An Analysis of the Informational Privacy Protection Afforded by the European Union and the United States

I. INTRODUCTION It has become a common occurrence at American dinner tables for a meal to be interrupted by a caller who persistently attempts to survey a household member or to sell that individual some product. Undoubtedly, this same family's mailbox is overflowing with letters, requests-even demands-from people who seem to be convinced that the product or service that they are offering is something that this family cannot live without. Whether it was Al Gore bringing us the Internet or Bill Gates putting a personal computer within the reach of the average household, it is apparent that the Information Age has arrived. Moreover, the traffic of all of this newly available information has become an industry unto itself. Today, companies compile, sell, and swap demographic information to such an extent that an individual's personal information is on the verge of becoming public. While the mass transit of personal data is a global phenomenon, countries on either side of the Atlantic maintain different perspectives as to how this information flow should be regulated. After early difficulties in developing a concerted policy, the European Union (EU), by enacting the European Union Data Protection Directive (EU Directive), has taken the lead in actively regulating the traffic of personal information. This Directive imposes substantial regulatory controls over personal data collection, processing, and transfers in order to safeguard what is considered to be an inherent right to personal privacy. In contrast, the traditional fear of overarching government in the United States initially resulted in a more fragmented policy, with significant regulation formulated only in response to glaring deficiencies. More recently, U.S. legislators have adopted a more proactive stance by passing the Gramm-Leach-Bliley Financial Modernization Act (GLBA), mandating more stringent privacy protections with regard to consumer financial information. Nevertheless, the remaining ideological gaps between U.S. and European privacy policies have required the ad hoc establishment of U.S. Safe Harbor Principles to the EU Directive in an effort to prevent an impending information embargo. For the sake of homogeneity, this comment is limited to an overview of privacy as it pertains to personal information. Part II presents a historical account of the emergence of privacy law in the European Union and the United States. Part III provides an in-depth examination of the EU Directive, as well as a discussion of its ramifications in the marketplace. Part IV addresses the implications of Title V of the GLBA, and also briefly describes the advantages that international and domestic banking institutions may enjoy by obtaining financial holding company status under Title I of the Act. Finally, Part V outlines the U.S. Safe Harbor Principles, as well as the reasons behind its limited acceptance by U.S. companies. II. EXAMINATION OF THE DIVERGENT APPROACHES TO INFORMATION PRIVACY IN THE EUROPEAN UNION AND THE UNITED STATES Although the European Union and the United States initially developed privacy regulations reflecting different philosophies, a commonality between these approaches is that both ultimately resulted in the implementation of conflicting privacy standards that proved to be inadequate to safeguard data protection. This fragmentation led to the passage of the EU Directive, the GLBA, and the U.S. Safe Harbor Principles, in order to establish a uniform approach to informational privacy. These will be discussed in sections III, IV, and V, respectively. The following section presents the privacy theories and laws in the European Union and the United States, which provided the stimuli for the enactment of current privacy legislation. A. Origins of Privacy Law in the European Union The European approach to financial privacy is premised on the notion that the protection of personal data and privacy of individual citizens is a fundamental right, and that citizens should not be subjected to abuses of privacy before preventative measures are undertaken. …