The director-general of London-based Privacy International has warned that American Express Co and Electronic Data Systems Corp may face lawsuits over their handling of European customers’ personal information. PI’s Simon Davies told Interactive Week that when the EC directive on data privacy takes effect on October 25, neither AmEx nor EDS will meet the legal […]
The director-general of London-based Privacy International has warned that American Express Co and Electronic Data Systems Corp may face lawsuits over their handling of European customers’ personal information. PI’s Simon Davies told Interactive Week that when the EC directive on data privacy takes effect on October 25, neither AmEx nor EDS will meet the legal requirements for adequate privacy protection. However a lawyer who has consulted for AmEx on privacy issues disagrees. W. Scott Blackmer, with Washington, DC law firm Wilmer Cutler & Pickering, says European individuals have more to fear from ill-informed data pirates than from multinationals whose bread and butter is in transborder information flow. They have tended to be in contact with European national data privacy registrars all along, Blackmer argues. All they can do is comply with what they understand to be the principles of the directive and the procedures that are in place. If you believe the in multinationals’ essential goodwill, what’s really on the line is EC credibility. The Commission may yet have to try to enforce the directive in the absence of supporting national laws. Are all good companies up to speed? Probably not, says Blackmer. Are all the laws in place? Definitely not. Only Greece and Italy have enacted laws, Blackmer observes. Denmark, Sweden, Belgium and the UK have legislation in train. But in Germany it seems clear that no new legislation will be enacted until after the general election in September. Realistically, Blackmer says, it won’t happen until early 1999. The substantive principles of the directive are already enshrined in German law, he says, but until now they have not required notification. The EC directive stipulates that companies must notify individuals when their personal information is put to some new use. Similarly, Germany has no central registry but has chosen to encourage the appointment of data protection officers in individual companies. Meanwhile, European national authorities have indicated that they are interested in selectively investigating and enforcing the privacy directive, looking at bad actors and the largest and most sensitive data flows Blackmer says. The trouble with that is, it raises a whole lot of trade issues, he points out. The Global Agreement on Trade and Services (GATS) tolerates national laws like these only if they are applied in a proportionate and non-discriminatory way, and not when they are a disguised restriction on trade. If all the enforcement heat falls on a handful of US multinationals, the US can bring a complaint to the World Trade Organization’s new dispute resolution body, Blackmer says. On current form, Europe hasn’t much of a case. All this posturing is premature, he concludes, the laws just aren’t there yet.