Thelen Reid Report No. 391: European Privacy Directive Threatens Data Transfers to US Businesses



Reprinted from Thelen Reid & Priest International Business Transactions Newsletter, August 1998

On October 24, 1998 the European Commission's Privacy Directive went into effect, a development which could have a dramatic effect on the way data is exchanged between European Union ("EU") countries and the United States. The directive requires EU member states to enact or modify their laws to provide privacy protection to data collected about individual "data subjects" far in excess of the requirements of United States law, and prohibits data transfers from the EU to third countries, including the US, that do not provide equivalent protection. Every company doing business in Europe, and especially those with substantial operations in Europe, will want to monitor the way the EU and its member nations implement the Directive to avoid its potential anticompetitive effects on non-EU companies.

Background Of Privacy Concerns. The amount of personal data being gathered by business entities, non-profits, research entities, and government itself is enormous. Records are routinely maintained, and exchanged, relating to individuals' employment, earnings, medical treatments and conditions, gender, age, personal characteristics, current and former telephone numbers and addresses, shopping behavior, charitable and political affiliations, and the like, by any organization that comes in contact with such information. Such information gathering is especially common on the Internet. Sales of databases containing such information have become big business.

United States law regulates privacy interests in personal data in a sporadic, sector-specific manner, targeting credit reporting practices, government access to electronic records, videotape rental records, student loans, and other specific areas. But no overarching privacy law attempts to set out general rules governing the obligation of those controlling personal data to the persons to whom that data relates, the "data subjects." In Europe, however, the situation is much different. European nations such as Germany and France have had general laws on the books for years aimed at protecting the interests of data subjects in how their personal data is gathered, used, and transferred.

Adoption Of The Directive. In 1995, in the interest of establishing uniformity among EU members, the European Commission ("EC") and European Parliament adopted Directive 95/46/EC, "On the protection of individuals with respect to processing of personal data and the free movement of such data."

The Directive requires EU member states to adopt national laws with provisions paralleling those of the Directive by October 24, 1998. The Directive outlines a scheme of data protection far stricter, more sweeping and more bureaucratic than anything existing or likely to exist in the United States. The Directive also provides that EU member states must prohibit transfers of personal data from entities within the EU to entities (or offices of the same entity) located in other "third nations" (like the United States) where "adequate protection" measures analogous to those imposed by EU members on themselves do not exist.

Obligations Imposed On Data Controllers. The Directive applies to any "processing" of personal data, i.e., any "operation ... performed on personal data" which is identifiable to an individual by name, likeness or otherwise. It covers all computerized data processing and even the manipulation of non-computerized paper files if the files are maintained in individually identifiable and searchable form. US companies will be affected by the law, first, because it extends to US companies that use processing equipment located in the EU, and second, because entities that are located in the EU, including EU branches of US entities, may be restricted in transferring data to US facilities.

The Directive requires controllers of data to abide by certain privacy principles. Personal data must be processed "fairly and lawfully"; it must be collected only for "specified," "legitimate" and "explicit" purposes and used accordingly; only data relevant to the identified purpose may be gathered; data must be kept accurate, and errors corrected; and personal data must only be kept in a form identifiable to individuals as long as is necessary. Even with the above restrictions, the processing of personal data may only take place under one of the following conditions:

  • the data subject must unambiguously give his or her consent, or
  • the processing must be necessary to fulfill a contract requested by the subject, or
  • it is required by law, or
  • it is necessary to protect the subject's own "vital interests," or
  • it is necessary to public interest or government functions, or
  • a catchall provision, probably the most important of the six, which allows a controller of personal data to process it if the controller has a "legitimate interest" in doing so which is not outweighed by the rights of the subject.

The last category above obviously calls for a balancing analysis which, while providing flexibility, will also give rise to substantial legal uncertainty. Processing of especially sensitive personal data relating to race, political or religious beliefs, sexual conduct, trade union involvement, and the like is subject to even stricter limitations.

Data subjects are given certain parallel rights as well, including the right to learn if data about themselves is being processed, what it is being used for, to inspect the data, and to correct errors.

The above provisions, while not uniformly embodied in any general US privacy law, are recognizable in various best practices codes adopted by industry trade organizations and regulations adopted by the government for its own data processing functions. However, the Directive goes further. It requires the data controller to inform the data subject whenever data about the subject is processed, including providing information about the identity of the controller, the purpose of the processing, and the use and distribution of resulting information. Further, it requires controllers to notify a government privacy official regarding each such episode of processing, and requires the states to maintain "registries" of such information. It also provides for sanctions for non-compliance.

It is anticipated that EU states will meet these requirements, which would otherwise be overwhelming, by issuing a form of blanket approval and exemption from notice and reporting for large categories of data processing functions where the risk of privacy injury is low.

Impact On Transmissions Of Data To The United States And Other Countries. Article 25 of the Directive provides that transfers to third countries such as the US may only be made if the transferee nation provides an "adequate level of protection." What categories of transfers can be made on this basis will ultimately be determined in proceedings before the European Commission; however, EC officials have made it clear that the US's patchwork scheme of privacy legislation, which leaves many areas largely unregulated, will not meet this test as a general matter. However, even if the adequacy finding cannot be made as to an entire nation on a blanket basis, other provisions of the Directive may still allow transfers to occur under certain circumstances, such as where the data subject has given "unambiguous consent" or the transfer is being made from a register of information which is public as a matter of law.

In addition, member states can authorize the data controllers themselves to determine whether a particular transfer adequately protects the privacy interests of the data subjects, and make the transfer if appropriate, although such transfers must be reported to the EC and may be objected to by others. In making the determination that adequate safeguards exist under this section controllers can consider not only government laws and regulations but also any contractual provisions imposing privacy safeguards. As a result, a great deal of energy is presently being spent in both the EU and the US in determining how transfers can be allowed to take place with US industry sectors (banking, consumer credit reporting) where reasonably strict privacy laws and regulations already exist. Outside those areas, groups such as the International Chamber of Commerce and the Online Privacy Alliance are attempting to generate contractual language or industry codes which individual companies or trade organizations can adopt to meet the requirement of "adequate protection." The Commission is attempting to coordinate the approach of all member states to these questions through the use of an entity called the "Working Party" which issues guidance as to how "adequacy" may be assessed. It appears that over the coming years privacy regulators in the EC and in various EU member states will be required to rule on the permissibility of data processing and transfers in diverse circumstances and industry segments.

Numerous questions regarding implementation of the Directive remain unanswered, including the extent to which reasonable categorical exceptions will be made for less significant transfers, the extent to which industry self-regulation or best practice codes in the US will be recognized as providing adequate protection, and the extent to which EU business will attempt to invoke the Directive and member state laws related thereto to obtain a competitive advantage over US and other non-EU firms. Any business entity that exchanges personal data with EU affiliates will want to monitor developments in this area and develop a compliance plan in the near future.

The Thelen Reid Report is published as an information service to clients and friends. Please recognize that the information is general in nature and does not constitute legal advice.