Professor Joel R. Reidenberg
Fordham University School of Law
140 W. 62nd Street New York, NY 10023
Home page: <home.sprynet.com/sprynet/reidenberg>
International Privacy Conference
(Montreal: September 23-26, 1997)
Summary Comments Workshop
No. 2401 on the European Directive
From the perspective of a non-European and, more precisely, an American
observer, two aspects of Directive 95/46/EC merit particular attention.
First, the legal approach to fair information practice in Europe has a
structural significance for the treatment of personal information and,
second, the terms of the Directive will push the substantive standards
beyond the European Union's member states.
1. The Structural Significance of the Directive's Approach for Non-Europeans
- The cross-sectoral framework sets a consistent agenda for good business
- The cross-sectoral framework means that implementation decisions
will be critical
- The basic principles of the cross-sectoral approach are technology
- Many are easier to apply with a centralized infrastructure, but
no less relevant for a decentralized infrastructure.
- The obligatory character of the basic principles along with legal
remedies for aggrieved citizens create an environment of trust for citizens
that will be particularly important for electronic commerce
- The transposition of the Directive should provide greater coherence
in European data protection policy and the Article 29 Working Group policies
should smooth differences among interpretations in the laws of the member
2. The Directive's Internationalization of Fair Information Practice
- The Directive transforms fair information practices into a global
implementation issue for international companies as well as a business
necessity. Business will have a hard time justifying better treatment
of the same personal information for the citizens of one country as compared
- Article 4 imposes a choice of law rule that effectively provides
jurisdiction to any European member state from which information is collected
or processed. European member states must, for example, apply their national
laws to any foreign entity that obtains personal information using any
means located in the European member state.
- Article 25 prohibits the flow of personal information from European
member states to countries that do not assure "adequate" protection
of privacy. This will be a major problem for countries without framework
laws, especially the US, where "adequacy" can only be established
on a case-by-case basis. For business to benefit from Article 26
exceptions, the European standards will have to be assured for the treatment
of personal information outside the European Union.
- The Directive's choice of law provision and transborder data flow
provisions will, in effect, require that global businesses regularly audit
their information practices, incorporate technological infrastructure mechanisms
to assure fair information practices and establish data protection contracts
with agents and counterparties. This is likely to create new private
sector industries such as information auditors and quality control specialists
as well as new privacy products such as data tagging devices.
- The definition and implementation of data privacy rules for electronic
commerce will be influenced significantly by the Directive's standards
because of the importance of the European marketplace and the existence
of data protection authorities in each of the European member states.
back to home