Presentation is loading. Please wait.

Presentation is loading. Please wait.

Globalization and Social Protection: The Impact of EU and International Rules in the Ratcheting Up of U.S. Privacy Standards By Gregory Shaffer Assistant.

Similar presentations


Presentation on theme: "Globalization and Social Protection: The Impact of EU and International Rules in the Ratcheting Up of U.S. Privacy Standards By Gregory Shaffer Assistant."— Presentation transcript:

1 Globalization and Social Protection: The Impact of EU and International Rules in the Ratcheting Up of U.S. Privacy Standards By Gregory Shaffer Assistant Professor of Law, University of Wisconsin Law School

2 Globalization and Social Protection2 Introduction Much of the compilation and transfer of personal information that is daily in the US is in Europe illegalMuch of the compilation and transfer of personal information that is daily in the US is in Europe illegal In a globalizing economy, European law also constraints US domestic private policy and practices; in order to avoid EU data transfer restrictions, US businesses implement new internal data privacy practices, oriented at the EU criteriaIn a globalizing economy, European law also constraints US domestic private policy and practices; in order to avoid EU data transfer restrictions, US businesses implement new internal data privacy practices, oriented at the EU criteria The article examines the ongoing dispute between the US and the EU over the regulation of data privacy protectionThe article examines the ongoing dispute between the US and the EU over the regulation of data privacy protection

3 Globalization and Social Protection3 I. EU Data Privacy Rules and their impact on business Trading Up in the EU: The Link between Data Privacy Protection and EU Trade Liberalization The EU Directive was negotiated in the context of the threat of data transfer bans from certain EU Member States with protective data privacy laws to other states with less stringent lawsThe EU Directive was negotiated in the context of the threat of data transfer bans from certain EU Member States with protective data privacy laws to other states with less stringent laws Goal of protecting individual privacy and ensuring trade liberalization within the EU were inseparable for political reasonsGoal of protecting individual privacy and ensuring trade liberalization within the EU were inseparable for political reasons The most powerful states in the EU (Germany and France) demanded greater data privacy protection and so the Directive was made accordingly strictThe most powerful states in the EU (Germany and France) demanded greater data privacy protection and so the Directive was made accordingly strict Art. 1 § 1: “Member States shall protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy...”Art. 1 § 1: “Member States shall protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy...” Art. 1 §2 : “Member States shall neither restrict nor prohibit the free flow of personal data between Member States for reasons connected with the protection afforded under paragraph 1”Art. 1 §2 : “Member States shall neither restrict nor prohibit the free flow of personal data between Member States for reasons connected with the protection afforded under paragraph 1” Only by ensuring the protection of fundamental privacy rights could the EU ensure the free transferability of dataOnly by ensuring the protection of fundamental privacy rights could the EU ensure the free transferability of data

4 Globalization and Social Protection4 I. EU Data Privacy Rules and their impact on business Rights and Obligations: The EU Directive’s Regulatory Controls over data processing EU Directive covers all private sector processing of personal dataEU Directive covers all private sector processing of personal data Ex ante controls, that requires controllers to inform the data subject of the identity of the controller of the data and the purpose of processingEx ante controls, that requires controllers to inform the data subject of the identity of the controller of the data and the purpose of processing The data can only be used for the specified purposeThe data can only be used for the specified purpose Individuals must be informed before personal data are disclosed for the first time to third parties for the purpose of direct marketingIndividuals must be informed before personal data are disclosed for the first time to third parties for the purpose of direct marketing Individuals have a permanent right to access their data and to obtain copies of their recordsIndividuals have a permanent right to access their data and to obtain copies of their records The EU Directive grants individuals significant enforcement rightsThe EU Directive grants individuals significant enforcement rights Supervisory authorities are granted significant powers, including the power to investigate processing operationsSupervisory authorities are granted significant powers, including the power to investigate processing operations

5 Globalization and Social Protection5 I. EU Data Privacy Rules and their impact on business Privacy at a Price: The Costs of EU Requirements on European Business Operations Privacy requirements impose costs on business operating and constraints the sovereignty of private business decision-makingPrivacy requirements impose costs on business operating and constraints the sovereignty of private business decision-making Businesses are required to retain detailed information concerning the data’s use and to respond promptly to all inquiries concerning itBusinesses are required to retain detailed information concerning the data’s use and to respond promptly to all inquiries concerning it Where informed consent is required, individuals may refuse to grant itWhere informed consent is required, individuals may refuse to grant it Where individuals withhold consent, businesses seek to obtain information through more costly means (reduced efficiency)Where individuals withhold consent, businesses seek to obtain information through more costly means (reduced efficiency) Business forego revenue from data sale to direct marketing companiesBusiness forego revenue from data sale to direct marketing companies The non-negotiability of rights both reduces efficiency and raises equity concerns; the possibility of any cost-benefit analysis is eliminatedThe non-negotiability of rights both reduces efficiency and raises equity concerns; the possibility of any cost-benefit analysis is eliminated Exceptions for concerns such as “public security, defense, State security and the activities of the State in areas of criminal lawExceptions for concerns such as “public security, defense, State security and the activities of the State in areas of criminal law

6 Globalization and Social Protection6 I. EU Data Privacy Rules and their impact on business Exporting Privacy Protection: The EU’s Threat to ban Data Transfers to the US All data transfer to a third country is prohibited if this country does not ensure an adequate level of protection of data privacy rightsAll data transfer to a third country is prohibited if this country does not ensure an adequate level of protection of data privacy rights EU internal requirements: processing must be limited to a specific purpose, the purpose must be made known to the individual, the individual must have access to the data and the right to object to its processingEU internal requirements: processing must be limited to a specific purpose, the purpose must be made known to the individual, the individual must have access to the data and the right to object to its processing The third-country recipient must be prohibited from transferring the information to countries, that do not afford adequate levels of protectionThe third-country recipient must be prohibited from transferring the information to countries, that do not afford adequate levels of protection

7 Globalization and Social Protection7 II. US Data Privacy Protection: Does it fail to meet the EU Criteria? US Protections against Data Processing by Government Privacy Act of 1974 as the only federal omnibus actPrivacy Act of 1974 as the only federal omnibus act It applies only to data processing conducted by federal governmentIt applies only to data processing conducted by federal government The Privacy Act obliges federal agencies to collect information to the greatest extend possible directly from the concerned individuals, to retain only relevant and necessary information, to maintain adequate and complete records, to provide the right of access to review and have their records correctedThe Privacy Act obliges federal agencies to collect information to the greatest extend possible directly from the concerned individuals, to retain only relevant and necessary information, to maintain adequate and complete records, to provide the right of access to review and have their records corrected Majority of states lack omnibus privacy acts and offer instead scattered statutes applying to specific sectors or concernsMajority of states lack omnibus privacy acts and offer instead scattered statutes applying to specific sectors or concerns

8 Globalization and Social Protection8 II. US Data Privacy Protection: Does it fail to meet the EU Criteria? US Protections against Data Processing by the Private Sector US provides no generalized protection to individualsUS provides no generalized protection to individuals Congress has limited federal privacy protection to discrete sectors and concernsCongress has limited federal privacy protection to discrete sectors and concerns It may be adequate under EU standards in some sectors, but it was sought inadequate in mostIt may be adequate under EU standards in some sectors, but it was sought inadequate in most Enterprises can freely compile, mix, match, buy and sell dataEnterprises can freely compile, mix, match, buy and sell data Individuals have little or no protection in unregulated sectorsIndividuals have little or no protection in unregulated sectors US regulation of the private sector largely depends on industry norms and individual company policiesUS regulation of the private sector largely depends on industry norms and individual company policies In the context of the EU-US negotiations these self-regulatory schemes remain voluntary, unenforceable and often ignored by the companiesIn the context of the EU-US negotiations these self-regulatory schemes remain voluntary, unenforceable and often ignored by the companies

9 Globalization and Social Protection9 II. US Data Privacy Protection: Does it fail to meet the EU Criteria? Problems with the Public-Private Distinction As the importance of large private actors increases, it may seem odd that the private sector is subject to less regulationAs the importance of large private actors increases, it may seem odd that the private sector is subject to less regulation The traditional distinction, that’s basis lies in liberal political theory has long been critiquedThe traditional distinction, that’s basis lies in liberal political theory has long been critiqued Legal realists have long cast doubt on workability of the public-private distinction, given that so many private entities provide public functionsLegal realists have long cast doubt on workability of the public-private distinction, given that so many private entities provide public functions

10 Globalization and Social Protection10 II. US Data Privacy Protection: Does it fail to meet the EU Criteria? Alternative Institutions: The Interaction of US Markets, Legislatures and Courts in Regulating Private Sector Use of Personal Data Role of Markets: markets can be powerful regulators as companies value their reputation; by enhancing their privacy protection policies, companies can improve their market position compared to competitorsRole of Markets: markets can be powerful regulators as companies value their reputation; by enhancing their privacy protection policies, companies can improve their market position compared to competitors Role of Legislation: legislation creates default rules around which bargaining can take place; but US legislation has yet to change, because of problems concerning lobbyingRole of Legislation: legislation creates default rules around which bargaining can take place; but US legislation has yet to change, because of problems concerning lobbying Role of Courts: can complete market and legislative measures, but there are limits to relying on courts, because their resources are limited and needed for other purposesRole of Courts: can complete market and legislative measures, but there are limits to relying on courts, because their resources are limited and needed for other purposes

11 Globalization and Social Protection11 II. US Data Privacy Protection: Does it fail to meet the EU Criteria? The limits of Single jurisdiction analysis: The need to account for Transnational Institutional Independence Single jurisdictional analysis fails to account for the dynamics of regulatory change in a globalizing economySingle jurisdictional analysis fails to account for the dynamics of regulatory change in a globalizing economy US businesses are pressed to modify their data privacy practices from multiple directions, as we live in a time where it is less and less accurate to think solely in terms of national regulation and institutionUS businesses are pressed to modify their data privacy practices from multiple directions, as we live in a time where it is less and less accurate to think solely in terms of national regulation and institution Countries that trade goods can also import standards and proceduresCountries that trade goods can also import standards and procedures

12 Globalization and Social Protection12 III.The Transatlantic Context: Managing the Conflict over Privacy Pooling Sovereignty to Bolster Market Power: The Role of the EU market EU is US’ largest trading partner and the site of most US foreign investment (1997: US exported $ billion, imp. $ billion)EU is US’ largest trading partner and the site of most US foreign investment (1997: US exported $ billion, imp. $ billion) EU market power provides its officials with considerable bargain leverage over privacy issuesEU market power provides its officials with considerable bargain leverage over privacy issues In trading negotiating authority to the EU the member states have been able to speak with a single, more powerful voiceIn trading negotiating authority to the EU the member states have been able to speak with a single, more powerful voice It is because that EU and US laws are not sufficiently harmonized that the EU can potentially block data transfer to the USIt is because that EU and US laws are not sufficiently harmonized that the EU can potentially block data transfer to the US

13 Globalization and Social Protection13 III.The Transatlantic Context: Managing the Conflict over Privacy Public and Private: The multiple means to restrict data transfer to the US EU member states are instructed to ban all data transfers to countries that fail to ensure adequate data privacy protectionEU member states are instructed to ban all data transfers to countries that fail to ensure adequate data privacy protection Determination can be limited to certain economic sectors, types of information or operationsDetermination can be limited to certain economic sectors, types of information or operations Authorities can independently fine individual companies and enjoin them from transferring data; company officials can be imprisonedAuthorities can independently fine individual companies and enjoin them from transferring data; company officials can be imprisoned Individuals can sue companies for damages before member state courtsIndividuals can sue companies for damages before member state courts

14 Globalization and Social Protection14 III.The Transatlantic Context: Managing the Conflict over Privacy Conflict Management: US-EU Negotiations over Adequacy Pressure from US firms make negotiations to a high profile issue for US administrationPressure from US firms make negotiations to a high profile issue for US administration US commerce officials defend US practices, critiquing EU as bureaucratsUS commerce officials defend US practices, critiquing EU as bureaucrats US officials prompt businesses to create “self-regulatory”US officials prompt businesses to create “self-regulatory” US proposes that both agree to a set of core data privacy protectionUS proposes that both agree to a set of core data privacy protection

15 Globalization and Social Protection15 IV. The supranational Context: The Constraints of International Trade Rules WTO constraints on the European Union There are arguably some protectionist motives behind the EU Directive, as US businesses are more advanced in the use of IT than EU companies might beThere are arguably some protectionist motives behind the EU Directive, as US businesses are more advanced in the use of IT than EU companies might be As personal data is a non-standardized product, it is seen as a service and its transfer should be covered under GATS (General Agreement on Trade in Services)As personal data is a non-standardized product, it is seen as a service and its transfer should be covered under GATS (General Agreement on Trade in Services) EU is obliged to treat US service providers no less favorably than EU service providers and to apply its domestic regulation in a “reasonable manner”EU is obliged to treat US service providers no less favorably than EU service providers and to apply its domestic regulation in a “reasonable manner”

16 Globalization and Social Protection16 IV. The supranational Context: The Constraints of International Trade Rules Why the US should not prevail The EU Directive applies equally to transfers to all countries and thus should not violate the GATS most-favored-nations clauseThe EU Directive applies equally to transfers to all countries and thus should not violate the GATS most-favored-nations clause EU has a legitimate public policy objective - to protect the privacy of EU residentsEU has a legitimate public policy objective - to protect the privacy of EU residents WTO panel will be wary of engaging in a delicate balancing of trade and privacy interestsWTO panel will be wary of engaging in a delicate balancing of trade and privacy interests

17 Globalization and Social Protection17 IV. The supranational Context: The Constraints of International Trade Rules The EU Directive Under the WTO’s new Criteria EU regulation as “extra-jurisdictional” in its focusEU regulation as “extra-jurisdictional” in its focus Author compares it with a Asian Shrimp-Turtle CaseAuthor compares it with a Asian Shrimp-Turtle Case Conclusion: EU application of the Directive should meet theses Appellate Body criteria for permissible extra-jurisdictional measuresConclusion: EU application of the Directive should meet theses Appellate Body criteria for permissible extra-jurisdictional measures

18 Globalization and Social Protection18 IV. The supranational Context: The Constraints of International Trade Rules Reinforcing a Trading Up:WTO Rules as an EU Shield WTO supranational trade rules offer the US only a limited check on the EU’s Directive’ applicationWTO supranational trade rules offer the US only a limited check on the EU’s Directive’ application Constraining EU’s ability to discriminate US companiesConstraining EU’s ability to discriminate US companies WTO rules do not relieve the pressure on the US to raise its standardsWTO rules do not relieve the pressure on the US to raise its standards

19 Globalization and Social Protection19 V. The EU Directive’s Extra-Jurisdictional effects in the US Enhanced US Regulatory Efforts US administration is divided over data privacy issuesUS administration is divided over data privacy issues Department of Commerce has advocated a more market-based approach. Businesses should do self-regulation, EU Directive as a over-reliance on “big government”Department of Commerce has advocated a more market-based approach. Businesses should do self-regulation, EU Directive as a over-reliance on “big government” Clinton administration and the FTC, the independent federal agency promote legislation to expand data privacy protectionClinton administration and the FTC, the independent federal agency promote legislation to expand data privacy protection Commerce: “Safe Harbor Principles” as self regulation in 1998Commerce: “Safe Harbor Principles” as self regulation in 1998 EU has so far rejected the US proposals as inadequateEU has so far rejected the US proposals as inadequate EU Directive has not only shaped the US baseline rules, it has spurred new institutional developmentsEU Directive has not only shaped the US baseline rules, it has spurred new institutional developments

20 Globalization and Social Protection20 V. The EU Directive’s Extra-Jurisdictional effects in the US An opportunity for public advocacy groups and public service providers Data privacy advocates have attempted to use the US Directive to challenge lax business practices in the USData privacy advocates have attempted to use the US Directive to challenge lax business practices in the US The Role of privacy advocates: “Repeat players” in ongoing negotiations over US data privacy rules; they believe that individuals must be able top control the commercial use of their data; they jumped on the opportunity to pressure the Department of Commerce to make its Safe Harbor Principles more stringentThe Role of privacy advocates: “Repeat players” in ongoing negotiations over US data privacy rules; they believe that individuals must be able top control the commercial use of their data; they jumped on the opportunity to pressure the Department of Commerce to make its Safe Harbor Principles more stringent The Role of Privacy Service Providers: EU Directive fosters the creation of a new service industry for the certification and monitoring of self-regulatory programs; Accountants have created a program entitled CPA WebTrust; also the development of new technology, that protects privacy interests is stimulatedThe Role of Privacy Service Providers: EU Directive fosters the creation of a new service industry for the certification and monitoring of self-regulatory programs; Accountants have created a program entitled CPA WebTrust; also the development of new technology, that protects privacy interests is stimulated

21 Globalization and Social Protection21 V. The EU Directive’s Extra-Jurisdictional effects in the US Business Reaction to EU Pressures for privacy protection US businesses have vehemently objected the EU data privacy demandsUS businesses have vehemently objected the EU data privacy demands They lobby governmental representatives to leave this issue to self-regulation, so businesses are pressed to raise their internal standardsThey lobby governmental representatives to leave this issue to self-regulation, so businesses are pressed to raise their internal standards Commerce Safe Harbor Principles: On one hand the negotiations with the EU are strongly supported, because they protect businesses from EU data transfer restrictions, on the other hand businesses fear that these principle lead to more expensive data requirements in the USCommerce Safe Harbor Principles: On one hand the negotiations with the EU are strongly supported, because they protect businesses from EU data transfer restrictions, on the other hand businesses fear that these principle lead to more expensive data requirements in the US Intra-European transfer should be subject to Directive, EU-US transfer, however, subject to the principlesIntra-European transfer should be subject to Directive, EU-US transfer, however, subject to the principles In the US higher litigation risk, in Europe punishment more modestIn the US higher litigation risk, in Europe punishment more modest Once US businesses adopt internal data privacy policies to avoid EU restriction, they subject themselves to potential FTC enforcement proceeding for failure to comply with proclaimed policies (spill-over effects)Once US businesses adopt internal data privacy policies to avoid EU restriction, they subject themselves to potential FTC enforcement proceeding for failure to comply with proclaimed policies (spill-over effects)

22 Globalization and Social Protection22 VI. Conclusion US-EU dispute is a story of foreign political pressure backed by foreign market power:US-EU dispute is a story of foreign political pressure backed by foreign market power: US businesses demand foreign market liberalization in order to exploit foreign marketsUS businesses demand foreign market liberalization in order to exploit foreign markets EU data privacy laws as luxury good consumed by EU citizensEU data privacy laws as luxury good consumed by EU citizens EU privacy laws must affect foreign as well as domestic practices if they should accomplish their goalsEU privacy laws must affect foreign as well as domestic practices if they should accomplish their goals EU Member States use their market power to satisfy their citizens’ demands and they increase their power in acting collectivelyEU Member States use their market power to satisfy their citizens’ demands and they increase their power in acting collectively Supranational rules do not significantly constrain the EU’s application of its data privacy lawsSupranational rules do not significantly constrain the EU’s application of its data privacy laws


Download ppt "Globalization and Social Protection: The Impact of EU and International Rules in the Ratcheting Up of U.S. Privacy Standards By Gregory Shaffer Assistant."

Similar presentations


Ads by Google