Privacy concepts: US vs EU

By Christian Laux

The United States and the European Union share the goal of protecting individuals' privacy, but they pursue it through different legal frameworks.

When it comes to privacy law, Europe and the United States (U.S.) are not on the same page. Where do the differences lie? This article briefly describes the data protection laws of the European Union (E.U.) and the U.S. and what the differences boil down to.

Under the European data protection directives (Data Protection Directive 95/46/EC and the e-Privacy Directive 2002/58/EC), the user (the "data subject") holds a set of legal rights entitling them to control data that describe them, regardless of who has or had access to that data.

Contrary to this, under the U.S. legal system, whoever has rightful access to data "owns" the data and may make use of it; such use may be limited too, but the limitations rest on different grounds than in the European Union.

In the European Union, a user basically has the right to be informed about how their data is being used (notice requirement) and to prevent any use they do not agree to (consent requirement).

Put simply: without consent, use is forbidden. In essence, this mechanism resembles other intellectual property rights (such as copyright, patent and trademark rights), where the right holder decides who may use the protected object.

The U.S. privacy law framework works the other way around. As a general rule, whoever has unrestricted access to data "owns" it and may use the data to the extent such use is not forbidden.

However, there are exceptions and some of the main reasons why use may be forbidden include:

(1) the subject provides data for specific purposes only;

As an example, before any data is handed over, the subject makes known to the recipient that the recipient may use the data only for a limited purpose. Typically, an entity commits to such restrictions via a privacy policy. If the user and the entity agree on a later opt-out right, the user is able to say "no" to further use of their data at a later point in time, rather than having to object at the very beginning.

(2) statutory provisions: an entity does not meet specific requirements established by law (such statutes include the Health Insurance Portability and Accountability Act (HIPAA), the Fair and Accurate Credit Transactions Act (FACTA), the Children's Online Privacy Protection Act (COPPA), the Gramm-Leach-Bliley Act, the CAN-SPAM Act, etc.); or

(3) access to data was unlawful.

For this mechanism to work, the privacy statement plays a very important role in the U.S. It must accurately describe the actual privacy practices of the company or organization; a statement that promises more than the company does in practice exposes it to enforcement for unfair or deceptive trade practices (in the U.S., notably under Section 5 of the FTC Act).

However, in the U.S., it appears that a user need not actively agree to a company's privacy practices. As long as the user does not object at the time of collection, the company is generally on safe ground, provided it also complies with any additional requirements established by statute.

Contrary to this, a company subject to European data protection law must pay far closer attention to how it obtains the consent necessary to collect and use data in the first place.

About the author

Christian Laux
Christian is the principal of Laux Lawyers AG, a Switzerland-based legal firm specializing in information technology (IT) law. With his extensive experience and deep knowledge of the IT industry, Christian regularly advises clients on all aspects of IT law, including contract formation, project outsourcing, cloud computing, electronic archiving, legal screening of business processes and open source compliance matters. Christian speaks German, English, French and Russian. He may be contacted at christian.laux[at]lauxlawyers.ch.