This is the first in a series of articles that outline the legal position on an individual’s right to privacy with regard to personal data held across the world. There is an implicit assumption that every individual has the right to privacy. In fact, you could say it is a human right. This right to data privacy is being or has been codified into law across the globe. There is only one major exception in the free Western world, and that is the US, where there is no legally backed guarantee to data privacy. Yes, there is the common-law tort of invasion of privacy derived from English law and the 1974 Privacy Act. However, a guaranteed protection of data rights has never been codified into federal statute in the US, whereas more than eighty other countries and independent territories—including the EU; the UK; and the majority of Latin America, the Caribbean, Asia, and large parts of Africa—now have comprehensive data-protection laws.
These laws set out to limit what data can be held and used as well as how it is to be protected. More importantly for those to whom the information pertains, these laws define the sanctions that can be imposed for a transgression. The US has chosen to follow quite a different path. Within the US, data privacy is neither highly legislated nor highly regulated. Unlike Europe, the US relies on industry-specific legislation such as HIPAA, COPPA, and FACTA. This lack of a codified legal framework of statutes has led the EU to implement safe harbour (more on this later).
The EU’s core legal stance regarding data protection stems from the codification of the Organisation for Economic Co-operation and Development’s 1980 report titled “Recommendation of the Council concerning guidelines governing the protection of privacy and transborder flows of personal data.” That report set out the following seven guiding principles:
- Notice: data subjects should be given notice when their data is being collected;
- Purpose: data should only be used for the purpose stated and not for any other purposes;
- Consent: data should not be disclosed without the data subject’s consent;
- Security: collected data should be kept secure from any potential abuses;
- Disclosure: data subjects should be informed as to who is collecting their data;
- Access: data subjects should be allowed to access their data and make corrections to any inaccurate data; and
- Accountability: data subjects should have a method available to them to hold data collectors accountable for not following the above principles.
The OECD’s guidelines were, however, nonbinding. The Council of Europe ratified and incorporated them into the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data in 1981. The US endorsed the principles but did nothing to implement them into statute.
This led the EU and US to negotiate safe harbour principles, which were to protect EU citizens’ data to the same standards in the US as in the EU. These, however, were struck down in 2015 by the European Court of Justice (ECJ) as a result of an action brought by an Austrian privacy campaigner in relation to the export of subscribers’ data by Facebook’s European business to Facebook in the US. The rules surrounding the sale and use of information in the US are significantly looser than in the EU.
After safe harbour was struck down, the EU and the US negotiated the EU-US Privacy Shield Framework, which became active on July 12, 2016. This treaty governs the transatlantic exchange of personal data for commercial purposes. Its main aim was to enable US companies to more easily receive personal data from EU entities under EU privacy laws.
When President Trump took office, he signed an executive order titled “Enhancing Public Safety,” which appears to undo the EU-US Privacy Shield Framework by removing the protections of the US Privacy Act from non–US citizens and permanent residents. However, the EU issued the following statement regarding this act:
“The US Privacy Act has never offered data protection rights to Europeans. The Commission negotiated two additional instruments to ensure that EU citizens’ data is duly protected when transferred to the US:
- The EU-US Privacy Shield, which does not rely on the protections under the US Privacy Act.
- The EU-US Umbrella Agreement, which enters into force on 1 February (2017). To finalize this agreement, the US Congress adopted a new law last year, the US Judicial Redress Act, which extends the benefits of the US Privacy Act to Europeans and gives them access to US courts.”
This is still a political hot potato. EU citizens are demanding a transparency scheme to ensure that their personal data does not fall into the hands of the US intelligence agencies. Further, the EU has forced Google to introduce a forget-me clause for EU citizens. This is going to be an interesting couple of years. Personal privacy and the right to it are going to be front and center, as will the introduction of the General Data Protection Regulation (GDPR) in Europe. How will the UK’s departure from the EU affect its citizens’ right to privacy? Will the UK keep the EU model or move to a more free-market model such as that adopted by the US? Another interesting move in this space is the recent US Senate legislation regarding the ability of ISPs to sell users’ browser histories to interested parties. All of these will be discussed in later articles in this series.