The Internet Encyclopedia (Volume 3)


Consumers’ personal information must be kept up to date, or deleted.
The purpose for collecting data must be given at the time that data is collected.
An individual’s personal information cannot be used for any other purpose (such as mailing catalogs or coupons) unless a company has explicit permission.
Companies must have appropriate security safeguards in place to guarantee privacy of any data in their possession.
Companies must keep consumers advised in a clear and open manner about their data practices and how consumers’ privacy will be impacted by any changes.
Consumers must be permitted to see any information a company has on file about them, must be permitted to correct any errors, and must be allowed to delete data unless there’s a legally mandated reason for keeping it.
Companies that keep consumer information must have someone in the company accountable for ensuring that the privacy laws are being adhered to.
Companies may not transfer data outside of the EU unless the country to which the data is being transferred has privacy laws as strict as those in the EU (European Commission, 1995).

It should also be noted that these restrictions apply to all data in a company’s possession, whether customer data or employee data. And these are minimum standards; individual member countries can—and have—enacted laws that are even stricter. To enforce their privacy laws, many EU member countries have established data protection authorities—government agencies whose mandate is the policing of data practices within, and crossing, national borders. These authorities often require corporations who possess personally identifiable information about any citizen of their nation to register with the agency and file detailed statements of what data is collected and how it is used.
In addition, whereas U.S. law focuses on certain categories of information, such as financial or healthcare data, holders of the data such as credit bureaus, or categories of data subjects such as children, the EU law gives special consideration to data about

Race,
Religious affiliation,
Membership in political parties and trade unions, and
Criminal records.

These topics are of particular concern to Europeans, in part because of how records containing information about race, religion, and trade union memberships were gathered and used by the Nazi regime in Germany and in its occupied countries to decide who should be shipped off to concentration camps. For Europeans, the threat of private information being misused is more than a test of wills between marketers and consumers; it has meant the difference between life and death for the parents and grandparents of today’s European lawmakers.

Cross-Border Data Flow
The issue of cross-border data flow has been particularly
vexing for U.S. corporations, especially given the number
of Internet-based firms with operations in the European
Union that depend upon data flows from the EU back
to the United States. Because the United States does not
have broad privacy-protecting statutes on par with the
EU, U.S. corporations face the prospect of being unable to
communicate customer data, or even personnel records,
back to U.S.-based facilities.
Recognizing the potential for numerous disputes, the United States and EU entered into a series of negotiations in late 1999 and 2000, culminating in an agreement to create a Safe Harbor program. This program permits U.S. corporations to assert their adherence to an array of basic privacy requirements, with the assumption that those who certify compliance and bind themselves to enforcement measures in the event of misbehavior will be permitted to continue transferring data from the European Union into the United States (DOC, 2000).

BALANCING PRIVACY AND LAW ENFORCEMENT
In post-September 11 America, a great deal of public concern centers around the extent to which new antiterrorism intelligence-gathering will negatively affect the privacy of average citizens. Although few individuals will ever believe they merit the kind of surveillance activities implemented for mafia dons, drug kingpins, or terrorists, many are concerned that ubiquitous surveillance capabilities will result in less privacy for everyone, average citizens and mafia dons alike. Therefore, it is appropriate to discuss briefly the kinds of issues raised by increasing surveillance capabilities and to discuss a number of programs and laws that are adding to the pressures on personal privacy. More significantly, given the extent to which American business is increasingly becoming the repository of detailed information about the lives and business transactions of individuals, it is also appropriate to discuss how businesses are increasingly being called upon to aid law enforcement in their investigatory efforts, and why businesses need to exercise some judgment in deciding when and how to comply with law enforcement requests.
Surveillance, searches and wiretaps raise extremely complex legal and technical issues that are impossible to cover in this brief space. Should these issues arise in your personal or professional activities, it will not be possible for you to deal with them without the assistance of qualified legal counsel. There are, however, some things to keep in mind that will help you to understand how an organization may be affected.
Most domestic wiretapping is governed by the Electronic Communications Privacy Act of 1986 (ECPA). In addition, the Foreign Intelligence Surveillance Act of 1978 (FISA) governs wiretaps and surveillance of those considered “agents of a foreign power.” Both ECPA and FISA were modified, clarified, and in some cases expanded significantly, by the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and