In 1980, the Organization for Economic Cooperation and Development (OECD) issued the Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. Commonly known as the OECD Guidelines, they established eight data protection principles for balancing data protection and the free flow of information. Although the OECD Guidelines are recognized by all OECD member nations including the EU and the U.S., they are not legally binding and are thus, implemented differently in different nations. The OECD guidelines address the following aspects of data protection: Collection Limitation, Data Quality, Purpose Specification, Use Limitation, Security Safeguards, Openness, Individual Participation, and Accountability . The five FIPs include: Notice/Awareness, Choice/Consent, Access/Participation, Integrity/Security, and Enforcement/Redress. The FIPs represent a subset of the internationally recognized OECD Guidelines, but they have been the focus of U.S. industry and government guidelines and ideals for the protection of personal data and privacy.
The legal foundation for much EU data protection is found in the 1995 EU Information Directive (Directive 95/46/EC). In July of 2002, the European Commission adopted the Directive on Privacy and Electronic Communications (2002/58/EC). This Directive requires member states of the EU to implement it by October 31, 2003 by passing appropriate national legislation. The 2002 EU Privacy and Electronic Communication Directive makes frequent reference to Directive 95/46/EC. The 2002 EU Privacy and Electronic Communications Directive is mainly directed towards online privacy, while the 1995 Information Directive pertains to privacy issues in law that are not limited to the Internet. The 2002 EU Directive creates additional privacy protections for Internet users on a foundation that was laid by 1995 EU Information Directive.
2.1U.S. Definition of Personal Information
The definition of what constitutes personal privacy is a concept about which there is not unanimity. The latest U.S. approach is indicated by Section 8(8) of the 2003 version of OPPA, which defines personal information as including: “first and last name; home and other physical address; e-mail address; social security number; telephone number; and any other identifier that the Commission [FTC] determines identifies an individual; or information that is maintained with, or can be searched or retrieved by means of, data described immediately above. If the 2003 version of OPPA is enacted into law, the information immediately above would be legally protected in ways provided for by the Act, which provides for notice, choice, access, security, and enforcement, as is discussed in Section 3.
Previous versions of OPPA, introduced in earlier sessions of Congress, categorized certain personal information as “sensitive” including: individually identifiable health information; race or ethnicity; political party affiliation; religious beliefs; sexual orientation; social security numbers; and sensitive financial information.1 Most of the information in the “sensitive” category is both personal, but also “private.” Many people willingly disclose their names to strangers, but few are willing to disclose health information, religious orientation, or sexual orientation to people they do not know unless there are guarantees that such information will be kept confidential and not used for other purposes. The 2003 version of OPPA definition does not contain a category of personal information that is labeled “sensitive.” If the 2003 version of OPPA was enacted into law, its protections would be directed towards users’ names and addresses and the other categories listed in Section 8(8) of OPPA, but there would be no special legal protections for “sensitive” personally identifying information (PII).
2.2EU Definition of Personal Information
As mentioned above, the 2002 EU Directive builds on the privacy protections that are contained in the 1995 EU Information Directive. Article 2(a) of the EU 1995 Information Directive defines “personal data” as “any information relating to an identified or identifiable natural person (data subject); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, psychological, mental, economic, cultural or social identity...” The EU definition appears in accordance with the 2003 version of OPPA, but is perhaps more comprehensive. Protection of PII based on psychological, mental, cultural or social identity is similar to the “sensitive” categories of information labeled in previous versions of OPPA, but not the 2003 version.
The EU 1995 Information Directive defines special “categories of data” that closely correspond to the categories of “sensitive” personal information defined in previous versions of OPPA. In particular, Article 8 of the EU 1995 Information Directive identifies several “special categories of data” and addresses the handling of these categories by stating that, “Member states shall prohibit the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and processing of data concerning health or sex life.” There are a number of exceptions to the prohibitions on member states processing special categories of personal data where the data subject has given his consent. These exceptions include processing that takes place pursuant to employment law in member states, actions intended to protect individuals, data gathering by political, philosophical, or religious organizations, or if the data are made public by the data subject or are made public based on legal claims.
PII typically does not refer to private information, even though it is personal and identifying. A person’s name or phone number may be personally identifying, but it is not generally private information. A weakness with many prior studies of online privacy is that both public and private categories of PII were combined together. Compiling all the names and phone numbers of residents of a town in a single book is not viewed as particularly threatening by most people, whereas compiling lists of Jews, socialists, and hemophiliacs would be viewed with alarm, not only by the data subjects, but also by the public at large. Internet users’ willingness to provide PII to websites depends on the nature of the information (private or public) as well as the kind of website (retail, health care, financial) collecting the information . Although many Internet users are not reluctant to reveal their name, age, or even home address to commercial websites, most of those same users are very opposed to revealing health and financial information as well as their social security numbers to websites .
Relative to current U.S. law, the legal protection provided by the EU is much more directed towards protecting what is traditionally considered “private” information: ethnicity, religion, sexual orientation, political affiliation, medical and financial records. In the U.S., medical and financial records are protected by separate legislation, while most other private information acquired online currently does not have legal protection. It seems clear that passage of the 2003 version of OPPA would not protect possible online misuse of special or sensitive PII that is currently protected from processing by the 1995 EU Information Directive.