220 likes | 341 Views
Globalization and Social Protection:. The Impact of EU and International Rules in the Ratcheting Up of U.S. Privacy Standards By Gregory Shaffer Assistant Professor of Law, University of Wisconsin Law School. Introduction.
E N D
Globalization and Social Protection: The Impact of EU and International Rules in the Ratcheting Up of U.S. Privacy Standards By Gregory Shaffer Assistant Professor of Law, University of Wisconsin Law School
Introduction • Much of the compilation and transfer of personal information that is daily in the US is in Europe illegal • In a globalizing economy, European law also constraints US domestic private policy and practices; in order to avoid EU data transfer restrictions, US businesses implement new internal data privacy practices, oriented at the EU criteria • The article examines the ongoing dispute between the US and the EU over the regulation of data privacy protection Globalization and Social Protection
I. EU Data Privacy Rules and their impact on businessTrading Up in the EU: The Link between Data Privacy Protection and EU Trade Liberalization • The EU Directive was negotiated in the context of the threat of data transfer bans from certain EU Member States with protective data privacy laws to other states with less stringent laws • Goal of protecting individual privacy and ensuring trade liberalization within the EU were inseparable for political reasons • The most powerful states in the EU (Germany and France) demanded greater data privacy protection and so the Directive was made accordingly strict • Art. 1 § 1: “Member States shall protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy...” • Art. 1 §2 : “Member States shall neither restrict nor prohibit the free flow of personal data between Member States for reasons connected with the protection afforded under paragraph 1” • Only by ensuring the protection of fundamental privacy rights could the EU ensure the free transferability of data Globalization and Social Protection
I. EU Data Privacy Rules and their impact on businessRights and Obligations: The EU Directive’s Regulatory Controls over data processing • EU Directive covers all private sector processing of personal data • Ex ante controls, that requires controllers to inform the data subject of the identity of the controller of the data and the purpose of processing • The data can only be used for the specified purpose • Individuals must be informed before personal data are disclosed for the first time to third parties for the purpose of direct marketing • Individuals have a permanent right to access their data and to obtain copies of their records • The EU Directive grants individuals significant enforcement rights • Supervisory authorities are granted significant powers, including the power to investigate processing operations Globalization and Social Protection
I. EU Data Privacy Rules and their impact on businessPrivacy at a Price: The Costs of EU Requirements on European Business Operations • Privacy requirements impose costs on business operating and constraints the sovereignty of private business decision-making • Businesses are required to retain detailed information concerning the data’s use and to respond promptly to all inquiries concerning it • Where informed consent is required, individuals may refuse to grant it • Where individuals withhold consent, businesses seek to obtain information through more costly means (reduced efficiency) • Business forego revenue from data sale to direct marketing companies • The non-negotiability of rights both reduces efficiency and raises equity concerns; the possibility of any cost-benefit analysis is eliminated • Exceptions for concerns such as “public security, defense, State security and the activities of the State in areas of criminal law Globalization and Social Protection
I. EU Data Privacy Rules and their impact on businessExporting Privacy Protection: The EU’s Threat to ban Data Transfers to the US • All data transfer to a third country is prohibited if this country does not ensure an adequate level of protection of data privacy rights • EU internal requirements: processing must be limited to a specific purpose, the purpose must be made known to the individual, the individual must have access to the data and the right to object to its processing • The third-country recipient must be prohibited from transferring the information to countries, that do not afford adequate levels of protection Globalization and Social Protection
II. US Data Privacy Protection: Does it fail to meet the EU Criteria?US Protections against Data Processing by Government • Privacy Act of 1974 as the only federal omnibus act • It applies only to data processing conducted by federal government • The Privacy Act obliges federal agencies to collect information to the greatest extend possible directly from the concerned individuals, to retain only relevant and necessary information, to maintain adequate and complete records, to provide the right of access to review and have their records corrected • Majority of states lack omnibus privacy acts and offer instead scattered statutes applying to specific sectors or concerns Globalization and Social Protection
II. US Data Privacy Protection: Does it fail to meet the EU Criteria?US Protections against Data Processing by the Private Sector • US provides no generalized protection to individuals • Congress has limited federal privacy protection to discrete sectors and concerns • It may be adequate under EU standards in some sectors, but it was sought inadequate in most • Enterprises can freely compile, mix, match, buy and sell data • Individuals have little or no protection in unregulated sectors • US regulation of the private sector largely depends on industry norms and individual company policies • In the context of the EU-US negotiations these self-regulatory schemes remain voluntary, unenforceable and often ignored by the companies Globalization and Social Protection
II. US Data Privacy Protection: Does it fail to meet the EU Criteria?Problems with the Public-Private Distinction • As the importance of large private actors increases, it may seem odd that the private sector is subject to less regulation • The traditional distinction, that’s basis lies in liberal political theory has long been critiqued • Legal realists have long cast doubt on workability of the public-private distinction, given that so many private entities provide public functions Globalization and Social Protection
II. US Data Privacy Protection: Does it fail to meet the EU Criteria?Alternative Institutions: The Interaction of US Markets, Legislatures and Courts in Regulating Private Sector Use of Personal Data • Role of Markets: markets can be powerful regulators as companies value their reputation; by enhancing their privacy protection policies, companies can improve their market position compared to competitors • Role of Legislation: legislation creates default rules around which bargaining can take place; but US legislation has yet to change, because of problems concerning lobbying • Role of Courts: can complete market and legislative measures, but there are limits to relying on courts, because their resources are limited and needed for other purposes Globalization and Social Protection
II. US Data Privacy Protection: Does it fail to meet the EU Criteria?The limits of Single jurisdiction analysis: The need to account for Transnational Institutional Independence • Single jurisdictional analysis fails to account for the dynamics of regulatory change in a globalizing economy • US businesses are pressed to modify their data privacy practices from multiple directions, as we live in a time where it is less and less accurate to think solely in terms of national regulation and institution • Countries that trade goods can also import standards and procedures Globalization and Social Protection
III.The Transatlantic Context: Managing the Conflict over PrivacyPooling Sovereignty to Bolster Market Power: The Role of the EU market • EU is US’ largest trading partner and the site of most US foreign investment (1997: US exported $ 253.6 billion, imp. $ 270.3 billion) • EU market power provides its officials with considerable bargain leverage over privacy issues • In trading negotiating authority to the EU the member states have been able to speak with a single, more powerful voice • It is because that EU and US laws are not sufficiently harmonized that the EU can potentially block data transfer to the US Globalization and Social Protection
III.The Transatlantic Context: Managing the Conflict over PrivacyPublic and Private: The multiple means to restrict data transfer to the US • EU member states are instructed to ban all data transfers to countries that fail to ensure adequate data privacy protection • Determination can be limited to certain economic sectors, types of information or operations • Authorities can independently fine individual companies and enjoin them from transferring data; company officials can be imprisoned • Individuals can sue companies for damages before member state courts Globalization and Social Protection
III.The Transatlantic Context: Managing the Conflict over PrivacyConflict Management: US-EU Negotiations over Adequacy • Pressure from US firms make negotiations to a high profile issue for US administration • US commerce officials defend US practices, critiquing EU as bureaucrats • US officials prompt businesses to create “self-regulatory” • US proposes that both agree to a set of core data privacy protection Globalization and Social Protection
IV. The supranational Context: The Constraints of International Trade RulesWTO constraints on the European Union • There are arguably some protectionist motives behind the EU Directive, as US businesses are more advanced in the use of IT than EU companies might be • As personal data is a non-standardized product, it is seen as a service and its transfer should be covered under GATS (General Agreement on Trade in Services) • EU is obliged to treat US service providers no less favorably than EU service providers and to apply its domestic regulation in a “reasonable manner” Globalization and Social Protection
IV. The supranational Context: The Constraints of International Trade RulesWhy the US should not prevail • The EU Directive applies equally to transfers to all countries and thus should not violate the GATS most-favored-nations clause • EU has a legitimate public policy objective - to protect the privacy of EU residents • WTO panel will be wary of engaging in a delicate balancing of trade and privacy interests Globalization and Social Protection
IV. The supranational Context: The Constraints of International Trade RulesThe EU Directive Under the WTO’s new Criteria • EU regulation as “extra-jurisdictional” in its focus • Author compares it with a Asian Shrimp-Turtle Case • Conclusion: EU application of the Directive should meet theses Appellate Body criteria for permissible extra-jurisdictional measures Globalization and Social Protection
IV. The supranational Context: The Constraints of International Trade RulesReinforcing a Trading Up:WTO Rules as an EU Shield • WTO supranational trade rules offer the US only a limited check on the EU’s Directive’ application • Constraining EU’s ability to discriminate US companies • WTO rules do not relieve the pressure on the US to raise its standards Globalization and Social Protection
V. The EU Directive’s Extra-Jurisdictional effects in the US Enhanced US Regulatory Efforts • US administration is divided over data privacy issues • Department of Commerce has advocated a more market-based approach. Businesses should do self-regulation, EU Directive as a over-reliance on “big government” • Clinton administration and the FTC, the independent federal agency promote legislation to expand data privacy protection • Commerce: “Safe Harbor Principles” as self regulation in 1998 • EU has so far rejected the US proposals as inadequate • EU Directive has not only shaped the US baseline rules, it has spurred new institutional developments Globalization and Social Protection
V. The EU Directive’s Extra-Jurisdictional effects in the US An opportunity for public advocacy groups and public service providers • Data privacy advocates have attempted to use the US Directive to challenge lax business practices in the US • The Role of privacy advocates: “Repeat players” in ongoing negotiations over US data privacy rules; they believe that individuals must be able top control the commercial use of their data; they jumped on the opportunity to pressure the Department of Commerce to make its Safe Harbor Principles more stringent • The Role of Privacy Service Providers: EU Directive fosters the creation of a new service industry for the certification and monitoring of self-regulatory programs; Accountants have created a program entitled CPA WebTrust; also the development of new technology, that protects privacy interests is stimulated Globalization and Social Protection
V. The EU Directive’s Extra-Jurisdictional effects in the US Business Reaction to EU Pressures for privacy protection • US businesses have vehemently objected the EU data privacy demands • They lobby governmental representatives to leave this issue to self-regulation, so businesses are pressed to raise their internal standards • Commerce Safe Harbor Principles: On one hand the negotiations with the EU are strongly supported, because they protect businesses from EU data transfer restrictions, on the other hand businesses fear that these principle lead to more expensive data requirements in the US • Intra-European transfer should be subject to Directive, EU-US transfer, however, subject to the principles • In the US higher litigation risk, in Europe punishment more modest • Once US businesses adopt internal data privacy policies to avoid EU restriction, they subject themselves to potential FTC enforcement proceeding for failure to comply with proclaimed policies (spill-over effects) Globalization and Social Protection
VI. Conclusion • US-EU dispute is a story of foreign political pressure backed by foreign market power: • US businesses demand foreign market liberalization in order to exploit foreign markets • EU data privacy laws as luxury good consumed by EU citizens • EU privacy laws must affect foreign as well as domestic practices if they should accomplish their goals • EU Member States use their market power to satisfy their citizens’ demands and they increase their power in acting collectively • Supranational rules do not significantly constrain the EU’s application of its data privacy laws Globalization and Social Protection