Global commerce and the privacy clash: there are critical gaps in the privacy rights laws of Europe and the United States that pose a major challenge to companies embracing global commerce.

• Author: Fjetland, Michael
• Position: Global Outlook

A U.S. software company sets up operations in 25 countries worldwide: some in Europe, others in Asia, one in Australia. In the United States, there are no provisions the company must abide by regarding the use of customer personal data gathered by its Internet service provider as its customers shop. However, Australian law, specifically the Privacy Amendment Act of 2000, provides that personal information cannot be collected without the consent of the person giving it. It further provides that the information must be kept confidential and "cannot be transferred to another country that does not have privacy protection." This provision means that the U.S. company's Australian subsidiary cannot transfer the information it collects from consumers in Australia to the U.S. parent -- since there is no privacy protection in the United States.

This same clash is likely between the United States and countries that form the European Union (E.U.), which includes Austria, Belgium, Denmark, Finland, Germany, Greece, Ireland, Italy, France, United Kingdom, Luxembourg, Portugal, Spain, Sweden, and The Netherlands. Privacy rules are strikingly different in the European Union, and the differences threaten to hamper the ability of U.S. companies to engage in transactions with E.U. countries without risk of incurring penalties. Like Australia, European rules forbid the transfer of personal data to a country that does not provide a level of protection similar to its own. Therefore, the prospect looms that U.S. companies can be denied access to information from their own European subsidiaries or other companies located in Europe.

E.U. Directive 95/46/EC, which was adopted in 1998 and became applicable to the United States in 2001, was devised in Europe after it was recognized that some E.U. member states did not have privacy protection, while others had incompatible laws To address this problem, the European Parliament issued the directive so that member states could harmonize their laws, assuring that all states have the same provisions regarding protection of personal data.

The directive's significant feature is that the data subject (i.e., the person from whom data is collected) must unambiguously give consent for personal data to be collected after being informed about the purposes for which the data will be used. Otherwise, the European Union will allow personal data to be collected and processed only if

* the data is necessary for the performance of a contract

*its processing is required by a legal contract

* the data is critical to the person's life -- for example, taking blood from an unconscious person after an accident

* the data is necessary for a public interest, such as collection of taxes

* the controller or third party has a legitimate interest in doing so -- striking a balance between the business interests of the controller and the privacy of the person

However, the European Union expressly prohibits asking for "sensitive information," which is defined as the person's racial or ethnic origin, political opinions, religious beliefs, trade union membership, and sexual preference. Such data cannot be processed unless specific consent has been given. The E.U. directive also applies to invisible collection of personal data, such as "cookies" that collect information on...