The Movement toward Obligatory Standards for Fair Information Practices in the United States, VISIONS FOR PRIVACY IN THE 21st CENTURY (Colin Bennett & Rebecca Grant eds., forthcoming Univ. of Toronto Press)*1

Joel R. Reidenberg, Associate Professor, Fordham University School of Law
E-mail: reidenberg@sprynet.com

Varying jurisdictional approaches as well as different standards for the treatment of personal information will pose conflicts for the interrelated and international data processing arrangements of the 21st Century. The European Union's directive on data protection (the "EU Directive")*2 coupled with the Global Information Infrastructure raise the stakes for global solutions to the universally recognized need to maintain fair information practices in an Information Society. Yet, at the same time, the nature of 21st Century information processing arrangements will be complex and ill-suited for a single type of solution. This paper argues that data protection norms in Europe will create obligatory standards for fair information practices in the United States as a consequence of the provisions found in European law and in the EU Directive.

The European Pressure

The EU Directive exerts significant pressure on U.S. information rights, practices and policies. The EU Directive establishes a comprehensive legal foundation throughout Europe for the fair treatment of personal information and subjects international data flows from Europe to restrictions if the destination does not assure an "adequate" level of protection.*3 Over the last twenty years, U.S. law has provided sporadic legal rights and remedies for information privacy.*4 Most regulatory efforts have constrained the government, while existing private sector standards derive largely from company-specific practices.*5 The EU Directive and the GII, thus, present critical challenges for U.S. policies and practices. With the imposition by the EU Directive both of harmonized European legal requirements for the fair treatment of personal information and of limitations on transborder data flows outside of Europe, U.S. companies must recognize that they will have to respect European legal mandates and the U.S. government must recognize that American standards will be examined in Europe. Although there is uncertainty regarding the application of the EU Directive to particular contexts, multinational companies and the U.S. government will by necessity follow closely the implementation of the EU Directive.

While the EU Directive provides an impetus for introspection by the United States as well as other countries outside Europe, the GII is also forcing American scrutiny of the treatment of personal information. Public opinion polls show that Americans care about privacy and are concerned about the treatment of personal information. This concern is noted particularly with respect to the development of on-line services. Similarly, companies are increasingly fearful of becoming the next data scandal and are beginning to see pro-active data protection policies as a commercial strategy. Businesses also express a critical need for confidence and security in the treatment of network information.

Nevertheless, the United States is not likely to adopt a comprehensive data protection law in the next few years. Instead, a proliferation of legal and extra-legal mechanisms is beginning to converge in a way that will increase rules for the treatment of personal information within the United States. Thus, the nascent response to the twin pressures of the EU Directive and the GII is a movement toward obligatory standards of fair information practice within the United States.

Scrutiny and "Adequacy"

Since the EU Directive is now law, comparisons between European data protection principles and U.S. standards of fair information practice must be made.*6 The EU Directive requires that American standards of fair information practice be "adequate" in order to permit transfers of personal information to the United States.*7 Because the United States lacks directly comparable, comprehensive data protection legislation, the assessment of "adequacy" is necessarily complex. The context of information processing must be considered. A study of U.S. data protection conducted for the European Commission argues that the comparison should be made on the basis of "functionally similar" treatment.*8 This approach matches an aggregation of targeted legal privacy rights, non-specific legal rights that have an impact on the treatment of personal information as well as the actual practices of data collectors in the United States against a core set of European standards. The result offers important points of convergence as well as divergence.*9

In the context of the GII, data protection authorities will have significant difficulty applying European standards to trans-Atlantic data flows. As a practical matter, the diversity of activities, participants and information processing arrangements obscures clear analysis. The GII crosses sectoral and national regulatory boundaries, and crucial aspects of the treatment of personal information depend on esoteric technical characteristics. Even if a data protection authority wanted to investigate all contexts in each sector, the specialized expertise and the necessary resources are unlikely both to be available.

Unless the European Union seeks to withdraw from international information flows, data protection authorities will face unexpected legal obstacles to export prohibitions. Restrictions on data flows applied against an entire country or against a specific sector within a country may violate the Uruguay Round GATT accords. Information flows come within the scope of the Annex on Telecommunications, and although certain restrictions for privacy are permissible, the general obligation of non-discrimination still applies.*10 Thus, to single out all information flows to a particular country without taking comparable action against other countries with similar privacy deficiencies may constitute impermissible discrimination. By contrast, a focus on particular contexts, such as the treatment of caller identification information or the treatment of particular information by a specific corporation, would be less likely to violate the non-discrimination obligation. Politically, the least problematic restrictions will thus come from case-by-case analysis and assessment.

Regardless of pressure from the EU Directive, fair information practices in the United States face increasing public examination. Data protection scandals have attracted attention. For example, within the last year, NYNEX, one of the major American telephone companies, was publicly exposed for failing to implement customer subscriptions for number blocking on its caller identification service; the direct marketing industry was criticized in the press for surreptitious data gathering activities on the Internet and for designing web sites to collect personal information from children; and Netscape was revealed to contain features that allow Internet web sites to read browsing patterns from the user's own hard drive.

At the same time, businesses are also concerned with privacy issues. Industry wants certainty of standards for the fair treatment of information, and business needs confidence in the integrity of information.*11 Data protection around the world will be an essential element of 'good business practice' because the treatment of personal information is now an issue of business competitiveness. Already in Belgium, financial institutions have fought each other over the use of bank payment records to cross-sell products of affiliated companies.*12 Companies based in the United States have also begun to recognize this key aspect of data protection. For example, Citibank has developed a data protection arrangement among affiliates for world-wide information processing that establishes a high competitive standard. Later this year, Citibank plans to release publicly the model contract it used to implement standards in the United States for the processing of railway card data originating in Germany.

In essence, the sufficiency of standards of fair information practice within the United States is now on the political and business agenda.

The Confusing U.S. Governmental Response

The U.S. government reaction, however, to the twin pressures from the EU Directive and the GII is confusing. Despite the EU Directive and the GII, the American regulatory philosophy remains wedded to targeted sectoral rules adopted in reaction to particular issues; the prospects for a comprehensive data protection law in the United States remain low. While the U.S. government, particularly the federal government, has tried to give fresh thought to fair information practice issues, the message from policy decisions is neither coherent nor consistent.

In 1993, while the EU Directive was still in draft form, Vice President Gore and the Clinton Administration launched the "National Information Infrastructure" initiative and created the Information Infrastructure Task Force ("IITF"). As part of the initiative, the IITF attempted an ambitious effort to define American standards of fair treatment of personal information for the information infrastructure. Because of the likelihood of increased foreign scrutiny of transborder data flows, the IITF examined the standards from the Council of Europe Convention, the O.E.C.D. Guidelines and the drafts of the EU Directive with the intent to develop an American position consistent with global norms. By the end of last year, the IITF issued a series of reports, non-binding policy statements and guidelines that appear to compete with one another and result in the preservation of the federal regulatory status quo.*13

More recently, individual states have begun to grapple with information infrastructure issues and there is a growing movement to increase legal standards of fair information practice, particularly with respect to marketing uses of personal information. Interestingly, the EU Directive is having an influence on the direction and drafting of proposals at the state level as legislative staff consult the EU Directive to find ideas and to strengthen support among representatives. In the coming election year, however, privacy issues are not likely to be a high priority.

Another more concrete response to the EU Directive and the GII may be a centralization of privacy policy within the federal government. The IITF is presently working on a white paper to address the issue of a data protection board. Because of the scrutiny of U.S. treatment of personal information, industry has a new incentive to seek international assistance from the U.S. government. If European regulators take the transborder data flow provisions seriously, the dispersion in the United States of jurisdiction for privacy issues coupled with inter-agency rivalries will ultimately encourage businesses to push for the creation of an executive branch data protection office. Otherwise, foreign data protection authorities will continue to have no appropriate U.S. counterpart to engage in problem-solving, constructive dialog. However, between budget pressures and ideological beliefs, a new independent agency with full regulatory powers has little chance of adoption. Instead, a consolidation of the dispersed functions in a single executive branch office is more likely to occur and any powers for the private sector are likely to be limited to an ombudsman role.

In the event that European data protection authorities begin to block flows of personal information to the United States, a more specific American response can be expected. The U.S. government and industry groups will certainly raise initial objections to the principle of actual data transfer prohibitions. Some will strongly disagree with any foreign judgments of U.S. law and practice. Yet, the American public reaction, and consequently the political pressure, will be much harder to anticipate. A data transfer prohibition that discloses a lack of fair treatment of personal information within the United States could greatly assist privacy advocates seeking additional U.S. protections. In addition, such decisions may split industry cohesion as those companies with strong global data protection will have a commercial incentive to see businesses with poor practices thwarted in their international activities. Alternatively, the restraints may not be perceived as an appropriate level of response by European regulators to any identified problem with data protection in the United States and business positions against regulatory protections for privacy may be strengthened politically.

For the long-run, bilateral negotiations between the United States and the European Commission may assist the development of consistent U.S. government policies. Although the U.S. government has little to offer initially given that domestic politics keep broad legislation off the negotiating table, the discussions themselves force the U.S. government and industry to confront the need to satisfy international privacy standards.

Concrete Solutions for Transborder Data Flows

The ambiguous state of fair information practice policy in the United States and the impending evaluation of U.S. processing activities, as required by the EU Directive, together force data protection regulators, global companies and their respective constituencies to achieve a workable consensus on satisfying fair information practice obligations for international data flows. As a preliminary solution, two concrete strategies may be offered to minimize conflicts over transborder data flows: (1) a new contractual model based on the liability of data exporters;*14 and (2) a technological approach based on the development and deployment of privacy conscious technical standards.

The contractual strategy offers a way to sustain European standards on the GII without the complexities of intensive regulatory intervention in a world of global distributed information processing. Under the EU Directive, an exporter of personal information could be held to violate the requirement of "fair and lawful" processing if the exporter fails to assure that adequate information practices follow the data.*15 This means, for example, that a French data exporter would be liable in France under the standards imposed by French law for the treatment of the exported personal information regardless of where the data is processed. Under this interpretation, if an exporter cannot show that European standards are applied to the foreign processing, the exporter does not comply with the "fair and lawful" processing requirements. Contractual arrangements, then, become the key for data exporters to minimize the risk of European liability; data exporters will need to develop contracts that assure protection by data recipients.*16 This contractual strategy avoids the problems associated with enforcement of inter-corporate agreements by individuals since it shifts the focus of contracts from protection of the individual to protection of the corporation itself.*17 At the same time, the liability approach maintains corporate responsibility and preserves local recourse for individuals against data exporters, rather than attempting to create rights against remote processors that will be hard to enforce.

This type of contractual strategy forces companies to assure fair treatment of personal information without the need for data protection regulators to make direct complex evaluations of foreign law. In the absence of contractual arrangements, data exporters will be unable to show "fair and lawful" processing. To meet the burden of liability, companies will impose data protection obligations privately on data recipients. In practice, the legal strategy will require a serious commitment to supervision of foreign processing activities by data exporters. Without supervision, the data exporter remains widely exposed to liability at the place of export. This suggests an important role for codes of conduct both as a device to define contractually imposed standards for specific contexts and as a benchmark to measure compliance.*18 With this strategy, "information audits" become a critical self-preservation device for companies while simultaneously avoiding the difficulties of extraterritorial inspection by data protection authorities and costly duplication of supervision by multiple data protection agencies. European data protection authorities may, for example, decide that an information audit certified by a trusted third party is the only way for a company to demonstrate "fair and lawful" processing when personal data is exported. In any case, with this contractual strategy, European data protection authorities might accomplish the goal of assuring adequate treatment of personal information without many of the difficulties inherent to the assessment of foreign law.

The second strategy, a technological approach based on the development and deployment of privacy conscious technical standards, also offers an opportunity to embed fair information practices in the GII.*19 Technological choices establish default rules. For example, Netscape allows Internet web sites to log visits on the user's computer hard drive and access that traffic information for profile purposes.*20 The feature is not publicized by Netscape, though technically savvy users can disable the logging capability without impeding their use of Netscape.

The use of "technologies of privacy" is essentially a business driven solution that can be used to promote data protection goals and implement European obligations. Standards and architecture planning may in effect create binding privacy rules. For example, Internet web pages may adopt a common opt-out protocol, such as a small green box that can be clicked to erase a visitor's traffic data and thus preclude its use for secondary purposes. Similarly, protocols may be developed that anonymize personal information whenever possible. The recognition and implementation of new technical strategies can reduce the potential regulatory conflicts for international information flows.

Conclusions

As information becomes the key asset of the 21st Century, the treatment of personal information and the verification of compliance with fair standards become critical for public confidence in network activities.*21 In spite of the confusing U.S. government response to the GII and the EU Directive, the possible solutions for international information flows exert a tremendous pressure toward obligatory standards. Liability coupled with contractual arrangements and network architecture impose significant rules on information processing. Narrow developments in U.S. government policy, greater corporate attention to fair information practices, new contractual arrangements and network system default rules will collectively decrease the divergent characteristics of fair information practice standards in the United States from those of the EU Directive. Yet, the more seriously European data protection authorities take international data flows and the more extensively the public debates the GII, the greater the pressure will be toward these obligatory standards in the United States.

Footnotes

*1   (c) Joel R. Reidenberg. This paper was originally presented at the conference "Visions for Privacy in the 21st Century: A Search for Solutions," May 9-11, 1997, organized by the Office of the Information and Privacy Commissioner of British Columbia and the University of Victoria.

*2   Directive 95/46/EC, Eur. O.J. L281 (Nov. 23, 1996).

*3   See European Directive, art. 25-26.

*4   See Paul Schwartz & Joel R. Reidenberg, Data Privacy Law: A Study of U.S. Data Protection (Michie: 1996).

*5   Id.

*6   Directive 95/46/EC, Art. 25.

*7   Id.

*8   See Schwartz & Reidenberg, supra note 3.

*9   Id.

*10   See Gen'l Agreement on Tariffs and Trade, Annex 1B: General Agreement on Trade in Services, Annex on Telecommunications, Art. XIV c(ii).

*11   Encryption controversies reflect this critical aspect of standards for fair information practices. In Congress, recent proposals seek to confront the encryption issues.

*12   See Aff. OCCH c. Générale de Banque, Trib. de comm. de Bruxelles, Chbre. des actions en cass., slle des référés, 15 sept. 1994 (Belgium), reprinted in 1994/4 Droit de l'informatique et des télécoms 46-50; Aff. Feprabel et Fédération des courtiers en Assurance c. Kredietbank NV, Trib. de comm. d'Anvers, 7 juillet 1994 (Belgium), reprinted in 1994/4 Droit de l'informatique et des télécoms 51-55. Significantly, individuals did not bring these cases. Instead, the bank competitors successfully sued based in part on the data protection prescriptions against secondary use of personal information.

*13   See, e.g., U.S. Dep't of Commerce, N.T.I.A., Privacy and the NII: Safeguarding Telecommunications-Related Personal Information (Oct. 1995); I.I.T.F., Report of the Privacy Working Group, Privacy and the N.I.I.: Principles for Providing and Using Personal Information (Oct. 1995); U.S. Advisory Council, First Report: Common Ground (1995) (containing a section on "Privacy and Security").

*14   For an extended discussion, see Schwartz & Reidenberg, supra note 3, § 14; see also Joel R. Reidenberg, Setting Standards for Fair Information Practice in the U.S. Private Sector, 80 Iowa L. Rev. 497, 545-550 (1996).

*15   See Schwartz & Reidenberg, supra note 3, § 14-4.

*16   Id.

*17   Id.

*18   For a discussion of the usefulness of codes of conduct and standards, see Colin Bennett, Implementing Privacy Codes of Practice (1995).

*19   See Joel R. Reidenberg, Governing Networks and Rule-Making in Cyberspace, 45 Emory L. J. 911 (1996).

*20   Usually the data is stored in the Netscape directory in a file <cookies.txt>.

*21   See Joel R. Reidenberg & Françoise Gamet-Pol, The Fundamental Role of Privacy and Confidence in the Network, 30 Wake Forest L. Rev. 105 (1995).
