Nearly simultaneously with issuance of the IITF Privacy Principles, the Council of Ministers of the European Commission adopted a Council Directive "on the protection of individuals with regard to the processing of personal data and on the free movement of such data" (the EU Directive).9 The EU Directive requires member states to conform their national privacy laws by mid-1998.
Under the EU Directive, personal data must be collected for specified and legitimate purposes and "not processed in a way incompatible with those purposes."10 Data must be adequate, relevant, accurate, current, not excessive, and must not be kept in identifying form for any longer than necessary.11 Personal data may be processed only if the data subject has consented "unambiguously" or if the processing falls within an exception, some of which include contract, legal obligation, or where a data subject's "fundamental rights and freedoms" in the personal information do not outweigh the legitimate interests of the data gatherer and where processing is necessary to pursue these interests.12 Under the EU Directive, member states must provide judicial remedies for any breach of the rights guaranteed, and adopt enforcement mechanisms, including sanctions for infringements of the privacy laws enacted in conformance with the Directive.13 The EU Directive requires member states to establish supervisory authorities to monitor the application of national law adopted pursuant to the EU Directive. The supervisory authorities are required to have investigatory authority, effective powers of intervention, and the power to engage in legal proceedings or to bring violations to the attention of judicial authorities.14
Article 25(2) of the EU Directive requires member states to ensure that personal data is transferred only to third countries with "adequate" privacy protection.15 Adequacy is to be determined on a case-by-case basis in light of all the circumstances surrounding a particular data transfer.16 The U.S. and the EU are discussing how the EU Directive might affect transatlantic data flows, but these discussions are at an early stage. Nevertheless, no discussion of online privacy protection can be complete without appropriate consideration of the EU Directive and its implications for international trade in the Information Age.
9. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (1995). For a comparison of the US/EU approaches to information privacy, see generally, Paul M. Schwartz & Joel Reidenberg, Data Privacy Law (1996).
10. EU Directive, supra note 9, at art. 6(1)(b).
11. Id. art. 6(1)(c)-(e).
12. Id. art. 7.
13. Id. arts. 22-24.
14. Id. art. 28.
15. Id. art. 25.