BY: ELLIOT WEISS
October 24, 1995 marked the official publication of Directive 95/46/EC of the European Parliament, a regulatory framework for the protection of individuals with regard to the processing of personal data and the free movement of such data. The regulatory text under directive (30) provides, “whereas, in order to be lawful, the processing of personal data must be carried out with the consent of the data subject or be necessary for the conclusion or performance of a contract binding on the data subject.”[1. University of Iowa, Common Position (EC) Adopted by the Council on February 20, 1995 with A View to Adopting Directive 94/ / EC of the European Parliament and the Council on the Protection of Individuals with Regard to the Processing of Per, 80 Iowa L. Rev. 697, 703 (1995).] The European Union Data Protection and Privacy Directives have issued additional regulations over the years, such as Directive 2009/136/EC. This directive, often referred to as “The Cookie Directive,” requires that first- or third-party cookie dropping for advertising or retargeting purposes provide a higher degree of transparency, disclosure and opportunity to opt out.[2. Peter F. McLaughlin, Complying with the EU Cookie Directive for Email Communications, 17 No. 5 Cyberspace Law. 23 (2012).]
Since 1995, the two primary requirements of the European Union Data Protection and Privacy Directives have been transparency and consent. Corporations must obtain the prior consent of website users in order to use and exchange their personal data.[3. Eric Pfanner & Kevin J. O’Brien, European Privacy Regulators Warn Google on Data-Gathering Policies, N.Y. Times, October 17, 2012, at B1.] Experts have recommended to companies such as Facebook, Google and other data processors that their privacy policies include explanations of how users can control the storage of and access to cookies on their devices, specifically by referring users to their browser interfaces for further information. To act in accordance with the European Union directives, it has been recommended that companies provide users with links, user-friendly directions and a mechanism for refusing to make their personal data available.
Established in October 1995, the Article 29 Data Protection Working Party is an independent government advisory body on privacy, whose recent work has focused on search engine operators.[4. Paul M. Schwartz & Daniel J. Solove, The PII Problem: Privacy and A New Concept of Personally Identifiable Information, 86 N.Y.U. L. Rev. 1814, 1883 (2011).] Because the Data Protection Directive applies to businesses established in the European Union, application of the regulation to multinational corporations is not clear. In June of 2012, the European data protection authorities adopted a working document entitled Binding Corporate Rules for Processors, issued by the Article 29 Data Protection Working Party.[5. Overview on Binding Corporate Rules, European Commission (Oct. 19, 2012), available at http://ec.europa.eu/justice/data-protection/document/international-transfers/binding-corporate-rules/index_en.htm.] The Binding Corporate Rules (“BCR”) are internal rules that apply to the entities of a multinational company. These rules contain key legal principles covering the transfer of personal data from the European Union. BCR are internal codes of conduct covering data privacy and security. They are designed to assure clients of data processors that transfers made in relation to the performance of service agreements are adequately framed and protected in accordance with European Union protection laws.[6. Id.] The Article 29 Working Party provides a checklist describing the conditions that must be met in order for a multinational data processor company to properly acquire and transfer client data under its third-party agreements.[7. Id.]
Kamaal Zaidi’s piece, Harmonizing U.S.-EU Online Privacy Laws: Towards a U.S. Comprehensive Regime for the Protection of Personal Data, contrasts the European Union’s approach to data protection with that of the United States.[8. Kamaal Zaidi, Harmonizing U.S.-EU Online Privacy Laws: Toward A U.S. Comprehensive Regime for the Protection of Personal Data, 12 Mich. St. J. Int’l L. 169 (2003).] Zaidi sets forth the premise that “privacy regimes among various nations exist in either a comprehensive or sectoral fashion.”[9. Id. at 171.] Under Directive 95/46/EC, the European Union employs a comprehensive approach, which requires all member states to implement adequate protection of personal data used in commercial transactions. In contrast, the U.S. employs a sectoral approach that involves fewer privacy protections.[10. Id. at 171.] This distinction means that U.S. companies engaging in online commerce with the European Union will face increasingly demanding compliance standards. If a U.S. company fails to meet these standards, penalties can be imposed in the form of legal enforcement action.