Testimony and Statement for the Record of
Marc Rotenberg
Director, Electronic Privacy Information Center
Adjunct Professor, Georgetown University Law Center
on
The European Union Data Directive and Privacy
Before the
Committee on International Relations,
U.S. House of Representatives
May 7, 1998

My name is Marc Rotenberg. I am the executive director of the Electronic Privacy Information Center, a public interest research organization based in Washington, DC. I am also an adjunct professor at Georgetown University Law Center and senior lecturer at the Washington College of Law. I have taught privacy law for almost ten years and I have been involved in many debates and discussions concerning privacy protection. I appreciate the opportunity to testify today on the EU Data Directive.

I should say at the beginning that I am not here to defend the Data Directive. Like all legislation, the Directive has some strengths and some weaknesses. It grew out of specific circumstances related to the integration of the European economies and the need to harmonize national privacy laws. It also reflects a widely held belief that privacy is a fundamental human right, entitled to full protection in law.

But I am also not here to attack the Directive. While it has become common practice for some companies to criticize the Directive, to fund conferences and reports raising questions about the Directive, I view the problem differently. In my opinion, it is not the privacy laws in Europe that raise concern; it is the absence of privacy laws in the United States that created the difficult situation we face today. Because privacy safeguards in the United States have not kept up to date, both European governments and American citizens are rightly concerned about the adequacy of privacy protection in this country.

I will make several points this morning about the debate over the EU Data Directive. These are:

  1. Privacy as a legal right is well established in the United States, and the United States has passed many privacy laws in response to new technologies. But the Administration and some companies are now actively opposing the adoption of real privacy safeguards. A country such as ours that prides itself on human rights should not be campaigning against privacy -- which is one of the most important rights in the information age.
  2. The self-regulatory approach that has been offered as an alternative to strong legal and technical protections is not doing very well. Public support for privacy legislation has grown during the time that self-regulatory policies have been pursued.
  3. Other countries are following the European approach and adopting new laws and new technical measures to protect privacy. The United States is becoming increasingly isolated in the global debate over privacy protection.
  4. Europe is committed to the enforcement of the Directive. Failure by the United States to address this issue will have specific economic consequences for US firms and transborder data flows.
  5. The U.S. policy on privacy is particularly ineffective because we are simultaneously urging surveillance standards in the telecommunications field for European governments and businesses even as we tell the Europeans not to apply their privacy guidelines to American firms operating in Europe.

Privacy Rights are Part of the American Tradition

First, it is important to understand that the right of privacy, as a legal claim enforceable in law, is very much a part of our tradition in the United States. In fact, the privacy right outlined by Brandeis and Warren in their famous 1890 law review article came to be known as the "American Tort." Even before Brandeis, Benjamin Franklin, the architect of the United States postal system, urged the Congress to enact a federal privacy law to ensure the protection of the US mails.

The United States has continued the tradition of enforcing privacy rights even with the development of new technology. In fact privacy protection has invariably come about in response to new technology. In 1970, the Fair Credit Reporting Act was adopted in response to the privacy risks associated with the creation of databanks containing credit reports. The Privacy Act of 1974, the most comprehensive privacy law in this country, was specifically intended to address the concerns created by the growing automation of records held on US citizens in the federal and state government.

In 1984, the United States adopted privacy provisions as part of the Cable Act to protect the privacy of subscriber records. In 1986 the United States extended privacy protections in the federal wiretap statute to new forms of communications, including electronic mail and digital communication. In 1988 we adopted the Video Privacy Protection Act to protect the privacy of video rental records. In 1991 the Telephone Consumer Protection Act was passed to deal with the problems created by autodialers and junk faxes.

In example after example, we have developed privacy rights, enforceable in law, to address public concerns. But in the last several years, the Administration has been unable to coordinate its privacy policies and there has been little success on the legislative front. Our leadership in the privacy field has slipped.

Still, the need to protect privacy is clear. Across the country states have passed new privacy laws on everything from credit record information to limitations on the misuse of the Social Security Number. This week the California legislature will consider a measure to prohibit the sale of databases containing biometric identifiers.

In Congress there are more than ninety privacy measures pending. Some of these bills would protect the privacy of data about children. Others would extend the privacy protection for telephone conversations. There are proposals to protect the privacy of genetic information, and bills that would strengthen the Fair Credit Reporting Act.

Those who argue that the United States has typically protected privacy by self-regulation and industry codes know very little about the long tradition of privacy legislation in this country. It is, however, correct to say that the United States, over the last twenty years, has taken a sectoral approach as opposed to an omnibus approach to privacy protection in the private sector. But it is also important to note that the sectoral approach has several weaknesses. For example, we have federal privacy laws for video records but not for medical records. There are federal privacy laws for cable subscriber records but not for insurance records.

I think the problems with the sectoral approach will become increasingly apparent as commerce on the Internet grows. The Internet offers the ideal environment to establish uniform standards to protect personal privacy. For the vast majority of transactions, simple, predictable uniform rules offer enormous benefits to consumers and businesses.

It is also becoming increasingly clear that the large industry mergers in the telecommunications and financial services sectors have made the sectoral approach increasingly obsolete. Firms now obtain information about individuals from many different sources. There is a clear need to update and move beyond the sectoral approach.

I am confident that we will be able to do this. Our legal tradition is ideally suited to develop the solutions that will protect privacy and promote commerce in this new economic environment.

Failure of Self-Regulatory Approach

Second, it is important to make clear that the self-regulatory approaches that are currently being touted by industry and the administration have not received much support from consumers and users of the Internet. Poll after poll shows that people want legislation, not fine print, to protect privacy on the Internet.

The most recent Harris poll found that 53% of Americans believe that "Government should pass laws now for how personal information can be collected and used on the Internet." Of those polled, 23% said "government should recommend privacy standards for the Internet but not pass laws at this time." Only 19% believe that the government "should let groups develop privacy standards but not take any action now unless real problems arise."

The Harris/BusinessWeek poll is consistent with other polls that have asked similar questions about privacy and the Internet. Contrary to the popular belief that Internet users oppose all forms of government action, when it comes to matters of privacy, they believe new laws are necessary.

The public skepticism about self-regulation for privacy protection is understandable. The commercial incentive to collect and sell data is enormous. The safeguards are weak and easily ignored. Typically, there is little more than fine print. The essential framework for privacy policy -- a Code of Fair Information Practices that sets out the obligations of companies that collect personal information and the rights of individuals that give up personal information -- is often missing, incomplete, or completely unenforceable.

The direct marketing industry, which has long touted industry self-regulation, has one of the worst privacy records of any industry. A 1993 study by Professor Paul Schwartz and Professor Joel Reidenberg found that only half of the industry complies with the industry's own self-regulatory procedures. Even the recent announcement by the Direct Marketing Association that they will require that their members comply with a minimal privacy policy has done little to provide any real assurance for American consumers.

It is true that there are good non-legislative privacy solutions. But these solutions often exist where there is also a legal framework. One interesting lesson that has been learned from looking at the early impact of the EU Data Directive is that a privacy law can help encourage the development of good privacy techniques, while the absence of a privacy law will lead to weaker technical standards. For example, the European Commission is actively promoting anonymous payment systems that could spur electronic commerce and protect privacy interests. The new German multi-media law encourages the adoption of similar techniques to protect privacy.

It is particularly interesting to look at the impact of the two approaches on the development of cryptography, a critical technique to protect privacy and security. The European directive has produced policies more consistent with the interests of both consumers and businesses. But the absence of a clear privacy standard in the US means that less favorable standards are being developed.

Consumer groups, privacy experts, and academics have repeatedly made this point to US officials. A group of consumer and privacy organizations wrote to Senator McCain last year to express support for new privacy legislation for a series of hearings held by the Federal Trade Commission. Earlier this year, more than seventy privacy advocates, experts, and scholars wrote to Commerce Secretary Daley to urge him to carefully assess the adequacy of self-regulation as a means to protect privacy. Regarding a planned conference on privacy, the group said:

The evaluation of the adequacy of self-regulation to protect privacy should be a primary goal of this conference. The Administration has recommended self-regulation to protect privacy in lieu of other policies and approaches. Many believe that the policy has not succeeded and that stronger steps, including legislation, should be considered. With the July 1st deadline for a report to the President approaching, now would be the right time to determine whether in fact self-regulation has worked.

Other Countries are Following the European Lead

The debate over the EU Data Directive often assumes that Europe is acting alone in developing new privacy laws, but this is not the case. Many countries are moving to adopt privacy standards. From Ottawa to Tokyo, efforts are underway to implement private sector privacy laws. Across Eastern Europe countries are developing new privacy rights enforceable in law. Next month the twenty-nine member nations of the OECD will meet in Paris to discuss the application of the OECD Privacy Guidelines to electronic commerce around the globe.

It is largely the United States, not Europe, that has stood alone in the privacy debate.

Europeans Intend to Enforce the Directive

I would also like to say a few words about what I believe to be the view of the European Commission regarding the implementation of the Directive. Over the last several years I have had many meetings with European privacy officials. My sense is that the Europeans are very serious about the Directive, just as we are serious about the protection of our interests, such as controlling software piracy, that may be adversely affected by the lack of safeguards and protections in other countries. In this respect, it should be understood that the EU is not trying to tell the US what to do. It is only trying to protect information about its own citizens when it is transferred abroad.

In a meeting in March in Washington John Mogg, the Director General of DG XV of the European Commission, said that:

The high standards of data protection which our data protection directive seeks to achieve inside the Union will be quickly and fatally undermined if we do not pay attention to what happens to personal data once it leaves our borders.

Mr. Mogg made clear that the EU Directive was a flexible document. But he also said that it is important to ensure that basic data protection rights are protected by enforceable rules with meaningful rights for citizens. This view is shared by the national data protection authorities who are also prepared to take measures to protect the privacy rights of their citizens.

US Seeks to Enforce Surveillance Standards

Even as the United States has opposed the application of European privacy laws to American firms, we have promoted surveillance standards overseas for the Internet and all new communication networks by legal and standard-setting efforts.

With the Communications Assistance for Law Enforcement Act, European manufacturers of a wide range of telecommunications products and services are now required to ensure that their products can be easily wiretapped by US law enforcement agencies. These requirements probably violate international norms for communications privacy, but that has not stopped our government from imposing them on all foreign companies attempting to sell communications products in the US.

Further, on encryption policy, the Administration is trying to force foreign governments to adopt techniques to enable access to confidential communications. Through a series of Freedom of Information Act requests, EPIC has obtained the records of meetings between US officials and officials of foreign governments on the encryption issue. It is clear from these records that the Administration is trying to foist an unwanted and unpopular technical standard on foreign governments. A separate study that we undertook of international encryption policy found little support for the US key escrow/key recovery policies. Even Commerce Secretary Daley recently conceded that the implementation of this policy has been a "failure."

The relationship between our opposition to the European privacy initiative and our support for extending domestic surveillance requirements to other countries is not lost on the European governments. They view our efforts to promote these unsound policies as part of the problem with countries that do not establish adequate privacy protection in law. This point became clear at the EU Ministerial Conference last July where the European governments reaffirmed their support for the Data Directive and expressed their opposition to controls on encryption.

What is to be Done?

If you ask American consumers the same question that officials of the European Union are asking -- "is privacy protection in the United States adequate?" -- you will get the same answer. In fact, when I asked this question over at the Brookings Institution when Mr. Litan released his report, only a few hands in the audience went up. So, what are we arguing about? It is obvious that we have a real problem in this country with this absence of good privacy safeguards and Brussels is not responsible for this.

Of course, I do not dispute that the Data Directive of the European Union may pose some problems for American companies doing business in Europe. Nor does it seem particularly significant that a company operating in Europe which processes data on European citizens in the United States should be subject to the same protections as if the processing took place in Europe.

The critical question is whether the United States government will continue to oppose efforts by foreign governments to protect the privacy rights of their citizens. There has been no glory in our recent campaigns against the EU Data Directive. Our government officials spend more time in Brussels lobbying against the European privacy law than they do in Washington trying to develop sensible privacy safeguards. They will meet with industry groups to compile a detailed list of problems with the EU Directive but they have been unable to organize one public meeting with American consumers or privacy advocates to discuss privacy safeguards.

Nor do I suspect that many Americans would be pleased if they were aware of the efforts underway to actively oppose the adoption of real privacy safeguards. A country that prides itself on human rights should not be campaigning against one of the most important rights in the information age.

The EU Data Directive is not so much a problem as it is a reminder that our privacy laws are out of date and that there is much work to be done in this country to ensure the protection of this essential freedom. Further action against the EU Data Directive will not make the privacy concerns in the United States go away.

In the end, we need stronger privacy safeguards not to satisfy European governments, but to assure the protection of our own citizens. I remain hopeful that this Committee will not lose sight of our country's proud traditions as it considers the issues raised by the EU Data Directive.

Thank you for your attention. I will be pleased to answer your questions.

References

Phil Agre and Marc Rotenberg, eds., Technology and Privacy: The New Landscape (MIT Press 1997)

Colin Bennett, Regulating Privacy (Cornell Press 1992)

Fred Cate, Privacy in the Information Age (Brookings 1997)

David H. Flaherty, Protecting Privacy in Surveillance Societies: The Federal Republic of Germany, Sweden, France, Canada, and the United States (Chapel Hill 1989)

Marc Rotenberg, The Privacy Law Sourcebook: United States Law, International Law, and Recent Developments (EPIC 1998)

Paul Schwartz and Joel Reidenberg, Data Privacy Law: A Study of United States Data Protection (Michie 1996)

Priscilla M. Regan, Legislating Privacy: Technology, Social Values and Public Policy (University of North Carolina Press 1995)

Resources

Electronic Privacy Information Center [http://www.epic.org]

Global Internet Liberty Campaign [http://www.gilc.org]

Junkbusters [http://www.junkbusters.com]

Privacy International [http://www.privacy.org/pi/]

Privacy Rights Clearinghouse [http://www.privacyrights.org]

Attachments

Letter to Senator John McCain (August 1, 1997)

Letter to Secretary Daley (February 28, 1998)