Testimony
of
Joel R. Reidenberg
Professor of Law and Director of the Graduate Program
Fordham University School of Law
140 West 62nd Street
New York, NY 10023
Tel: 212-636-6843

Email: <reidenberg@sprynet.com>
Web: <http://reidenberg.home.sprynet.com>


before the 

Subcommittee on Commerce, Trade and Consumer Protection
Committee on Energy and Commerce
United States House of Representatives 

Hearing on the EU Data Protection Directive:
Implications for the U.S. Privacy Debate

March 8, 2001

Mr. Chairman and Members of the Committee,
 

I would like to thank you for the invitation to testify and to commend you for convening this hearing on the European Union’s Data Privacy Directive.My name is Joel Reidenberg.I am a Professor of Law and the Director of the Graduate Program at Fordham University School of Law.As an academic, I have written and lectured extensively on data privacy issues and have co-authored two books related to today’s hearing.[1]I am a former chair of the Association of American Law School’s Section on Defamation and Privacy and have also served as an expert advisor on data privacy issues for the European Commission, the U.S. Federal Trade Commission and, during the 103rd and 104th U.S. Congresses, the Office of Technology Assessment. I appear today as a scholar on data privacy law and policy and do not represent the views of any organization with which I have had affiliations.
 

My testimony will focus on four points: (1) the philosophy and content of the EU Data Protection Directive, (2) the implications of the European Directive for US privacy policy, (3) the false hope of the US-EU safe harbor agreement, and (4) recommendations for Congressional action.[2]


 
 

1. The EU Data Protection Directive


 

a)  Background and Underlying Philosophy of European Data Protection
 

While there is a consensus among democratic states that information privacy is a critical element of civil society, the United States has, in recent years, left the protection of privacy to markets rather than law.In contrast, Europe treats privacy as a political imperative anchored in fundamental human rights.European democracies approach information privacy from the perspective of social protection.In European democracies,public liberty derives from the community of individuals and law is the fundamental basis to pursue norms of social and citizen protection.This vision of governance generally regards the state as the necessary player to frame the social community in which individuals develop and information practices must serve individual identity.Citizen autonomy, in this view, effectively depends on a backdrop of legal rights.Law, thus, enshrines prophylactic protection through comprehensive rights and responsibilities.Indeed, citizens trust government more than the private sector with personal information.
 

In this context, European democracies approach data protection as an element of public law.Since the 1970s, European countries have enacted comprehensive data privacy statutes.Under the European approach, cross-sectoral legislation guarantees a broad set of rights to assure the fair treatment of personal information and the protection of citizens.In general, European data protection laws define each citizen’s basic legal right to “information self-determination.”This European premise of self-determination puts the citizen in control of the collection and use of personal information.The approach imposes responsibilities on data processors in connection with the acquisition, storage, use and disclosure of personal information and, at the same time, accords citizens the right to consent to the processing of their personal information and the right to access stored personal data and have errors corrected.Rather than accord pre-eminence to business interests, the European approach seeks to strike a balance and provide for a high level of protection for citizens.
 


 

b) Adoption of the Directive
 

As data protection laws proliferated across Europe during the 1980s, there were significant divergences among those laws and harmonization became an important goal for Europe.[3]In 1995, following the Maastricht Treaty of European Union, the European Union adopted Directive 95/46/EC of the European Parliament and of the Council of 24 Oct. 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data[4][the “European Directive”] to harmonize the existing national laws within the European Union.The European Directive soughtto assure that all Member States provided satisfactory privacy protection and to assure the free flow of personal information across Europe through the respect of basic, standardized protections.
 

Under European Union law, a “directive” creates an obligation on each Member State to enact national legislation implementing standards that conform to those defined in the directive.The European Directive requires that national law protect all information about an identified or identifiable individual whether or not the data is publicly available.The European Directive requires that an individual’s consent be obtained prior to processing personal information for purposes other than those contemplated by the original data collection.The European Directive allows Member States to further restrict the processing of defined “sensitive” data such as health information.[5]The European Directive restricts the collection and use of personal information not relevant for the stated purpose of processing.The processing of personal information must be transparent with notice provided to individuals for the treatment of their personal information.Organizations processing personal information must provide the data subjects with access to their personal information and must correct errors.The European Directive further requires that organizations maintain appropriate security for the processing of personal information.
 

For global information networks and electronic commerce, the comprehensive approach inevitably invokes some tension. Without the statutory authority to restrict

transborder data flows, the balance of citizens' rights in Europe could easily be compromised by the circumvention of Europe for processing activities. Consequently, the European Directive includes two provisions to assure that personal information of European origin will be treated with European standards.A choice of law clause in the European Directive assures that the standards of the local state applies to activities within its jurisdiction and a transborder data flow provision prohibits the transfer of personal information to countries that do not have "adequate" privacy protection.[6]

 

In terms of enforcement, each Member State must maintain an independent, national supervisory authority for oversight and enforcement ofthese privacy protections.[7]Significantly, the European Directive also mandates that Member State law require any person processing personal information to notify the national supervisory authority and the supervisory authority must keep a public register of data processors.[8]
 

c) Implementation Issues
 

The European Directive provided a transition period through October 1998 for Member States to transpose the standards into national law.However, as is not uncommon in the European system, nine Member States failed to comply strictly with the deadline.By January 2000, the European Commission began proceedings before the European Court of Justice against France, Germany, Ireland, Luxembourg, and the Netherlands for their delays in transposition.Although each of these countries had strong, existing data protection statutes, the European Commission argued that not all of the standards contained in the European Directive were satisfactorily addressed in the national laws.At present, proceedings before the European Court of Justice continue against France, Germany, and Luxembourg.
 

Notwithstanding the transposition delays, the harmonization achieved by the European Directive is significant, but does not remove all divergences and ambiguities in the European national laws..[9]By and large, the European Directive creates a strong baseline of protection across Europe.But, small divergences andambiguity will inevitably exist where the principles must be interpreted by different supervisory agencies in each of the Member States.These remaining divergences in standards can pose significant obstacles for the complex information processing arrangements typical in electronic commerce.For example, the European Directive requires that privacy rights attach to information about any “identifiable person”.[10]Yet, the scope of this definition is not the sameacross the Member States; what some Member States consider "identifiable" others do not.[11]Similarly, the disclosures that must be made to individuals prior to data collection may still vary within Europe.[12]These differences can distort the ability and desirability of performing processing operations in various Member States since potentially conflicting requirements might apply to cross-border processing of personal information.
 

The effect of this challenge to comprehensive standards is, however,mitigated by consensus building options and extra-legal policy instruments that are available in the European system.The European Directive creates a “working party” of the Member States’ national supervisory authorities.[13]The Working Party offers a formal channel for data protection officials to consult each other and to reach consensus on critical interpretive questions.


 

Compliance with the national laws has also been an issue in Europe.The notice and registration requirements, in particular, appear to have a spotty reception.One study conducted for the European Commission questioned whether data processors were adequately notifying their treatment of personal information to the national supervisory authorities[14] and a recent study by Consumers International found that European web sites were not routinely informing web users of their use of personal information.[15]Nonetheless, the existence of the national laws and the penalties do allow for enforcement actions to be taken in these cases of non-compliance.
 


 
 

2. Implications for the United States


 
 

The European Directive exerts significant pressure on U.S. information rights, practices and policies.The Directive facilitates a single information market place within Europe through a harmonized set of rules,but also forces scrutiny of US data privacy.In this context, the lack of legal protection for privacy in the United States threatens the flow ofpersonal information from Europe to the United States.At the same time, the EU Directive is having an important influence on privacy protection around the world and leaves Americans with legal protections as second class citizens in the global marketplace.
 

a) The Harmonized European Market Place
 

Despite implementation divergences, the overall harmonization effect of the European Directive creates a common set of rules for the information market place in Europe.Companies operating within the European Union have the benefit of common standards across the Member States rather than 15 diverse sets of conflicting national rules.This creates a large, level playing field for the treatment of personal information in Europe.With a high level of legal protection available on a cross-sectoral basis, Europeans do not face the same privacy obstacles for ecommerce that currentlythreaten the American experience.The culture of legal protection in Europe provides European companies with a competitive privacy advantage doing business in Europe over the many American companies that are unaccustomed to applying fair information practices to personal information.
 

b) Scrutiny of US Data Privacy and European Export Prohibitions
 

The European Directive requires the national supervisory authorities in each of the Member States and the European Commission to make comparisons between European data protection principles and foreign standards of fair information practice.[16]The European Directive further requires that foreign standards of fair information practice be "adequate" in order to permit transfers of personal information to the foreign destination.[17]
 

For the United States, this means that both national supervisory authorities and the European Commission must assess the level of protection offered in the United States to data of European origin.Because the United States lacks directly comparable, comprehensive data protection legislation, the assessment of "adequacy" is necessarily complex.The European Commission and national supervisory authorities recognize that the context of information processing must be considered to make any determination of “adequacy.”
 

Under the European Directive, the national data protection supervisory authorities and the European Commission must report to each other the non-European countries that do not provide adequate protection.This bifurcated assessment of foreign standards means that intra-European politics can play a significant role in the evaluation of US data practices.While a European level decision is supposed to apply in each Member State, the national supervisory authorities are independent agencies and will still have a degree of interpretive power over any individual case.
 

The end result for the United States and for American companies is that US corporate information practices are under scrutiny in Europe and under threat of disruption when fair information processing standards are not applied to protect European data.Some commentators have predicted that any European export prohibition might spark a trade war that Europe could lose before the new World Trade Organization.[18]While, in theory, such a situation is possible, an adverse WTO ruling is unlikely.[19]
 

c) International Influence of the EU Directive
 

Even with the difficulties of the European approach, countries elsewhere are looking at the European Directive as the basic model for information privacy, and

significant legislative movements toward European-style data protection exist in Canada, South America, and Eastern Europe.[20]This movement can be attributed
partly to the pressure from Europe arising from scrutiny of the adequacy of foreign privacy rights, but is also due in part to the conceptual appeal of a
comprehensive set of data protection standards.In effect, Europe through the European Directive has displaced the role that the United States held since the famous Warren and Brandeis article[21] in setting the global privacy agenda.

 

d) Second Class Privacy for US Citizens
 

With the imposition by the European Directive both of harmonized European legal requirements for the fair treatment of personal information and of limitations on transborder data flows outside of Europe, U.S. companies recognize that they will have to respect European legal mandates.Unless American companies doing business in Europe chose to flout European law, US multinational businesses must provide stringent privacy protections to data of European origin when processing that data in Europe or in the United States.
 

Concurrently, American law and practice allows those same companies to provide far less protection, if any, to data about American citizens.This is a particularly troubling aspect of US opposition to the European Directive’s standards.American companies will either provide Europeans with better protection than they provide to Americans or they will treat Americans in accordance with the higher foreign standards and disadvantages those citizens doing business with local US companies.
 

In effect, the proliferation of European style data protection measures around the world means increasingly that American citizens will be left with second class privacy in the United States and afforded greater privacy protection against American companies outside US borders.
 

3. The False Hopes ofthe US-EU Safe Harbor Agreement




In response to the risk that Europe would block data flows to the United States, the Department of Commerce entered into negotiations with the European Commission tocreate a ‘safe harbor’ agreement that would assure Europe of the adequacy of protection for data processed by US businesses.In the absence of statutory protection in the United States, the concept was that the European Commission would endorse a voluntary code of conduct that would meet the “adequacy” standard.American businesses could then publicly commit to adhere to this code for the treatment of European origin data and be assured of uninterrupted data flows from Europe.
 

The lengthy and troubled negotiations on the code began in 1998 between the Department of Commerce and the European Commission.Toward the end of the negotiations, several of the particularly difficult issues were the existence of a public commitment for companies adhering to the code, the access rights and enforcement in the United States.A final set of documents including an exchange of letters, the Safe Harbor Privacy Principles, Frequently Asked Questions setting out interpretative understandings of the principles, and various annexes and representations made to the European Commission by the Department of Commerce and the Federal Trade Commission (collectively the“Safe Harbor”) was released in July 2000[22] and approved by the European Commission.[23]

While the approval was an important short-term political victory for both the US and the European Commission, the safe harbor agreement is unworkable for both sides and will not alleviate the issues of weak American privacy protection.

 

a) The Political Dimension
 

For the European side, the United States posed a major problem.American law did not provide comparable protections to European standards and fair information practices in the United States were rather spotty.Yet, European regulators did not want to cause a disruption in international data flows.The prospect of change in US law seemed remote and the European Commission would have serious political difficulty insisting on an enforcement action against data processing in the United States prior to the full implementation of the European Directive within the European Union.Similarly, an aggressive enforcement strategy by a national supervisory authority while transposition remained incomplete could have hampered the national legislative debates on transposition.The Safe Harbor offered a mechanism to delay facing tough decisions about international privacy and, in the meantime, hopefully advance US privacy protections for European data.
 

On the US side, the Department of Commerce faced strong pressure fromthe American business community to block the European Directive.The United States was not prepared to respond to the Directive with new privacy rights and the United States wanted to prevent interruptions in transborder data flows.The Safe Harbor became a mechanism to avoid a showdown judgment on the status of American law and defer action against any American companies.
 

As such, the acceptance in July 2000 of the Safe Harbor by the European Union was a transitory political success.
 

b) The Dubious Legality of Safe Harbor
 

In the United States, however, the Safe Harbor faces a serious jurisdictional obstacle to its enforcement—one of the key European criteria for acceptance.The Department of Commerce issued the Safe Harbor documents “to foster, promote, and develop international commerce.”[24]The agreement is predicated on the enforcement powers of the Federal Trade Commission under Section 5 of the Federal Trade Commission Act.[25]Indeed, as part of the negotiations, the Federal Trade Commission represented to the European Commission thatit “will give priority to referrals of non-compliance with safe harbor principles from EU member states.”[26]Yet, the underlying legal authority of the FTC to enforce the Safe Harbor is questionable.
 

As originally enacted by the Federal Trade Commission Act in 1914, Section 5 applied only to unfair methods of competition.[27]Jurisdiction over any “unfair or deceptive act or practice” was extended to the FTC by the Wheeler-Lea Act of 1938.[28]The stated Congressional purpose was to enable the FTC to “restrain unfair and deceptive acts and practices which deceive and defraud the public generally.”[29]Indeed, contrary to the purpose of the Safe Harbor that protects US business interests in international trade, the Wheeler-Lea Act amendments sought to protect the general public from unscrupulous business practices.In fact, at the time of the enactment, the FTC’s jurisdiction expressly excluded foreign commerce not to mention the protection of foreign consumers as envisioned by Safe Harbor.
 

While the McGuire Resale Price Maintenance Act of 1952[30] expanded FTC jurisdiction into foreign commerce with respect to monopolistic pricing,the U.S. Supreme Court had specifically held that only Congressional amendments could expand the scope of the FTC’s authority under Section 5.[31]In Bunte Bros. v. FTC, the Commission unsuccessfully sought an expansion of its interstate commerce authority in the context of anti-trust enforcement.[32]Congress eventually responded with the Magnuson-Moss Warranty -- Federal Trade Commission ImprovementAct of 1975[33] that was, according to the Senate Conference Report, designed “to improve [the FTC’s] consumer protection activities.”[34]The 1975 amendments extended the jurisdiction to acts and practices “in or affecting commerce,” but at no time contemplated protecting American business interests or foreign consumers. 
 

Hence, the assertion by the Department of Commerce and the FTC that the Safe Harbor comes within the Section 5 jurisdiction is a radical departure from the stated legislative purposes of the statute and in direct opposition to the Supreme Court’s restrictive interpretation of Section 5 authority.
 

Within Europe, the legality ofSafe Harbor is also open to question.Under the European Directive, “adequacy” must be assesed in light of the prevailing “rules of law, both general and sectoral, in force in the third country in question and the professional rules and security measures which are complied with in that country.”[35]However, the Safe Harbor was not yet in existence at the time of the approval by the European Commission.The European Parliament specifically noted this problem shortly before the approval by the European Commission.[36]Similarly, according to the European Directive, the European Commission only has authority to enter into negotiations to remedy the absence of “adequate” protection after a formal finding that the non-European country fails to provide “adequate” protection.[37]Yet, in the context of the Safe Harbor negotiations, the European Commission never made a formal finding.[38]These would appear to be significant administrative law defects.Although the European Commission maintains that the European Parliament did not say that the Commission acted outside its powers and the Member States voted unanimously in the political committee to accept the Safe Harbor,[39] this administrative process problem remains an open question that only the European Court of Justice can resolve and gives the independent national supervisory authorities grounds to vitiate Safe Harbor through strict interpretations of the European Commission’s ruling.
 

In addition, the European Parliament pointed out:
 

“the risk that the exchange of letters between the Commission and the US Department of Commerce on the implementation of the 'safe harbour' principles could be interpreted by the European and/or United States judicial authorities as having the substance of an international agreement adopted in breach of Article 300 of the Treaty establishing the European Community and the requirement to seek Parliament's assent (Judgment of the Court of Justice of 9 August 1994: French Republic v. the Commission -- Agreement between the Commission and the United States regarding the application of their competition laws (Case C-327/91))”[40]
 

b) The Limited Applicability
 

Notwithstanding the validity in either legal system, the scope of the Safe Harbor is very narrow.First, Safe Harbor by its terms can only apply to activities and U.S. organizations that fall within the regulatory jurisdiction of the FTC and the Department of Transportation.As a result, many companies and sectors will be ineligible for Safe Harbor including particularly the banking, telecommunications and employment sectors that are expressly excluded from the FTC’s jurisdiction.[41]Second, the Safe Harbor will not apply to most organizations collecting data directly in Europe.Article 4 of the European Directive provides that if a data controller is located outside of the European Union, but uses equipment within the European Union, the law of the place where the equipment is located will be applicable. This provision establishes a choice of law rule that greatly reduces the availability of the Safe Harbor to international business.This provision of the Directive is especially significant in the context of web based businesses where interactive computing means that a European user will always make use of computing resources at the user’s location.The courts of Member States, such as France, have shown in other areas a clear willingness to apply the substantive law of the place where an Internet user is located.[42]Hence, in many cases, particularly in the context of ecommerce, the substantive law of a Member State will apply rather than the Safe Harbor.
 

c) Increased Risk to Non-Safe Harbor Transfers
 

By implication, the Safe Harbor raises the risks for data transfers by companies that do not subscribe to the code.The approval by the European Commission of Safe Harbor as an “adequate” basis to transfer personal information to the United States implicitly acknowledges that transfers outside the scope of the Safe Harbor will not be adequately protected.Consequently, non-Safe Harbor transfers must be covered by one of the other exceptions to the transborder data flow rules, such as a transfer pursuant to a contractual arrangement.[43]
 

Ironically, Safe Harbor simplifies the task for national supervisory authorities to block data flows to the United States.The national agencies will readily be able to identify those US companies that do not subscribe to Safe Harbor and have not presented a data protection contract for approval under the European Directive’s Article 26 exceptions.In such cases, the presumption must be that the protection is “inadequate” and the data flow must, under European law, be prohibited.
 

For the United States, the Safe Harbor approach might, thus, compromise many US businesses in a way that a legislative solution would not.
 

d)   Weakening of European Standards and Illusory Enforcement Mechanisms
 

For the national supervisory authorities in Europe, the Safe Harbor poses a weakening of European standards.[44]In particular, the permissible derogations from Safe Harbor without a loss of coverage are significant.The Safe Harbor exempts public record information despite its ordinary protection under European law.Similarly, the Safe Harbor exempts any processing pursuant to any“conflicting obligation” or “explicit authorization” in US law whether or not such processing would be permissible under European standards.The access standard set out in the Safe Harbor and FAQs also includes derogations that do not exist in European law.
 

Most importantly, however, the Safe Harbor weakens European standards for redress of data privacy violations.Under the European Directive, victims must be able to seek legal recourse and have a damage remedy.[45]The Department of Commerce assured the European Commission that Safe Harbor and the US legal system provided remedies for individual European victims of Safe Harbor violations.The European Commission expressly relied on representations made by the Department of Commerce concerning available damages in American law.[46]The memorandum presented by the Department of Commerce to the European Commission, however, made misleading statements of US law.[47]For example, the memorandum provides a lengthy discussion ofthe privacy torts and indicates that the torts would be available.The memorandum failed to note that the applicability of these tort actions to data processing and information privacy hasnever been established by US courts and is, at present, purely theoretical.Indeed, the memorandum cites the tort for misappropriation of a name or likeness as a viable damage remedy, yet all three of the state courts that have addressed this tort in the context of data privacy have rejected it.[48]The Safe Harbor is also predicated on dispute resolution through seal organizations such as Truste.Yet, only one seal organization, the Entertainment Software Rating Board, proposes any direct remedy to the victim of a breach of a privacy policy and other organizations’ membership lists look like a ‘Who’s Who’ of privacy scandal plagued companies.
 

Lastly, the enforcement provisions of the Safe Harbor rely on the FTC.Even if the FTC has jurisdiction to enforce the Safe Harbor, the assertion that the FTC will give priority to European enforcement actions is hard to believe.First, although the FTC has become active in privacy issues recently, the agency’s record enforcing the Fair Credit Reporting Act, one of the country’s most important fair information practices statutes, is less than aggressive.Second, were the FTC to devote its limited resources to the protection of Europeans’ privacy, Americans should and will be offended that a US government agency charged with protecting American consumers has chosen to commit its energies and US taxpayer money to the protection of European privacy in the United States against US businesses at a higher level than the FTC asserts for the protection of Americans’ privacy.
 

Sadly, though, for many American companies, even these weakened European standards impose substantially greater obligations than US law.In particular, the notice, choice, access and correction requirements are only sporadically found in US law.As a result, pitifully few American companies have subscribed to Safe Harbor;indeed, as of March 7, 2000 fewer than 30 companies have signed up.[49]
 

The upshot of these sui generis standards, unenthusiastic reception and enforcement weaknesses is a likelihood that the national supervisory agencies will be dissatisfied with the Safe Harbor and that the Member States will face great political pressure to suspend the Safe Harbor once transposition is completed.
 

4. Recommendations




The United States is rapidly on the path to becoming the world’s leading privacy rogue nation.Just a cursory examination of the data scandals over the last year and consumer privacy concerns for ecommerce suggest that our national policy of self-regulation will not work to assure public confidence and trust in the treatment of personal information, cannot work to guarantee citizens their political right to freedom of association and privacy, and will leave American businesses at a competitive disadvantage in the global information market place.At a time when Internet growth rates are greater outside the United States and non-US web content is becoming an absolute majority of available Internet content, United States interests are ill-served by avoiding the creation of clear legal privacy rights.


 

Congress needs to act to establish a basic set of legal protections for privacy in the United States.Any such regulation must recognize that technologies will be essential to assure privacy protections in the global environment across divergent sets of rules.In fact, technical decisions are not policy neutral.Technical decisions make privacy rules and, more often than not, these rules in the United States are privacy invasive.For technology to provide effective privacy protection, three conditions must be met: (a) technology respecting fair information practices must exist; (b) these technologies must be deployed; and (c) the implementation of these technologies must have a privacy protecting default configuration.Legal rights in the United States should provide an incentive structure that encourages these developments.


 

In conjunction with the establishment of a legal baseline in the United States, Congress should promote the negotiation of a “General Agreement on Information Privacy” within the World Trade Organization framework.[50]Whether desired or not by various interest groups and countries, the WTO will be unable to avoid confronting international privacy issues as a result of the biennial ministerial conferences and the inevitable trade-in-services agenda.Many of the core differences among nations on the implementation of privacy principles touch upon fundamental governance and sovereignty questions.These types of problems will only be resolved at an international treaty level like the WTO.


[1] Paul Schwartz and Joel R. Reidenberg, Data Privacy Law: A Study of US Data Protection Law and Practice (Michie: 1996); Joel R. Reidenberg and Paul M. Schwartz, Online Services and Data Protection and Privacy: Regulatory Responses (Eur-OP: 1998).These books were prepared with funding from the European Commission for DG XIII and DGXV,respectively.
[2] Parts of this testimony are based on excerpts from three articles that I have published:Resolving Conflicting International Data Privacy Rules in Cyberspace, 52 STANFORD L. REV. 1315 (2000); A Movement toward Obligatory Standards for Fair Information Practices in the United States, in VISIONS FOR PRIVACY IN THE 21st CENTURY, Colin Bennet & Rebecca Grant, eds., (Univ. of Toronto Press: 1999);Restoring Americans' Privacy in Electronic Commerce, 14 BERKELEY TECH. L. J. 771 (1999)
[3] For a discussion of divergences in Member State law related specifically to online services, see Reidenberg & Schwartz, supra note 1.
[4] 1995 O.J. (L281) 31 (Nov. 23, 1995)
[5] For insightful discussions of the flaws in consent as a model of privacy protection, see the series of articles written by Paul Schwartz: Beyond Lessig’s Code for Internet Privacy: Cyberspace Filters, Privacy Control and Fair Information Practices, 2000 Wisc. L. Rev. 743; Internet Privacy and the State, 33 Conn. L. Rev. 815 (2000); Privacy and Democracy in Cyberspace, 52 Vanderbilt L. Rev. 1609 (1999)
[6] See European Directive 95/46/EC, at Art. 4 (choice of law) and Art. 25 (export prohibition).
[7] European Directive 95/46/EC, aArt. 28.
[8]Id., art. 18-19.
[9] For an analysis of these divergences, see Reidenberg & Schwartz, supra note 1; Peter Swire & Robert Litan, None Of Your Business: World Data Flows, Electronic Commerce, And The European Privacy Directive 188-196 (1998)
[10] European Directive 95/46/EC, at art. 2(a).
[11]See Reidenberg & Schwartz, supra note 1, at 124-126.
[12] Reidenberg & Schwartz, supra note 1, at 133-34.
[13]European Directive 95/46/EC, art. 29.
[14] Douwe Korff (ed.), Existing case-law on compliance with data protection laws and principles in the Member States of the European Union, Annex to the Annual Report 1998 of the Working Party Established by Article 29 of Directive 95/46/EC (Eur. Comm: 1998).
[15] Consumers Intenrational, Privacy@Net: An International Comparative Study of Consumer Privacy on the Internet (Jan. 2001).
[16] European Directive 95/46/EC, art. 25
[17] Id.
[18] See PeterSwire & Robert LitanNone Of Your Business: World Data Flows, Electronic Commerce, And The European Privacy Directive 188-196 (1998)
[19] See e.g. Gregory Shaffer, Globalization and Social Protection: The Impact of EU and International
Rules in Ratcheting Up of U.S. Privacy Standards, 25 Yale J. Int'l L. 1, 50 (2000).
[20]See, e.g., Council of Europe, Chart of Signatories and Ratifications <http://www.coe.fr/tablconv/108t.htm>(visited March 31, 1999) (listing countries that have ratified the treaty on data privacy); Industry Canada, Task Force on Electronic Commerce: The International Evolution of Data Protection (Oct. 1, 1998) (visited on March 31, 1999) <http://e?com.ic.gc.ca/english/fastfacts/43d10.htm> (justifying the Canadian proposal for a comprehensive privacy law by reference to the European initiative); Hong Kong, Personal Data (Privacy) Ordinance, Chap. 486 <http://www.pco.org.hk/ord/section_00.html>(Hong Kong statute following European comprehensive model); Hungarian Republic, The First Three Years of the Parliamentary Commissioner for Data Protection and Freedom of Information 68-72 (1998)(discussing the influence of the European Directive for Hungarian data protection law); Pablo Palazzi, Data Protection Materials in Latin American Countries (Dec. 2000) (http://www.ulpiano.com/DataProtection-LA-links.htm) (detailing the emergence of data protection legislation in Latin America.)
[21] See Samuel Warren & Louis Brandeis, The Right of Privacy, 4 Harv. L. Rev.193 (1890)
[22] Dept. of Commerce, Int’l Trade Adm, Notice: Issuance of Safe Harbor Principles and Transmission to European Commission, 65 Fed. Reg. 45665-45686 (July 24, 2000)
[23] Commission Decision of 26 July 2000,Eur. Comm. Doc. 00/520/EC, O.J. L 215 (25/8/2000)
[24] Letter, dated July 21, 2000, from Robert S. LaRussa, Acting Under Secretary for International Trade Administration, U.S. Department of Commerce to John Mogg, Director, DGXV, European Commission <http://www.export.gov/safeharbor/USLETTERFINAL1.htm>
[25] 15 U.S.C. § 45(a)
[26] Letter, dated July 14, 2000, from Robert Pitofsky, Chairman, Federal Trade Commission to John Mogg, Director, DGXV, European Commission.
[27] 15 U.S.C. 45
[28] Ch. 49, 52 Stat. 111 (Mar. 21, 1938)
[29] S. 1077: Report of the Senate Committee on Interstate Commerce, S. Rep. No. 221, 75th Cong., 1st Sess. (March 19, 1937).
[30] Ch. 745, 66 Stat. 632 (July 14, 1952)
[31] Bunte Bros. v. F.T.C., 312 U.S. 349 (1941).
[32] Id.
[33] Pub. L. 93-637, 88 Stat. 2193,§ 201, 15 U.S.C. § 45 (1970 ed., Supp. IV)
[34] Magnuson-Moss-Warranty-Federal Trade Commission Improvement Act, Pub. L. No. 93-637, Senate Conf. Report No. 93-1408 (Dec. 18, 1974)
[35] European Directive 95/46/EC, art. 25(2)
[36] European Parliament Resolution A5-0177/2000 on the Draft Commission Decision on the adequacy of the protection provided by the Safe Harbour Privacy Principles and related Frequently Asked Questions issued by the US Department of Commerce (C5-0280/2000 - 2000/2144(COS)) (July 5, 2000)
[37] European Directive 95/46/EC, art. 25(5).
[38] The procedure for a formal finding is established in European Directive 95/46/EC, art. 25(4).
[39] See Eur. Comm. Press Release: Frits Bolkestein tells Parliament Committee he intends to formally approve "safe harbor" arrangement with US on data protection,July 13, 2000 <http://europa.eu.int/comm/internal_market/en/media/dataprot/news/harbor5.htm>
[40] European Parliament Resolution A5-0177/2000 on the Draft Commission Decision on the adequacy of the protection provided by the Safe Harbour Privacy Principles and related Frequently Asked Questions issued by the US Department of Commerce (C5-0280/2000 - 2000/2144(COS)) (July 5, 2000) , § E(2).
[41] 15 U.S.C. § 45(a)(2)
[42] See e.g.UEJF c. Yahoo!, TGI de Paris, Ord. en référé du 22 nov. 2000.
[43] European Directive 95/46/EC, art. 26.
[44] See Working Party: Opinion 4/2000 on the level of protection provided by the "Safe Harbor Principles", Opinion 4/2000, Eur. Comm. Doc. DG MARKT CA07/434/00 WP 32 (16 May 2000)
[45] European Directive 95/46/EC, art. 22-23
[46] Commission Decision of 26 July 2000,Eur. Comm. Doc. 00/520/EC, O.J. L 215 (25/8/2000), Art. 1(b)
[47] U.S. Dept. of Commerce, Damages for Breaches of Privacy, Legal Authorizations and Mergers and Takeovers in U.S. Law (July 14, 2000)
[48] See Shibley v. Time 45 Ohio App. 2d 69 (1975); Dwyer v. American Express 273 Ill. App. 3d 742 (1995); Avrahami v. U.S. News & World Report, 1996 Va. Cir. LEXIS 518 (1996).
[49] U.S. Dept. of Commerce, Safe Harbor List, http://web.ita.doc.gov/safeharbor/shlist.nsf/webPages/safe+harbor+list (reflecting only 27 certifications)
[50] See Joel R. Reidenberg, Resolving Conflicting International Privacy Rules in Cyberspace, 52 Stanford L. Rev. 1315, 1359-1362 (2000)