NEGOTIATING PRIVACY: THE EUROPEAN UNION, THE UNITED STATES AND PERSONAL DATA PROTECTION

Vol. 16 No.1 (January 2006), pp.53-55

NEGOTIATING PRIVACY: THE EUROPEAN UNION, THE UNITED STATES AND PERSONAL DATA PROTECTION, by Dorothee Heisenberg. Boulder, CO: Lynne Rienner Publishers, Inc., 2005. 211pp. Cloth. $49.95. ISBN: 1-58826-380-0.

Reviewed by Lawrence E. Rothstein, Department of Political Science, University of Rhode Island. Email: LER [at] URI.EDU

NEGOTIATING PRIVACY is a pithy (no lisp intended), little book. It is chock full of information concerning the contents of and procedures used for formulating the Organisation for Economic Co-operation and Development (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data of 1980, the European Data Protection Directive of 1995, the US-EU Safe Harbor Agreement of 2000 and, very briefly, the US-EU Passenger Name Record Agreement of 2004. For those unfamiliar with these documents and their origins, this book provides a good introduction. The main theme of the book, however, is an analysis of the politics that led to the negotiation of the Safe Harbor Agreement and an attempt to answer two questions: Why did the US and the EU disagree on privacy protection? Why, if the Safe Harbor Agreement seems to favor the US position of lesser privacy protection for personal data and a self-regulatory approach, may it be said that the EU is still the global leader in setting data protection standards? Dorothee Heisenberg does answer both of these questions, but, as I shall try to explain, the answers seem to gloss over deeper questions and are not fully convincing.

Both the US and the major EU countries had subscribed to the voluntary basic personal data protection principles of the OECD Guidelines which included many of the elements of the EU Directive to which US businesses and the US Safe Harbor negotiators objected. These common elements were the requirements that personal data held by a company be made available to the data subject, that only the minimum amounts of data, necessary for the stated purpose they were collected, be held, and that data flows to other countries or companies not compliant with the guidelines be prohibited. In any case, few US companies had endorsed the principles despite urging by the Reagan Administration.

Heisenberg notes the fundamental differences in US and EU approaches to data protection. First, the EU Directive, reflecting national practices in Western European countries, particularly France and Germany, mandates a comprehensive national regulatory scheme enforced by a national data protection commissioner. US data protection is piecemeal. Where regulation exists, there are differences between the handling of public and private sectors, state and federal regimes, and particular industries. Each company or agency is charged with enforcing its own guidelines. The EU Directive focuses on direct regulation of the collection and use of personal data, prohibiting “excess” data collection and restricting use to the original and stated [*54] purposes of the collection. Notification to the national authority and to the data subject of the collection and use of the data are required at several stages. The US framework assumes that most data collection and use is both acceptable and beneficial, that guidelines should be primarily voluntary, and that regulation should only address documented instances of abuse. Enforcement in the US depends on the initiation of action by a data subject rather than a government official.

Heisenberg looks at the political processes and effective interests by which the EU Directive and later the EU bargaining position on Safe Harbor were formulated and compares these to each other and to the formulation of the US bargaining position on Safe Harbor. She looks at several public opinion polls from the US and from Europe and concludes that the US and European publics similarly viewed privacy protection as an important government function and therefore that there were no fundamental cultural or historical reasons for the difference in the approaches to the protection of personal data. Rather, the difference could be attributed to the participation of different interest groups. The EU Directive was primarily formulated by a Working Party of privacy experts and particularly the national Data Protection Commissioners in a process that did not include business interest groups because they were already subject to extensive data protection regulation in member countries and because many had not yet recognized the profitable transfer of data made possible by the Internet. The US position on data protection was primarily formulated by business and technology interests under the guidance of the Department of Commerce. By the time of the Safe Harbor negotiations, however, the EU Commission, for whom the Working Party served only in a marginal advisory role, was more attentive to the demands of European business interests anxious to avoid stopping the lucrative flow of data between the EU and the US.

Here it seems to me that Heisenberg’s conclusion indicates a failure to probe the differences behind the interest group line-ups. There are fundamental historical and cultural reasons behind these differences, particularly if one looks at political and legal culture, not simply public opinion. Western European countries, such as France and Germany, which incidentally have no direct equivalent of the English word ‘privacy,’ have regulated the processing of personal data by both public and private entities under the rubrics of ‘human dignity’ and ‘liberty’ since the 1970s and these efforts have been furthered by the courts. The French have had a national regulatory commission in place since 1978. Secondly, US political culture seems to be more dependent on the financial contributions of business interests, and therefore more responsive to these interests, than the Western European political culture of parliamentary systems, multiple parties and limited election periods. In fact just as the EU Data Protection Directive was being developed, the Republicans having recently captured the Congress were solidifying their links to K Street lobbyists. Ira Magaziner, who helped to [*55] formulate the Clinton administration self-regulation position for the US Safe Harbor negotiations, had earlier experienced the power of economic interests who opposed his efforts at developing a regulatory scheme for health care.

Heisenberg concludes that, despite the Safe Harbor Agreement allowing for individual US company compliance and self-certification with privacy standards less strict than the EU Directive requirements, the EU is still the leader of a global privacy regime. Heisenberg suggests that no other countries have opted for a self-regulatory Safe Harbor type system. Those countries that have substantial commerce with the EU have moved forward on national regulation, centrally administered that reflects EU standards. But in reaching this conclusion, she seems to gloss over her own findings that few non-member countries have achieved adequacy certifications from the EU, yet data flows have not been halted. The Working Party and the European Parliament, rather than the EU Commission, have been strong advocates of maintaining data protection standards by stopping data flows to non-complying countries. Even among EU member states, however, national legislation fully embodying the Directive’s standards has been slow in coming. By mid-2004 only Germany, the Netherlands, Belgium, Ireland, Luxembourg and France had fully compliant legislation. Throwing further doubt on Heisenberg’s leadership conclusion is the fact that European airlines, despite the EU Commission’s warnings of possible violation of the data protection Directive, have generally turned over airline passenger information to the US government.

In sum, this book is valuable for its descriptions of the various data protection regimes and their origins. It also has an extensive and useful bibliography. It fails to provide a clear methodology, an insightful theoretical perspective or uncontradicted conclusions.

*************************************************