
The Obligation of Businesses Caught in the Data Protection Labyrinth: Between Customer Care and Governmental Control

at March 03, 2009

In today’s high-tech and mobile world, where there is easy access to information as well as a need for data to be provided to and from private actors, we might start to doubt how well protected our priceless personal records are. Information is “the cornerstone of a democratic society and market economy,” and enhanced technologies for using personal data have arguably transformed financial services into an “information industry.” Online shopping, bank account information, airline ticketing – they all require you to share much of your important data. Matters such as safeguarding intellectual property rights and, especially, protecting data from third parties are being widely discussed as the European Union expands and as the exchange of data grows. Are we just pawns in an indifferent bureaucracy, not knowing what is happening and having no ability to exercise control over our own personal information, or is what is being done sufficient for the data protection regime to function coherently? And what role and obligations are there for the businesses trapped in the ever-expanding data protection regime and placed under the control of national and European data protection entities?

Data protection, or information privacy, is the regulation of the use of personal information about individuals by non-state interests, such as corporations. Every new invention and business method calls for attention to what steps need to be taken to protect the individual’s privacy: the right to be let alone. Yet without some dealings in data, search costs would be higher for both merchants and consumers, pricing would be less efficient, and merchants, for instance, would have a less accurate portrait of their customers; not to mention that some online transactions might indeed be impossible without the use of personal data. Because of the flexibility and mobility of the enlargement and development of this globalized world, we inevitably end up depending on sharing our personal data. The same holds true for the daily and necessary requirements of how businesses operate. They need a constant and accurate flow of personal data and, at the same time, need a sound mechanism in place to protect this data from misuse.

The data protection regime is becoming more and more widely disputed. There are current discussions in different European committees, such as the Internal Market Committee and the Civil Rights Committee, on whether any natural or legal person should be allowed to process electronic traffic data without the consent of the user. Even the People’s Republic of China, a country that prospers in many ways but still holds on to some undemocratic approaches towards its citizens’ rights, is adopting a major amendment to its Criminal Law so that personal information will be better protected. Staff in government offices, financial, medical and educational institutions, and transport and communications departments, who usually have access to citizens’ personal information, shall face a maximum jail term of three years if they sell or leak a citizen's personal information.

Data protection could mean protection of the individual from a legitimate business, private corporations or any third party, including the government; or protecting businesses against each other, or from unwanted governmental interference. Indeed, it can be protection from the government or by the government. For instance, European Union countries are characterized by a high degree of government involvement in the protection of fundamental rights, among which the right to data protection is positioned. By contrast, in the United States of America privacy law is concerned with upholding privacy rights against the government. That observation is supported by the fact that the European approach to privacy can be described as “putting the burden of protection on society rather than the individual.” The American notion of privacy is grounded in liberty rather than dignity and can generally be defined as the right to freedom from intrusions by the state. The Americans have the laissez-faire approach.

Keeping in mind that the EU and the USA hold the most developed data protection regimes in the world brings us to another crossroads question: just how much more difficult can it get for corporations to do business and comply with data protection rules if their activities span both sides of the Atlantic? The value of trade between the USA and the EU is enormous. Much of the commercial traffic between the USA and the EU is accompanied by, or consists of, streams of data. Even simple sales of goods may involve the collection of information from and/or about a customer. Yet the American legislative results on data protection are more fragmented than those of the European Union. Apart from the number of bills that Congress has considered, there is no comprehensive federal information privacy statute. On the other side of the Atlantic, information privacy protection has long been the subject of comprehensive legislative action. The EU Data Protection Directive (95/46/EC) prescribes specific requirements for the handling or processing of personal data. Personal data must be processed fairly and in a manner consistent with specified, explicit and legitimate purposes, maintained accurately, updated periodically, erased or rectified in a timely manner, and kept anonymously when identification of data subjects is no longer necessary. The Directive also provides exceptions, such as when the data subject has unambiguously given their consent or when processing is necessary in order to protect the vital interests of the data subject.

The European Union is making efforts to set global standards for data protection regulation with its Data Protection Directive (95/46/EC). This could be problematic in its relationship with the USA, since there the privacy of personal information is not a fundamental or explicit constitutional right. Still, there are a few acts that separately regulate data protection matters. The Gramm-Leach-Bliley Act requires that financial institutions implement managerial and technical measures to protect against loss and unauthorized access, destruction, use, or disclosure of data. Another regulatory act is the Fair Credit Reporting Act, which applies to personal information and in particular to the information contained in consumer reports. American jurisprudence, a main source of law, also includes a few decisions that establish a duty of confidentiality. For example, state courts have found it implicit in a bank’s contract with its customers that the bank could not disclose information concerning the customer’s account to third parties.

The Data Protection Directive (95/46/EC) of the European Union, on the other hand, serves the dual purpose of ensuring the free movement of personal data in the internal market and guaranteeing a uniformly high level of privacy protection for data subjects. The Directive, as a uniform act, seems to serve the member states somewhat better and more easily, whereas the dispersed US codification leaves a trace of chaos in the regulatory environment. The Directive specifies that personal data must be processed “fairly and lawfully,” that it may be collected only “for specified, explicit and legitimate purposes,” and that it must not be “further processed in a way incompatible with those purposes.” That is an explicit foundation for the guarantee of each citizen’s right to have their personal data protected.

The EU has indicated a willingness to engage in further discussions on data protection, which is a great opportunity for the US to begin negotiations before the EU starts to exert even stronger pressure on US officials to come to an agreement. In the meantime, EU member states currently permit, informally, many trans-Atlantic transfers to occur in violation of their national data protection laws, but there is evidence that data protection authorities in EU member states may begin to enforce data protection restrictions more actively.

As long as there is a functioning and developing system to regulate and secure the data protection regime, the citizens of the EU member states should not worry. Whether we like it or not, private actors such as companies are more and more often obliged to transmit their customers’ data to law enforcement authorities. Since this is not done chaotically, and since the Data Protection Directive (95/46/EC) is present to balance and control it, the private rights of the customers are preserved to some degree. For the EU countries it is becoming more and more important to collect and store data, and this tendency is not going to decrease. But as a widely discussed topic of great importance to the intangible life of the individual, the EU takes steps to regulate it. That is why we do not need to regard the care and efforts of the EU as the next Big Brother, but as a way of preserving, cultivating and guarding our private right to have our data protected.

Elitsa Stoeva

Elitsa Stoeva is a student of Law at the University of Sofia "St. Kliment Ohridski," Bulgaria. She studied for a year at the University of Georgia, USA, as part of the Open Society Institute's Undergraduate Exchange Program. Elitsa is interested in foreign languages, human rights and international relations.

Photo: Atlantic Council of the United States
