14 Mar 2014 Europe and America’s take on privacy
My friend @RyanMcCrimmon and I prepared the report below while we both worked as credentialed reporters for @medillonthehill at the United States Capitol. I remember telling Ryan about this new law that was making motions and was going to completely revamp the right to privacy for EU citizens. Ryan wasn't aware Americans were guaranteed significantly less privacy. He was becoming increasingly interested. We set out to systematically compare and contrast the statutes which guarantee privacy on the two sides of the Atlantic.
Our goal was to objectively sketch the big picture and make the read accessible to a general audience, while also providing enough references to those who want to dig deeper. We reviewed laws, directives, official guidances and archival documents of the U.S. Federal Government, U.S. Congress, U.S. Supreme Court, European Commission, European Parliament, European Court of Justice and the European Court of Human Rights.
The publication went live on March 14th, 2014 to coincide with the European Parliament's adoption of the General Data Protection Directive, or GDPR, voted two days earlier in plenary by the European Parliament with 621 votes in favour, 10 against and 22 abstentions.
Different Takes on Privacy
On Wednesday, the European Parliament passed a measure to unify existing E.U. data protection directives into a single document which adds tighter privacy measures like the so-called “right to be forgotten.” The measures illustrate the contrasting approaches to protecting data privacy in the European Union and the United States.
The General Data Protection Directive would grant customers the power to have companies remove their personal data. The law would also expand E.U. data protection requirements to all foreign companies that do business in Europe — including Silicon Valley giants like Facebook and Google, which have gotten into trouble recently for noncompliance. If the directive is passed by the European Council of Ministers, it could impose noncompliance penalties of over $100 million for the biggest companies.
This proposed tightening of the screws is the latest step in a debate over data protection between Europe and the U.S., and it highlights the vastly different approaches the two governments take when protecting the data privacy rights of citizens.
The differences between U.S. and E.U. privacy law are rooted at the foundation of each governing body. The European Convention on Human Rights, signed by all E.U. member states, recognizes a right to respect for one's “private and family life, his home and his correspondence.” The U.S. Constitution does not contain an explicit right to privacy. Instead, in Griswold v. Connecticut (1965), the Supreme Court established an implicit right to privacy defined as the “right to be left alone.”
This foundational difference has led to a divergence in legislative approach.
The U.S. has taken a sectoral approach, regulating privacy protection with a smorgasbord of highly specific laws, each of which mostly addresses a single area, like financial information or medical records. One act protects the privacy rights of students, for example, while another regulates the sharing of medical records. This allows for more stringent and specific protection in some areas, but leaves gaps in others.
In Europe, two overarching directives — the Data Protection Directive and the E-Privacy Directive — regulate all areas of privacy concern. These directives list the principles which each member state has to codify into its national legislation. Unlike in the U.S., the principles are applied to all fields, including emerging areas like social media and cloud computing. The European Court of Justice has the power to determine whether a state has complied with a directive and to impose sanctions until the country adopts such laws.
In general, the E.U. tends to legislate proactively, while the U.S. is largely reactive. Privacy theory in the U.S. assumes that information is public until a specific law is passed to protect that information. In Europe, privacy is the default. And Europe is bolder about holding private companies accountable for protecting customer data, while the U.S. relies more heavily on companies to self-regulate.
The U.S. and E.U. both provide strong and specific frameworks for protecting health information.
In the U.S., the Health Insurance Portability and Accountability Act of 1996 gives patients the right to see medical records (although some parts may be exempt) and rectify any mistakes. Patients also have the right to know how their information is being used. Without patient permission, a doctor can only share details for statistical purposes or with colleagues for advice. Details can’t be revealed to employers.
In the E.U., personal health data are considered “sensitive” under Article 8.1 of the Data Protection Directive and under Article 6 of Convention 108 (Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data). The Data Protection Directive allows processing of medical data (online or offline) only by healthcare professionals subject to professional secrecy. The data may be transferred to law enforcement if “sufficient safeguards” exist.
European law even has provisions for protecting genetic data and the personal data of unborn children. Fetuses are awarded the same privacy rights as a minor, deferring to a parent to grant consent. Genetic data can be processed in only the most special circumstances, to assist in either the diagnosis of a patient or the proceedings of a trial. E.U. law also places a limit on storage of medical information; data for scientific purposes may be kept longer, but usually has to be rendered unidentifiable.
The U.S. has no law to address the privacy rights of unborn children. Genetic data, like other health data, can be shared with law enforcement under certain conditions and precautions. HIPAA does contain the specification that data regarding patients brought in for emergency treatment is not to be shared, no matter what.
Recent legislative changes in both the U.S. and the E.U. have been aimed at cracking open stringent privacy laws that allowed for tax evasion, funding of terrorism and money laundering. But once again the two governments go about this completely differently — the U.S. carefully defines financial data and financial institutions and aims narrow regulations at these targets, while the E.U. levels broad regulation to protect transaction data, regardless of the company.
In the U.S., the Right to Financial Privacy Act (1978) first established the confidentiality of personal financial records. It required the federal government to notify individuals and give them a chance to object before a bank or other financial institution can disclose the person’s financial information to the government. The Financial Services Modernization Act (1999) required financial institutions to notify customers when their information is being shared. The Fair and Accurate Credit Transactions Act (2003) added safeguards for sensitive financial data like credit card and social security numbers – FACTA is the reason receipts only display the last four digits of your credit card.
In transactions with non-member states, the European Union has sought stricter compliance with its own data protection policies. European countries like Austria and Luxembourg have some of the most secretive banking systems in the world. In 2013, the Swiss President Ueli Maurer defended banking secrecy saying the government should not know "what is there in your account."
But the level of secrecy has enabled foreign tax evasion. After continued pressure from the Internal Revenue Service to curb tax havens, Switzerland signed a convention with the Organization for Economic Cooperation and Development, agreeing to share tax information with foreign authorities. The act shook a pillar of Swiss bank secrecy — the infamous Swiss bank numbered account, created by the Swiss Banking Act (1934).
The U.S.-E.U. Safe Harbors Framework provides an easy way for U.S. companies to comply with the E.U.’s Seven Core Privacy Principles — notice, choice, onward transfer, security, data integrity, access, and enforcement. Safe Harbors was created under the Data Protection Directive to streamline the export of data across the Atlantic. Corporations in the U.S. can become certified under the European framework by signing an annual pledge to comply with the seven principles.
If the General Data Protection Directive is passed by the Council of Ministers, U.S. companies will face even greater regulation than the Safe Harbors agreement required.
The E.U. and U.S. have extensive legislation to combat money laundering, including a close line of communication between the government and financial institutions. The government sends alerts to financial institutions, which look out for suspicious activity and report back.
The U.S. Bank Secrecy Act of 1970 required financial institutions to keep records of cash purchases, file reports of cash transactions exceeding $10,000, and alert the government to suspicious activity that might indicate money laundering and tax evasion. The PATRIOT Act (2001), Title III, created a “secure network” of communication between financial institutions and the government. Most notably, the act allowed personal financial data to be shared with intelligence agencies. This created an exception to the federal Privacy Act of 1974, which had prevented government agencies from sharing an individual’s personal information with any other person or agency without the consent of the individual.
In a similar move, a 2005 European directive, the Directive on the Prevention of the Use of the Financial System for the Purpose of Money Laundering and Terrorist Financing [2005/60/EC], required banks to investigate cash transactions in excess of €15,000.
Citing concerns for the privacy of its citizens, the European Union rejected a 2011 proposal by the United States to share information about bank transfers in order to track suspected terrorists. The U.S. was recently caught mining data illegally from international banking regulators in Belgium.
European law enforcement agencies can only collect data “necessary for the prevention of a real danger or the suppression of a specific criminal offence,” in accordance with the Recommendation Regulating the Use of Personal Data in the Police Sector [R(87)15]. Communication of a subject’s data with public bodies or private persons outside the police sector is only permissible if such communication is in the clear interest of the subject, or in order to prevent a “serious and imminent danger.”
The recommendation includes several provisions pertinent to the police sector. Police in the E.U. have the option to delay notification of the individual whose data is being collected so that they don’t tip off a suspect. Individuals can’t be targeted for data collection on the basis of racial, sexual, religious, or political status. Data based on fact should always be kept separate from data based on analysis or opinion. An independent, external supervisory body is responsible for ensuring police compliance with these measures.
Europe and the U.S. have very different attitudes towards public awareness of sex offenders. The U.S. maintains a public map with the full names, addresses and mugshots of known offenders. The European Court of Human Rights, trying to strike a balance between public and private interests, has given more consideration to the privacy rights of offenders and their chance to remake themselves.
In the U.K., parents and guardians can make a narrow request to the police to find out if a specific person is a known sex offender, but only law enforcement and private companies running prisons have direct access to the Violent and Sex Offender Register.
In 2009, the European Court of Human Rights found that France's national sex offender database struck a balance between private and public interest because only government workers subject to stringent confidentiality could access the database. The database preserved records for a reasonable amount of time (between 20 and 30 years) and provided an opportunity for offenders to petition to get off the list.
In Z. v. Finland (1998), the ECHR found that a sex offender, convicted of manslaughter after knowingly infecting people with HIV, had the privacy right to not be exposed to the public. A national court ordered the case documents to remain confidential for 10 years, and the ECHR ruled that his documents could remain private indefinitely because protection of medical data is a fundamental privacy right, especially with the stigma of HIV.
But there are plenty of voices calling for courts to put the public’s right to know over the offenders’ right to not be known. Ninety-seven percent of European Parliament members supported an E.U.-wide registry of sex offenders, according to a 2007 poll. The pressure came after the case of 3-year-old Madeleine McCann, a British citizen, who disappeared from a resort in Portugal and was never found.
The U.S. Supreme Court has twice upheld the legality of the national sex offender database. The registry is coordinated by the Department of Justice, and the FBI maintains a more comprehensive list of records which is not publicly accessible.
The U.S. has more specific provisions on wiretapping than the E.U. because each European country has separate law enforcement, intelligence and defense forces, as opposed to powerful federal agencies like the CIA, FBI, NSA and the Department of Homeland Security.
The European Convention on Human Rights forbids arbitrary wiretapping, but does not specify a process for obtaining a warrant. Some E.U. countries have rules which may be considered lax by American standards but are of little concern to most Europeans. In the U.K., for example, warrant requests start and end in the executive branch – a cabinet minister of internal affairs can personally approve wiretapping requests.
In the U.S., the Foreign Intelligence Surveillance Court must approve wiretapping requests from federal agencies. The PATRIOT Act (2001) made obtaining a warrant easier by expanding the methods of communication which can be tapped and the number of judges who can issue such warrants. In 2008, the FISA Amendments Act further expanded surveillance privileges. The act permits the government to destroy search records; it gives telecom companies immunity for complying with the government, and allows surveillance of U.S. citizens abroad. The act allowed for new surveillance programs like PRISM, the NSA’s metadata collection service that was revealed to the public in 2013 by Edward Snowden.
Neither Europe nor the U.S. has a clear policy on surveillance by Closed-Circuit Television and courts are left to decide how far an individual’s right to privacy goes. The U.S. has no federal law regulating CCTV use and laws vary by state. In Europe too, CCTV is widespread in some places like the U.K. and rare in others like Denmark.
The E.U. explicitly recognizes the right to privacy in public areas and there is general agreement that individuals must be made aware they are being monitored. If an individual enters an area with a CCTV sign, the law sees this as implicit consent to being watched. But as CCTV use spreads in countries like the U.K., it becomes difficult to even get a sandwich from the grocery store without being watched. This raises the issue that individuals don’t have the option to not consent.
The United States Supreme Court has also recognized some right to privacy on public property. A public pay-phone user, the Court said in Katz v. United States (1967), had a reasonable expectation of a private phone call when he closed the booth door. The FBI’s wiretapping of that phone booth was not constitutional without a warrant. The ruling implies that in some cases, CCTV might infringe on a person’s privacy.
Online privacy is the main area where European regulators have imposed significantly better protection than their American counterparts.
In the E.U., employers cannot read private emails of employees; personal information of citizens cannot be shared across companies or borders without express permission from the data subject; and customers of international organizations such as Amazon and eBay in the E.U. have an explicit legal right to review and delete their information.
Americans have no such protections.
The U.S. Federal Trade Commission has attempted to put forth a similar philosophy in its Code of Fair Information Practice (FIP), which provides for the rights of notification, choice, access, and security. But the code includes many exemptions and is not enforceable in court.
In 2010 the FTC called on the online industry to agree to a voluntary "Do Not Track" mechanism. Do Not Track lets users change their browser settings to ask websites to disable cookies and other tracking methods. All major browsers – including Internet Explorer, Chrome, Mozilla Firefox and Safari – support the protocol. The Digital Advertising Alliance has agreed with the federal government to honor the Do Not Track system. However, there is no enforcement mechanism and websites can choose to ignore the user’s request to turn off cookies.
Europe’s e-Privacy Directive (2002) is much stronger. It mandates that websites obtain explicit, informed consent from a user before placing cookies on the user’s device. The site also has to inform users how they are being tracked. All European member states have incorporated the law, except Germany, Norway, Poland and Slovenia.
The U.S. CAN-SPAM Act (2003) criminalized the sending of junk mail and has led to several convictions, although its efficacy has been challenged. The act forbids the use of false or misleading header and subject lines. The email sender must identify the message as an ad, include a company's valid physical address and allow the recipient to unsubscribe. The law allows the FTC to take legal action against companies that do not comply, but individuals cannot bring class-action lawsuits against companies.
The e-Privacy Directive in Europe forbids the sending of unsolicited messages altogether, unless the user has opted-in or the company has already established a relationship with the recipient. The sending company cannot conceal its identity and users are able to unsubscribe for free at any time.
The spam ban extends to text, push messages and robo-calls.
In the U.S., there are almost no restrictions on how data collectors can collect, use and store private information, as long as it has been obtained through legal means. In 2012, President Barack Obama unveiled a Privacy Bill of Rights which aims to give users more control over their own data. The bill, which is voluntary, includes the right of the user to view easy-to-understand privacy policies; the right to accessible and accurate personal data; and more limits on data collection. Although the proposal is voluntary, if companies “publicly and affirmatively” adopt the practices, the White House said, they fall under FTC jurisdiction.
Europe’s Data Protection Directive provides rights comparable to those in the Privacy Bill of Rights, but the directive is mandatory. In accordance with Section 1, Article 6, data can be collected only for a specific purpose, in a limited scope and for a limited time. The data collector can collect, use and store the data only if it’s necessary for a legitimate interest of the user and the user has given consent. The processing of so-called “sensitive data” is highly restricted — this includes health records, race and ethnicity, political views, religious and philosophical beliefs, trade-union membership and sexual life. Member states may restrict the privacy rights for defense and public security issues.
Europe’s privacy restrictions apply to government bodies, companies and even private individuals. In a landmark decision from 2003, the European Court of Justice found that a woman who identified and included information about fellow church volunteers on her personal web site was in breach of the Data Protection Directive — in Europe, even a personal blog is within the scope of the law.
Europe’s proposed General Data Protection Directive aims to unify all existing E.U. data protection within a single law. Just as important, it strives to address some of the growing privacy issues of the digital age.
Some measures in the directive:
- Expanding the scope of what is considered personal data. This could include photos on your iPhone, an old, deleted Facebook post, or even your laptop’s IP address.
- Establishing a “right to be forgotten,” to allow users to have their data permanently erased from a website unless the site had legitimate reason to keep it.
- Requiring that any "serious data breaches" be brought before the E.U.'s data protection authority within 24 hours, or as soon as possible.
U.S. law allows individuals to opt out of telemarketing calls, while the default in the E.U. is to block telemarketers from the start and allow individuals to opt in.
The Do-Not-Call Implementation Act (2003) allowed customers to opt out of unsolicited phone calls. Individuals can call a hotline and join a Federal Trade Commission database to not be bothered. Political, polling and nonprofit organizations are exempt from the opt-out clause — even if you opt out, these organizations can purchase your phone numbers from the FTC database.
Article 13 of the E-Privacy Directive sets forth a basic rule of "opt-in" consent for "unsolicited communications" like automated telephone calls, faxes, texts, and email. If a company has prior business with an individual, it is able to send unsolicited emails to that individual. Other than that, no direct marketing e-mail can be legally sent without the express consent of the receiver.
The Family Education Rights and Privacy Act of 1974 gives parents the right to see their child’s education records until the student turns 18. FERPA also prevents schools from sharing education records without the parent or student’s consent, except to certain exempted parties like another school to which the student is transferring, scholarship and financial aid organizations, or the juvenile justice system.