By Paul Rosenzweig, The George Washington University Law School
The basic rules underlying privacy rights for members of the European Union are outlined in a pan-European rule known as the European Union Data Protection Directive. The directive applies to electronic filing systems and also the old-fashioned paper ones. The data covered by the directive is information about an individual that somehow identifies a person by name. It’s what one would call personally identifiable information.
Privacy in Europe versus the United States
Let’s begin with an experiment, or perhaps more like a demonstration. Open up your Web browser and go to google.com. Now, Google your own name or any name of your choice. Chances are something will come upon you, even if it’s only an address or a place you once might have worked or volunteered.
The better known that you are—or the name that you’ve selected—the more information you’ll find. More importantly, from the online researcher’s perspective, the Google algorithm works. You can pretty much count on Google to quickly and accurately get you to some information about a particular name or topic.
Now, go instead to a different Google website. The web address is google.co.uk. And when you’re there, Google the same name again. The result looks more or less the same, doesn’t it? But scroll all the way to the bottom of the web page on the UK website. What do you see? There’s a small puzzling line that reads, “Some results may have been removed under data protection law in Europe.” That text isn’t found on the US website. What does it mean?
This is a transcript from the video series The Surveillance State: Big Data, Freedom, and You. Watch it now, on Wondrium.
Features of Pan-European Rules
Let’s look at Europe and this curious provision that some results may have been removed. The caveat is relatively new; you would not have seen it before 2014. What it reflects is a uniquely European way of attempting to protect privacy and civil liberties. Let’s start with the basics.
For Europeans, privacy is a right. For Americans, it probably isn’t. The right to privacy in Europe is considered so fundamental that it is enshrined in the European Charter of Fundamental Rights. Article 8 states that “Everyone has the right to the protection of personal data concerning him or her.”
One oddity is that these pan-European directives are not self-executing. Instead, they’re treated as a baseline of guidance for each member state. And then, each national government is responsible for implementing the directive.
As you might imagine, there’s a fair bit of variation between, say, Germany and Greece. But the directive serves as the core guiding principle. And since it was adopted in 1995, every country in the European Union has implemented it.
Learn more about the possibilities of quantum computing.
What Pan-European Rules and Directives State
The directive begins by laying down basic privacy principles. They essentially codify the requirement that information should be collected for specific, legitimate purposes only and be stored in an individually identifiable form no longer than necessary. The European directive also states that the person who the information is about has some rights of his or her own.
In particular, a company collecting such information must give the person—who is called the data subject—a notice explaining everything about the data collection. That is, the person who is the subject to this information sweep is entitled to know who is collecting the data and why it’s being collected, as well as who will have access to it.
There’s also a transparency requirement so that the data subject—that is, the person—can have access to the collected information and correct it if needed. There is, however, one gaping hole in the data directive: it doesn’t apply to participating European governments.
The member states exempted themselves from the directive to the extent that it might apply to many of the state’s own operations. So, for example, the directive’s requirements don’t apply to matters of taxation or criminal/national security matters.
Learn more about code breaking.
How European and US Privacy Work
In the United States, the two principal and competing ways of protecting privacy have been to restrict the collection and to restrict processing. In other words, they sometimes protect privacy and civil liberties by saying to a company, “This is data you may not collect in the first instance.”
The other limit is on processing, or what we sometimes call use—the idea that you can collect the data all you want but use it only for the specific purpose that you collected it for. Or, perhaps, that you can use it for another purpose, but only with permission from a court or a supervisor or some other authority.
But on the other hand, Europe behaves differently in terms of privacy and civil liberties. To save privacy, the right to be forgotten allows Europeans to ask Google to remove unrelated links whenever they want.
In discussions of surveillance, civil liberty, and privacy, many of us often limit ourselves to American concepts of law and liberty and to the American experience of spying by US intelligence agencies and commercial surveillance by American companies. But the American approach to these issues is not universal, and on European views, America is something of an outlier on these issues compared with other Western nations.
Common Questions about European Union Data Protection Directive
Pan-European privacy rules aren’t self-executive. These laws are provided as a basis for guidance to all member states. Each member state is obliged to implement the directive as it wishes. How these rules work may vary slightly from per country, but the basics are the same for everyone.
Pan-European privacy rules establish the basic principles of privacy that all European countries must obey. According to these rules, information should only be collected for specific and legitimate purposes and shouldn’t be stored more than necessary.
A European company must first obtain permission to collect someone’s personal information. The company must explain everything to the person. Under pan-European privacy rules, people need to know how, for whom, and for what reason their information is to be collected.