One premise shaping the debate about privacy law in the United States is that the European Data Protection Directive is a more advanced model. A headline in the Government Computer News of October 26, 1998 reads “Europeans Lead U.S. in Data Protection Policies.” Under Europe’s Data Protection Directive, the United States is considered to have inadequate protection for personal information, such as transactional data that companies might keep on consumer transactions. This finding touched off lengthy negotiations between Europe’s guardians of data and the U.S. Department of Commerce, to determine whether and when U.S. companies could store information about their clients, employees, and customers in Europe.
But why is the U.S. regime considered unacceptable? Should it be? This paper revisits that question, comparing the European approach to privacy with that of the United States, with particular attention to financial services.
The paper begins by outlining the Data Protection Directive, its history and many exemptions. Next, it explores privacy laws in the United States, identifying a key similarity between data protection and the 1974 Privacy Act — both attempt to restrain the danger of the growth of government databases, but neither strikes at the heart of the government’s power to tax or to control the criminal justice system. The paper goes on to assess the potential of a model of limited government to provide better protection for human rights than the data protection model. Finally, the paper assesses whether it is useful or beneficial to restrict the uses of data in the private sector, touching on economic and philosophical arguments.
In the end, restricting the uses of data in the financial services sector along European lines will severely damage the innovation economy without restricting dangers to human rights. The freedom of information is the sounder default rule.
The basic ground rules for privacy for members of the European Union are laid down in the European Union Data Protection Directive (95/46/EC). The Data Protection Directive applies to both electronic and old-fashioned paper filing systems, including (obviously) financial services. The “data” covered by the directive is information about an individual that somehow identifies the individual, by name or otherwise. Each national government will implement the directive in its own way.
The Data Protection Directive begins by laying down basic privacy principles, starting with the idea that information should be collected for specific, legitimate purposes only, and be stored in individually identifiable form no longer than necessary.
The directive goes on to create specific rights for the person the information concerns — the “data subject.” The entity collecting the information must give the data subject notice explaining who is collecting the data, who will ultimately have access to it, and why the data is being collected. The data subject also is given the right to access and correct the data. Financial data is not treated in any special way by the Data Protection Directive, but is governed by these general principles.
The rules are stricter for companies that want to use data in direct marketing, or to transfer the data for other companies to use in direct marketing. The data subject must be explicitly informed of these plans and given the chance to object.
Stricter rules also govern sensitive information relating to racial and ethnic background, political affiliation, religious or philosophical beliefs, trade-union membership, sexual preferences, and health. To collect this information the data subject must give explicit consent. The law admits several exceptions, including exemptions for employment contracts, non-profits, or the legal system.