When it comes to privacy law, Europe and the United States (U.S.) are not on the same page. Where do the differences lie? This article briefly describes the data protection laws of the European Union (E.U.) and the U.S. and what the differences boil down to.
Under the European data protection directives (Data Protection Directive 1995/46/EC and the e-Privacy Directive 2002/58/EC), the user (the “data subject”) holds a set of legal rights entitling them to control the data that describe them, regardless of who has or has had access to that data.
By contrast, under the U.S. legal system, whoever has rightful access to data “owns” the data and may make use of it; such use may also be limited, but the limitations rest on different grounds than in the European Union.
In the European Union, a user essentially has the right to be informed about how their data is being used (the notice requirement) and to prevent any use to which they do not agree (the consent requirement).
Put simply, without consent, use is forbidden. In essence, this mechanism resembles other intellectual property rights (such as copyright, patent and trademark rights).
The U.S. privacy law framework, on the other hand, works differently from its European counterpart. As a general rule, whoever has unrestricted access to data “owns” it and may use the data to a certain extent, as long as such use is not forbidden.
There are, however, exceptions; the main reasons why use may be forbidden include:
(1) the subject provides data for specific purposes only;
(2) statutory provisions: an entity does not meet specific requirements established by law (such statutes include the Health Insurance Portability and Accountability Act (HIPAA), the Fair and Accurate Credit Transactions Act (FACTA), the Children’s Online Privacy Protection Act (COPPA), the Gramm-Leach-Bliley Act, the CAN-SPAM Act, etc.); or
(3) access to data was unlawful.
For this mechanism to work, the privacy statement plays a very important role in the U.S. It must accurately describe the privacy practices of the company or organization; otherwise the company may be found to have engaged in unfair competition.
In the U.S., however, a user apparently need not actively agree to a company’s privacy practices. As long as the user does not object at the time of collection, the company should be fine (provided it also complies with any additional requirements established by statute).
By contrast, a company subject to European data protection law must pay more attention to how it obtains the consent necessary to collect and use data.