Question: The European Union Data Protection Directive (B)

In 1995 the European Union enacted a Directive on Data Protection (95/46/EC) to protect the privacy of EU residents when using the Internet, telecommunications, and various commercial transactions (PII). The Directive protected personally identifiable information, defined as any information that pertains to an "identified or identifiable natural person." The Directive covered persons for data transferred within the EU and between the EU and outside countries. Those countries entered into agreements with the EU or adopted the Directive as their own law. The United States had very limited government regulation of online privacy relying on self-regulation and had negotiated a voluntary US-EU Safe Harbor agreement with the EU. The Directive was generally viewed as successful in protecting the privacy of EU residents, and the safe harbor agreement was also viewed as generally successful. By 2009 changes in technology and innovations had exposed shortcomings in the Directive.

The growth of e-commerce, the widespread use of GPS devices, the spread of mobile communications and wireless broadband, and cloud computing raised new issues some of which were in gray areas of the Directive. GPS devices, for example, gave location information which represented PII. Innovations such as social media, Internet search and advertising, and instant messaging also raised new issues. Moreover, identity theft, hacking, and terrorism raised security concerns that extended beyond personal information. Under the Directive the EU had been dealing with issues as they arose. For example, in 2011 Google was said to have violated EU law by maintaining a registry of residential Wi-Fi routers that could identify the location of cellphones and owners within range of the routers. Google conceded stating, "At the request of several European data protection authorities, we are building an opt-out service that will allow an access point owner to opt out from Google's location service. Once opted out, our services will not use that access point to determine users' locations."63 Google planned to offer the opt-out service worldwide. Similarly, the EU did not have an explicit rule about personal information processed through cloud computing, and since the processing could take place anywhere in the world, concerns were raised. In response Amazon established a data center in Dublin to host cloud computing.64 Microsoft had also established a data center in the EU for cloud computing. The EU embarked on the process of modernizing the Directive led by commissioner Viviane Reding of the DG for Justice, Fundamental Rights and Citizenship (JUST). A new Directive would have to be approved by both the Council of Ministers and the European Parliament. The Treaty of Lisbon had officially incorporated the Charter of Fundamental Rights as part of the EU treaties. The Charter established a right of privacy that was implemented by the Directive and could require broader protections. Reding pledged to "strengthen individuals' rights and enhance the Internal Market dimension of data protection" and to "ensure consumers of surfing and shopping online without worrying about the safety of their personal information." She also said, "Data should be collected and processed only under informed consent of a person to whom they relate."65

The implementation of the 1995 Directive differed across the member states, and JUST sought better harmonization of procedures. The modernization of the Directive could have broad ramifications for e-commerce, social media, and mobile communications companies. For example, the implementation of the present directive required storage of data for no longer than required for the purpose of the communication or transaction, and the EU had reached agreements with companies such as Microsoft and Google about data retention.66 JUST was considering a new "right to be forgotten" that would allow a person to remove the data that was stored by a company and a "right of portability" that would allow persons to move all of their personal content from one website to another. The latter would 63New York Times, September 14, 2011. 64International Herald Tribune, July 25, 2011. 65Viviane Reding, Press Release, September 22, 2010. reduce switching costs and make lock-in harder to achieve, whereas the former could limit the ability of websites to develop and maintain information to use for advertising placement.

The United States did not have a right to be forgotten. Marc Rotenberg, executive director of the Electronic Privacy Information Center, said, "As a general matter, companies in the United States don't have to recognize your right to be deleted. They may choose to accommodate you, but they are not required to."67 JUST also was considering measures to clarify the EU's criteria for adequacy of data protection in third countries and to improve standards. A Working Party formed by the Commission and composed of the data commissioners of all the member states called for the EU "to ensure a strict and far reaching general privacy agreement with the United States."68 The Trans Atlantic Consumer Dialogue, composed of 80 consumer groups in Europe and the United States, sent letters to the European Commission and to Congress stating, "There is much the United States could learn from other countries about how to address such challenges and the EU Data Directive provides a very good starting point."69 A US House of Representatives subcommittee held a hearing in September 2011 on "The impact and burden of EU regulation," and witnesses were critical of the EU Directive. Professor Catherine Tucker of the Massachusetts Institute of Technology testified that the effectiveness of advertising fell by 65 percent as a result of the EU's privacy policies.70 The 1995 Directive articulated a number of specific rights: "the right to know who the data controller is, the recipient of the data and the purpose of the processing; the right to have inaccurate data rectified; a right of recourse in the event of unlawful processing; and the right to withhold permission to use data in some circumstances."71

The latter right had been implemented by the provision of "opt out" opportunities. For example, in 2011 the industry association Interactive Advertising Bureau Europe (IAB Europe) had set up an opt out website that allowed individuals not to receive advertisements based on profiling. European consumer and privacy advocacy groups were pushing for an "opt in" requirement before any data could be processed. Kostas Rossoglu of the European Consumers' Organization explained, "We believe that by having consumers opt in, rather than opt out, they will be better protected and informed about what happens with their information."72 Stephan Noller, CEO of nugg.ad of Berlin and head of the policy committee of IAB Europe, disagreed stating that opt out "fits with the needs of today's Internet users. Information is provided contextually where relevant and is instantly available. We use the dynamism and interactivity of the Internet to provide pragmatic privacy control."73 The Working Party of member state data commissioners stated that opt out was inadequate and "Only statements or actions, not mere silence or inaction, constitute valid consent." Reding stated, "Companies must obtain prior consent before individuals' data is used."74 Kimon Zorbas, vice president of IAB Europe observed, "Consumer profiling is basic to any business, not just online business. I am afraid [banning profiling] would kill a significant part of the industry."75

France had introduced a voluntary charter for data protection and urged companies to sign it. Google and Facebook refused to sign. The companies argued that self-regulation was sufficient and that restrictions interfered with their right to freedom of expression. Referring to a right to be forgotten, Kevin Townsend, a UK writer and founding editor of ITsecurity.com, said, "If Google, Facebook, Microsoft and Apple, et al., simply say ‘no', what is the EU going to do? Some of these companies are financially as big or bigger than some EU nations. They could and should be responsible for removing personal data, but they won't do it."76 In November 2011 Commissioner Reding announced that she planned to add to the revised directive proposal an extension of the jurisdiction of EU data protection regulation. She said, "We both believe that companies who direct their services to European consumers should be subject to EU data protection laws. Otherwise they should not be able to do business on our internal market. This also applies to social networks with users in the EU. We have to make sure that they comply with EU law and that EU law is enforced, even if it is based in a third country and even if its data are stored in a ‘cloud'."77 This would have implications for the safe harbor agreement and more importantly for how foreign companies with users and customers in the EU conduct their businesses. The extended jurisdiction would also pose enforcement challenges.

1. What in electronic commerce is included in the EU's "personal information"?

2. Is opt in an appropriate granted right? What are its implications for electronic commerce? Should Google and Facebook support a right to be forgotten?

3. As Google would you useopt in worldwide for location services if the new Data Protection Directive required its use in the EU?

4. As Facebook would you support or oppose a US-EU agreement requiring the use of opt in for any processing of personal data of EU residents? Is there another alternative?

5. What are the implications of Commissioner Reding's proposed extension of EU jurisdiction?

6. Should companies oppose the establishment of a right to be forgotten?

7. Should the leading Internet companies join together to addresses the EU's modernization of the Data Protection Directive?