From the perspective of a non-European and, more precisely, an American observer, two aspects of Directive 95/46/EC merit particular attention. First, the legal approach to fair information practice in Europe has a structural significance for the treatment of personal information and, second, the terms of the Directive will push the substantive standards beyond the European Union's member states.

1. The Structural Significance of the Directive's Approach for Non-Europeans

• The cross-sectoral framework sets a consistent agenda for good business practices
• The cross-sectoral framework means that implementation decisions will be critical
• The basic principles of the cross-sectoral approach are technology neutral.
• Many are easier to apply with a centralized infrastructure, but no less relevant for a decentralized infrastructure.
• The obligatory character of the basic principles along with legal remedies for aggrieved citizens create an environment of trust for citizens that will be particularly important for electronic commerce
• The transposition of the Directive should provide greater coherence in European data protection policy and the Article 29 Working Group policies should smooth differences among interpretations in the laws of the member states.

2. The Directive's Internationalization of Fair Information Practice Standards

• The Directive transforms fair information practices into a global implementation issue for international companies as well as a business necessity.  Business will have a hard time justifying better treatment of the same personal information for the citizens of one country as compared to another.
• Article 4 imposes a choice of law rule that effectively provides jurisdiction to any European member state from which information is collected or processed. European member states must, for example, apply their national laws to any foreign entity that obtains personal information using any means located in the European member state.
• Article 25 prohibits the flow of personal information from European member states to countries that do not assure "adequate" protection of privacy. This will be a major problem for countries without framework laws, especially the US, where "adequacy" can only be established on a case-by-case basis.  For business to benefit from Article 26 exceptions, the European standards will have to be assured for the treatment of personal information outside the European Union.
• The Directive's choice of law provision and transborder data flow provisions will, in effect, require that global businesses regularly audit their information practices, incorporate technological infrastructure mechanisms to assure fair information practices and establish data protection contracts with agents and counterparties.  This is likely to create new private sector industries such as information auditors and quality control specialists as well as new privacy products such as data tagging devices.
• The definition and implementation of data privacy rules for electronic commerce will be influenced significantly by the Directive's standards because of the importance of the European marketplace and the existence of data protection authorities in each of the European member states.

back to home page