European Union Privacy
The European Union has taken an aggressive pro-privacy stance, while balancing the needs of business. Commerce would be impacted if member nations had different regulations regarding the collection and use of personally identifiable information. The EU Data Protection Directive allows for the free flow of information while still maintaining consistent protections of each member nation’s citizens’ data. The principles of the EU Data Protection Directive are:
- Notifying individuals how their personal data is collected and used
- Allowing individuals to opt out of sharing their personal data with third parties
- Requiring individuals to opt into sharing the most sensitive personal data
- Providing reasonable protections for personal data
OECD Privacy Guidelines
The Organization for Economic Cooperation and Development (OECD), though often considered exclusively European, consists of 30 member nations from around the world. The members, in addition to prominent European countries, include such countries as the United States, Mexico, Australia, Japan, and the Czech Republic. The OECD provides a forum in which countries can focus on issues that impact the global economy. The OECD will routinely issue consensus recommendations that can serve as an impetus to change current policy and legislation in the OECD member countries and beyond.
An example of such guidance is found in the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, which was issued in 1980. Global commerce requires that a citizen’s personal data flow between companies based in divergent regions. The OECD privacy guidance sought to provide a basic framework for the protections that should be afforded this personal data as it traverses the various world economies. The eight driving principles regarding the privacy of personal data are as follows:
- Collection Limitation Principle — personal data collection should have limits, be obtained in a lawful manner, and, unless there is a compelling reason to the contrary, with the individual’s knowledge and approval.
- Data Quality Principle — personal data should be complete, accurate, and maintained in a fashion consistent with the purposes for the data collection.
- Purpose Specification Principle — the purpose for the data collection should be known, and the subsequent use of the data should be limited to the purposes outlined at the time of collection.
- Use Limitation Principle — personal data should never be disclosed without either the consent of the individual or as the result of a legal requirement.
- Security Safeguards Principle — personal data should be reasonably protected against unauthorized use, disclosure, or alteration.
- Openness Principle — the general policy concerning collection and use of personal data should be readily available.
- Individual Participation Principle — individuals should be:
  - Able to find out if an entity holds any of their personal data.
  - Made aware of any personal data being held.
  - Given a reason for any denials to account for personal data being held, and a process for challenging any denials.
  - Able to challenge the content of any personal data being held, and have a process for updating their personal data if found to be inaccurate or incomplete.
- Accountability Principle — the entity using the personal data should be accountable for adhering to the principles above[^5].