How Are Other Countries Reacting to the EU Data Protection Directive?Europe is the world leader in privacy, and we tend to pay a lot of attention to activities there. The EU data protection directive remains the central international privacy document, and American business continues to dance to the European tune.
We are not the only ones worried about the Europeans. Other countries are also watching Europe, and their responses can be instructive.
Closest to home, Canada is debating private sector privacy legislation. Canada has had a federal sector privacy law and a privacy commissioner for years. Many Canadian provinces also have privacy officials, and Quebec has its own private sector privacy law. The federal government has been working toward expanding the existing legislation for a long time.
The current bill, known as C-54, is based on the Canadian Standards Association's Model Code for the Protection of Personal Information. The CSA code was approved in 1995 with support from the government, business, and consumers. The CSA privacy standard is a unique Canadian contribution to the privacy debate, and Canada has been trying to get international standards organizations to recognize it. No one can be surprised that the government decided to use the homegrown code as the centerpiece of its proposal.
Marketers in Canada support this legislation. The Canadian Marketing Association has been on record since 1995 as supporting federal privacy legislation. I continue to be amazed that marketers in Canada are so broad-minded about legislation while U.S. marketers welcome privacy legislation as they would the plague.
The legislation is expected to proceed rapidly through Parliament, with action by the summer a distinct possibility. The provinces, especially Quebec, are unhappy about how responsibilities will be shared between the federal and provincial governments. Privacy advocates complain that the legislation is too weak. However, at this point, passage of the legislation remains likely. Government support has never wavered.
Privacy in Australia has been on a roller coaster. Initially, the government announced it would support private sector privacy legislation. The country already has a law that covers the public sector. Early in 1997, the prime minister reneged on the promise for legislation. He tasked the privacy commissioner with studying alternatives to federal legislation, and a useful and interesting report resulted. To see that report, pay a visit to http://www.privacy.gov.au/.
Late in 1998, the government reversed itself again and agreed to support private sector legislation. Three factors were most important in the second change in position. First, pressure from privacy and consumer advocates was strong and continuing. Second, Australia faces the same need to respond to EU privacy standards as do other countries that do business with EU countries. Third, the states in Australia began to look at passing their own legislation. As we all know from American experiences, divergent state legislation is often unattractive for those who operate in many jurisdictions.
Since the government supports the legislation, prospects are good. While the Privacy Commissioner's recent report was not enough to stem the pro-legislation tide, it will be used as the basis for legislation. The government's proposal will rely heavily on industry codes. Privacy advocates hope to strengthen the legislation as it moves through the Parliament.
New Zealand is a small country, but it is especially interesting because it has operated for over three years under a privacy law covering both the public and private sectors. Bruce Slane, the privacy commissioner, just completed a mandatory review of the law. In case anyone is in suspense over his findings, the title of his report is "Necessary and Desirable."
The New Zealand law is working well and is soundly based, but the commissioner still recommended more than 150 changes. Many of his proposals are technical or minor so the number of recommendations overstates somewhat the need for change. The commissioner's key proposals would expand the law's scope, narrow its exemptions, and increase the penalties.
Direct marketers will be primarily interested in two of the recommendations. First, Slane wants to limit the large-scale use of information from public registers for direct marketing. Privacy officials in Europe and elsewhere are paying more attention to the Internet as a mechanism for wide distribution of public record information. Slane sees the need for strict new limits on Internet distribution of registers.
Second, Slane proposes to expand the existing principle that allows data subjects to request correction of personal information. He wants to create an entitlement for people to be taken off lists used for direct marketing. Complaints about marketing uses of personal information are some of the most common under the New Zealand law.
It is too early to assess whether any or all of the commissioner's recommendations will be adopted. Still, the report offers no evidence of any retreat on the privacy front in New Zealand.
If there is a theme here: that privacy legislation covering the private sector continues to gather steam around the world. More of the world's industrial nations are patterning their privacy activities along the EU model. The United States is becoming increasingly isolated in its approach to privacy. Whether this will strengthen the resolve of EU privacy officials to demand stronger privacy protections in the United States remains to be seen.