Management, compliance & auditing

Differences between the privacy laws in the EU and the US

Daniel Dimov
January 10, 2013 by
Daniel Dimov

Everything we do in the Internet leaves digital fingerprints. Therefore, it is only logical that many web users are worried about the issue of privacy. Their worry is not without reason. Because privacy laws differ from country to country, a company is not legally obligated to ensure that the processing of personal data will comply with the laws of all countries where the persons whose data have been collected reside. For example, if a company is incorporated in an offshore country, the company may not be obliged to observe any data protection laws. However, because of the global nature of the Internet, such a company may still offer online services to persons residing in countries with strict data protection laws.

Even large countries and organizations, such as the EU and the US, have different approaches in their attempts to regulate the use of personal information in the information society. The purpose of the present article is to briefly describe the data protection laws of the EU (Section 2) and the US (Section 3).

Finally, a conclusion is drawn (Section 4).

The Data protection laws of the EU

In the EU, two main legal instruments regulate the data protection in the information society. These legal instruments include the Data Protection Directive 1995/46/EC (Section 2.1) and the e-Privacy Directive 2002/58/EC (Section 2.2).

The Data Protection Directive 1995/46/EC

The EU Data Protection Directive 1995/46/EC is applicable to the automated processing of personal data and other processing of personal data that form a part of a filing system. The Directive defines personal data as any information that relates to an "identified or identifiable natural person." It should be noted that processing of personal data related to public security, defence, state security, and activities in areas of criminal law does not fall within the scope of the Directive. Below, the obligations of the person responsible for determining the purposes and means of the processing of personal data ("the data controller") and the rights of the person whose data is processed ("the data subject") are discussed.

Obligations of the data controller

Pursuant to the Directive 1995/46/EC, the data controller should ensure compliance with several principles relating to data quality. These principles include: (1) the collected data should be processed fairly and lawfully; (2) the collected data should be collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes; (3) the collected data should be adequate, relevant, and not excessive in relation to the purposes for which they are collected and/or further processed; (4) the collected data should be accurate and, where necessary, kept up to date, and; (5) the collected data should be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed.

The data controller should not only comply with the abovementioned principles, but also provide certain information to the data subject. In particular, the information that will need to be provided to the data subject include: (1) the identity of the controller and of his representative, if any; (2) the purposes of the processing for which the data are intended; (3) any further information such as (i) the recipients or categories of recipients of the data, (ii) whether replies to the questions are obligatory or voluntary, as well as the possible consequences of failure to reply, (iii) the existence of the right of access to and the right to rectify the data concerning him. The data controller is also obliged to implement adequate technical and organizational measures against unlawful access, accidental loss, destruction, alteration of the data.

Rights of the data subject

Pursuant to the EU Directive 1995/46/EC, the data subject has the following rights: (1) the right to access of the personal data related to him; (2) the right to judicial remedy; and (3) the right to object to certain data processing practices. It should be added that the right to access of the personal data includes the following rights: (i) the right to obtain copies of the data processed by the data controller; (ii) the right to receive from the data controller a statement indicating whether data relating to the data subject are being processed; (iii) the right to receive information on the purposes of the processing; (iv) the right to receive information on the categories of data concerned; and (v) the right to know the recipients to whom the data are disclosed, (vi) the right to obtain the rectification, erasure, or blocking of data the processing of which does not comply with the provisions of the EU Data Protection Directive 1995/46/EC.

Personal web sites should also comply with the EU Data Protection Directive 1995/46/EC

Processing of personal data by a natural person as part of purely private and household activities is exempted from the EU Data Protection Directive 1995/46/EC. However, in a landmark decision (Case C-101/01, Bodil Lindqvist, Judgment of 6 November 2003), the European Court of Justice found that a woman who identified and included information about fellow church volunteers on her personal web site was in breach of the Data Protection Directive. The reason was that the creation of a personal web site was not a personal activity falling outside of the scope of the EU Data Protection Directive 1995/46/EC.

The e-Privacy Directive 2002/58/EC

In addition to the EU Data Protection Directive 1995/46/EC, the EU adopted the e-Privacy Directive 2002/58/EC which was aimed at ensuring the protection of personal data in the field of telecommunications. The scope of the e-Privacy Directive includes publicly available electronic communications services in public telecommunications networks in the EU. In particular, the e-Privacy Directive 2002/58/EC regulates "traffic data" and "location data." The term "traffic data" refers to data necessary for the provision of communications. The term "location data" refers to data giving the geographic position of the device. The e-Privacy Directive also regulates unsolicited communications ("spam"), cookies, and spyware.

Pursuant to the e-Privacy Directive, the providers of communications services falling under the scope of the Directive should notify breaches to the corresponding national authorities. They also have to notify subscribers or customers likely to be adversely affected by a breach, which can be an identity theft, reputation loss, etc. Together with the notification, the provider should also submit a list of the proposed measures that will be used to counter the breach.

With regards to cookies, the e-Privacy Directive states that they can be installed on devices of subscribers only after an explicit consent of the subscriber or the user is provided. It should be noted that such a consent can be obtained only after the subscriber have been provided with the information required by the e-Privacy Directive and after having been offered the right to refuse such access. Regarding spam, the e-Privacy Directive states that remedies for infringements of the provisions on unsolicited communications can be obtained via legal proceedings.

Data protection in the US

Unlike the EU, the US does not have a single overarching privacy law. On a federal level, the United States maintains a sectoral approach towards data protection legislation where certain industries are covered and others are not. At a state level, most states have enacted some form of privacy legislation. Below, we quickly discuss three important federal data protection laws, namely, the Health Insurance Portability and Accountability Act (HIPAA), the Fair and Accurate Credit Transaction Act (FACTA), and the Children's Online Privacy Protection Act (COPPA).

HIPPA

The aim of the HIPPA is to ensure protection for individually identifiable health data. In particular, HIPPA defines who can have access to health information. In most cases, such information can be used only by health care professionals who are using it for treatment and care coordination purposes. Information that is subject to protection includes medical providers' notes and records, health insurer's computer records, billing information, as well as conversations between medics concerning the patient's care and treatment.

FACTA

The aim of FACTA is to help protect consumers' credit information from the risks related to data theft. Pursuant to FACTA, credit card and debit card receipts, with the exception of handwritten receipts, should not list more than the last five digits of the card number. It should be also noted that, under FACTA, a person making a request for a credit report has the right to request that the first five digits of his Social Security number not be included on the file.

COPPA

The aim of COPPA is to protect the privacy of children under the age of 13. The scope of the Act encompasses websites that are directed at children or that have knowledge that children are visiting the website. COPPA imposes an obligation on the operators of these websites to publish privacy policies specifying whether or not personal information is being collected, how this information is being used, as well as the disclosure practices of the operators of the websites. In order to collect this information from children, the websites' operators must obtain verifiable parental consent. Upon parental request, the provider should submit to the parent a description of the type of information being collected and stop collecting data from the particular child.

Conclusion

Under EU law, personal data can be collected only under strict conditions and for a legitimate purpose. The main component of the EU data protection law is the Data Protection Directive 1995/46/EC.

In the US, there is no all-encompassing law regulating the collection and processing of personal data. Instead, data protection is regulated by many state and federal laws.

The different approaches of the EU and US towards data protection probably stem from history. In Europe, where people have had dictatorships, data protection is declared as a human right and regulated by comprehensive data protection legislation. In this regard, it is worth mentioning that the STASI, the official state security service of the German Democratic Republic or GDR (informally known as East Germany), employed 500,000 secret informers. The task of 10,000 of these informers was to listen to and transcribe the phone calls of citizens. In contrast, in the US, the attitude towards data protection is governed mainly by market forces. It should also be noted that with the adoption of the US Patriot Act, which was adopted in response to the events on September 11, 2001, the US significantly reduced the restrictions in the collection of personal data by law enforcement agencies.

Sources

  • Allen, A., 'Unpopular Privacy: What Must We Hide', Oxford University Press, 2011.
  • Dixon, P., Gellman, R., 'Online Privacy: A Reference Handbook', ABC-CLIO, 2011.
  • Fischer, P., 'Will Privacy Law in the 21st Century Be American, European, Or Inernational', GRIN Verlag, 2012.
  • Hert, P., Poullet, Y., Gutwirth, S.,(Editors), 'Data Protection in a Profiled World', Springer 2010.
  • Levmore, S., Nussbaum, M., 'The Offensive Internet: Speech, Privacy, and Reputation', Harvard University Press, 2011.
  • Lloyd, I., 'Information Technology law', Oxford University Press, 2008.
  • Noorda, C., 'e-Discovery and Data Privacy: A Practical Guide', Kluwer Law International, 2011.
  • Rogosch, P., Hohl, E., 'Data Protection and Facebook: An Empirical Analysis of the Role of Consent in Social Networks', LIT Verlag Münster, 2012.
  • Rowland, D., 'Information Technology Law', Routledge, 2005.
  • Wild, C., Weinstein, S., MacEwan, N., Geach, N., 'Electronic and Mobile Commerce Law: An Analysis of Trade, Finance, Media and Cybercrime in the Digital Age', University of Hertfordshire Press, 2011.
Daniel Dimov
Daniel Dimov

Dr. Daniel Dimov is the founder of Dimov Internet Law Consulting (www.dimov.pro), a legal consultancy based in Belgium. Daniel is a fellow of the Internet Corporation for Assigned Names and Numbers (ICANN) and the Internet Society (ISOC). He did traineeships with the European Commission (Brussels), European Digital Rights (Brussels), and the Institute for EU and International law “T.M.C. Asser Institute” (The Hague). Daniel received a Ph.D. in law from the Center for Law in the Information Society at Leiden University, the Netherlands. He has a Master's Degree in European law (The Netherlands), a Master's Degree in Bulgarian Law (Bulgaria), and a certificate in Public International Law from The Hague Academy of International law.