The EU Privacy Directive and the resulting safe harbor: the negative effects on U.S. legislation concerning privacy on the Internet.

• Author: Vitale, Angela

ABSTRACT

The rapid growth of the Internet and the importance of international business operations have thrust the issue of Internet privacy into the center of domestic and international political debates. Varying definitions of privacy have led to numerous--often inconsistent--legislative schemes to protect privacy on the Internet. These inconsistencies have made it difficult for companies to penetrate foreign markets and to maintain international operations. Of primary concern to U.S. companies is the EU Privacy Directive. The Directive requires U.S. companies that attempt to interact with potential customers or their own employees in the European Union either to qualify for a "Safe Harbor" or reach an individual compromise with each country from which data will be extracted. Not only do these requirements place additional costs on U.S. companies, they also place U.S. companies at a competitive disadvantage. More ominously, it appears that in the haste of the United States to implement privacy legislation, legislators are mimicking the EU Directive without considering the differences between the U.S. and EU legal systems, the historically different treatment of privacy as a fundamental right in the European Union, or shortfalls in the Directive itself.

1. INTRODUCTION

   The information superhighway has made geographic boundaries virtually obsolete. (1) The free flow of electronic data across borders has contributed to the growth of the "Information Age" and the global economy. (2) Internationally, however, governments have begun to restrict Internet use for various reasons, from political to religious to economic. (3) The protection of privacy on the Internet is one area in which the European Union has been a trendsetter. In an attempt to protect the rights of its citizens, the European Union has passed comprehensive legislation to protect personal data and privacy (4) on the Internet. The United States appears to be following the lead of the European Union. (5)

   As of yet the United States has no comprehensive privacy legislation. The current political debates raging in the United States suggest, however, that it is only a matter of time before Congress will pass such legislation. (6) One reason for the heated debates at both the federal and local level is the proactive stance the European Union has taken. (7) The fact that the EU Privacy Directive (8) is far more restrictive than any measures taken by the United States has dramatically impacted the U.S. approach to privacy regulation. (9) The Directive prohibits the transfer of information to and from countries not in compliance, and has therefore caused the United States to propose regulation to mirror the legislation of the European Union. Upon first impression, this creates a uniform standard for Internet operation. (10) Although a uniform standard may help to create bright-line rules, it ignores important differences between the EU and U.S. legal systems, their respective treatment of privacy, and the cultures that have developed around the Internet. Furthermore, as this Note argues, uniform standards may lead to unanticipated increased costs for global companies and anti-competitive effects for U.S.-based companies.

   In the United States, both sides of the privacy legislation debate have strong arguments. Prior to the EU Directive, the United States took a "sectoral" approach to privacy issues, crafting narrow policy laws that only applied to specific industries or types of information. (11) Because the European Union was the first to craft a privacy policy, the United States was forced to act hastily to ensure that U.S. companies had access to the European market and to their own EU-based subsidiaries or parent companies. During the last six months of 2000, Internet penetration of households in Europe increased fifty-five percent. (12) The pressure to ensure that U.S. companies would not be at a competitive disadvantage in the European market hastened the development of a U.S. plan to comply with the Directive.

   The solution to this need for haste was to create the Safe Harbor. (13) The perceived need for haste forced the United States to craft legislation without negotiation or debate. Consequently, the process failed to take into account the differences between the U.S. and EU legal systems and their different treatments of privacy issues. Furthermore, the fear--now justified--was that the Directive would not only keep U.S. companies from accessing European consumers, but would also hamper U.S. companies with European offices from engaging in trans-Atlantic communications. (14) U.S. legislators and companies were and remain primarily concerned with avoiding interruptions in business dealings, protecting U.S. companies from prosecution in the short term, and protecting the estimated $125 billion per year in trade between the United States and the European Union over the long run. (15) U.S. legislators and companies have failed to negotiate with the European Union to formulate a means of compliance that will foster the long-term growth of the Internet.

   This Note explores why the Directive and the resulting U.S. Safe Harbor are likely to prove injurious to the growth of the Internet in the United States. This Note argues that the Directive and Safe Harbor will inefficiently regulate a medium that would otherwise develop effective self-regulatory capabilities. The Note first considers the differences between the EU and U.S. treatment of privacy. These differences ultimately require different approaches to regulation.

   The history of the Directive and the resulting Safe Harbor is then traced. The Directive and Safe Harbor prove to have profoundly affected the treatment of privacy on the Internet in the United States. Prior to the Directive, the United States relied on self-regulation and market regulation. These types of regulation take time to develop and were in the process of perfecting themselves prior to the EU Directive and the resulting push for government regulation.

   Finally, the effects of the Safe Harbor will be considered. Public choice theories of agenda setting and herding support the argument that later U.S. regulations will mirror the Directive and Safe Harbor without considering differences between the United States and European Union or the different expectations of their respective citizens. Furthermore, the Directive, Safe Harbor, the activities of the Federal Trade Commission (FTC), and the resulting legislation will have negative effects on U.S. companies that have neither seriously contemplated their treatment of personal data and privacy, nor are capable of implementing the procedures and processes necessary to satisfy privacy regulation requirements.

2. INTRODUCTION TO THE INTERNET

   The Internet is "an appliance of everyday life" (16) and is accessible worldwide. (17) The Internet has changed business and economic paradigms. (18) Entrepreneurs and traditional businesses alike see the Internet as a means to improve business and reach the global market. Companies operating on the Internet have invested millions of dollars in an effort to entice customers to use and trust their Internet services. (19) To capitalize on customer use of the Internet, companies began collecting personal information on individuals who visited their websites. (20) Recent advances in technology have made it easier and cheaper to collect, store, retrieve, and organize consumer information. (21) Companies can use this information to target and maintain customers, or can organize this information into customer lists to be sold to third parties. (22) These customer lists have become valuable resources for companies. (23) This information enables web advertisements to target potential customers more efficiently than traditional advertisements. (24) The use of this information, however, has become the subject of regulation; it remains to be seen whether Internet companies will be able to capitalize on their investment.

   There are generally three methods used to collect information on the Internet: collection of personally identifiable information, cookies, and click trails. Personally identifiable information is information that can be traced back to an individual user, (25) and refers to data like the user's first and last name, home address, and e-mail address. (26) A cookie is a block of text placed on a user's hard drive by a website when the user visits the website. (27) These files are most commonly placed on hard drives through the use of banner advertisements. (28) These files track the user's online behavior but do not collect information such as name, address, or social security number unless the user volunteers this personally identifiable information. (29) Only then can the information gathered by a cookie be linked through software to personally identifiable offline data. (30) Cookies notify the website each time the user returns. (31) A click trail is a record of all the websites and pages within a website that a user visits. (32) Like cookies, this information cannot be traced to an individual user, unless the user volunteers personally identifiable information. (33)

3. PRIVACY ON THE INTERNET

   Along with the rapid growth of the Internet have come numerous legal issues. One of the more controversial and persistently debated is privacy and the treatment of personal data. This section examines the treatment of privacy by the United States and the European Union and how the different treatment of privacy in general leads to differing views of how to treat privacy on the Internet.

   1. United States Treatment

      "Americans treasure privacy, linking it to our concept of personal freedom and well being." (34) Interestingly, although Americans may value their privacy, a right to privacy does not appear in the Constitution. In addition to this curious anomaly, the issue of Internet privacy creates special problems when considered within the traditional...