Depending upon your point of view, the number of books about privacy published today is impressive, surprising or alarming.
One book of interest is a reference book. “The Privacy Law Sourcebook” was compiled by Marc Rotenberg, executive director of the Electronic Privacy Information Center. EPIC is one of the most influential privacy and Internet advocacy groups, but the book is not an advocacy document.
Rotenberg assembles in one place all the major U.S. and international privacy documents. It has the text of the Fair Credit Reporting Act, Privacy Act of 1974, Drivers Privacy Protection Act and laws relating to school, cable TV and video rental. Among the international section reprints are the critically important OECD Privacy Guidelines from 1981, the Council of Europe Convention on Privacy and the EU Directive. A third section offers laws from British Columbia, Hong Kong and selected EU documents.
For anyone who deals with privacy even occasionally, the book is an indispensable reference. No more searching through law books or Internet sites to find the laws you need. The book can be purchased through EPIC's Web site (www.epic.org).
Another book offers an analysis of the EU Data Protection Directive. The authors of “None of Your Business” are Peter P. Swire, professor of law at the Ohio State University College of Law, and Robert E. Litan, director of the economic studies program at the Brookings Institution. More details about the book, including ordering information, can be obtained at www.brook.edu.
The EU directive has been much discussed. It's the most important document in international privacy and the driving force behind much U.S. privacy activity and privacy laws under development in places such as Canada, Australia and Latin America. Swire and Litan offer a detailed analysis of the directive.
The most refreshing aspect of the book is that the authors take the directive seriously. They do not attack it as an illegitimate attempt to establish a nontariff trade barrier. Instead, they accept the directive on its own terms and recognize that the attempt to control the export of European personal data to other jurisdictions is a logical extension of the basic objective.
That is not to say, however, that the authors have no reservations about the directive. The principal theme of the book is that the application of the directive in the real world is fraught with uncertainty.
Swire and Litan analyze a series of financial and other types of routine transfers. They also discuss export of human resource records, accounting and auditing records, pharmaceutical research records and call centers. In some instances, the directive sets out an express method for data export. But too often, it's difficult to determine exactly how or even whether a particular export is authorized. For example, the directive permits data exports with the consent of the data subject. But there are three different types of consent mentioned in the directive: regular consent, explicit content and unambiguous consent. The substantive and procedural distinctions are not entirely clear. Unambiguous consent may be particularly important because it's one of the exceptions that allows the export of data.
For all the directive's uncertainties, however, it's also clear that some problems were anticipated and solved by the EU. Different paths have been provided to support essential transfers of personal data. Indeed, many major international transactions will be able to continue under the directive with little change or difficulty.
The book concludes with the author's policy recommendations for both the United States and the EU. For the United States, they propose creation of an office of e-commerce and privacy policy at the Department of Commerce. For the EU, they urge acceptance of self-regulatory measures, compliance by contract and resolution of the many remaining uncertainties about application of the directive.
Without question, the authors make a strong case that the directive needs more clarity. They identify in detail the types of problems likely to result from new legislation. Much of the analysis is useful, but some gives in to overreaction. Still, the book is a valuable resource for anyone concerned about the directive.
The book also may have a special interest now. Peter Swire is the recently-appointed privacy counselor at the Office of Information and Regulatory Affairs at the Office of Management and Budget. This is a new position and it isn't entirely clear what his responsibilities will be. He will, however, be a key player in setting and overseeing Clinton Administration privacy policies.
Robert Gellman is a Washington-based privacy and information policy consultant and former chief counsel to the House of Representatives' subcommittee on information, justice, transportation and agriculture. His e-mail address is [email protected].
