparents, Bal Raj and Pushpa Nijhawan, my aunt and uncle, Pramodh and Nancy Nijhawan, John Raj Nijhawan, Phoebe, the Honorable Randy J. Holland, the Vanderbilt Law Review, Elizabeth TeSelle, Professor Steven Hetcher (for the title and the idea), Professor Patrick Duparcq (for encouraging me to consider law school), Mary Miles Prince (for teaching me how to Bluebook), Brenda Phillips, Thomas Francis Lombardi (for his red pen), Thomas Wedeles (for his time spent editing this Note), James Frank Cirincione (for providing valuable comments throughout this process), Jeffrey Bush, Evan Bennett, Debbie Reule and Russ Miller (for editing earlier drafts), Stephen Larson (for bouncing ideas back and forth regarding the intersection of law and technology), Laura Domm, Kirsten DeBarba, Jean Blackerby, Trish Luna, Michelle Lyons (my moot court partner, for teaching me how to write-again), Meg Pattison, Eric and Carrie Eisnaugle, Linda Lam, Jason Cincilla (for defending our country as a member of the U.S. Special Forces), J.D. Blair (for praying for me during law school), Lisa Bamford (also for praying for me to survive Law Review), James Andrew Beard (for teaching me how to walk), Heather Siukola, Allison Overdeck, Patrick Flanagan, Rich Padgett (for teaching me to believe in myself and to pursue this goal), Elizabeth Karavitis, Beverley Pugh, Sue Deason (for teaching me the value of hard work), Louise Freeman, Bruce Parkinson, Mike Parker, Joseph Fonte, Christopher Thomas (for the inspiration), Stuart Meyer of Fenwick and West LLP, Lou Holtz (for the 1988 championship season), Tyrone Willingham, Arthur Guinness, Neil Peart (for inspiring me to always strive to do my best, even if I burn my wings a little), and finally, Bono.
