In order to understand the Directive, it is necessary to understand how and why EU and US perspectives on data protection and privacy differ. The United States prefers what is called a 'sectoral' approach to data protection legislation, relying on a combination of legislation, regulation, and self-regulation rather than overarching governmental regulations. Former U.S. President Bill Clinton and former Vice President Al Gore explicitly recommended in their "Framework for Global Electronic Commerce" that the private sector should lead, and that companies should implement self-regulation in response to issues brought on by Internet technology. To date, the US has no single, overarching privacy law comparable to the EU Directive. Privacy legislation in the United States tends to be adopted on an "as needed" basis, with legislation arising when particular sectors and circumstances require it (e.g., the Video Privacy Protection Act of 1988, the Cable Television Consumer Protection and Competition Act of 1992, and the Fair Credit Reporting Act). Therefore, while certain sectors may already satisfy the EU Directive, at least in part, most do not.
The reasoning behind this approach probably has as much to do with American laissez-faire economics as with different social perspectives. The First Amendment of the United States Constitution guarantees the right to free speech. While free speech is an explicit right guaranteed by the United States Constitution, privacy is an implicit right guaranteed by the Constitution as interpreted by the United States Supreme Court. Nowhere in the US Constitution does the word 'privacy' appear. Europeans, however, have an entirely different attitude.
Europeans are acutely familiar with the dangers of uncontrolled use of personal information from their experiences under World War II-era fascist governments and post-war Communist regimes, and are highly suspicious and fearful of unchecked use of personal information. During World War II and the post-war period, disclosure of race or ethnicity in Europe led to secret denunciations and seizures that sent friends and neighbors to work camps and concentration camps. Europe has experienced atrocities directly related to privacy and the release of personal information that are inconceivable to most Americans. In the age of computers, Europeans' guardedness about secret government files has translated into a distrust of corporate databases, and governments in Europe took decided steps to protect personal information from abuse in the years following World War II. Germany and France, in particular, set forth comprehensive data protection laws.
In 1980, in an effort to create a comprehensive data protection system throughout Europe, the Organization for Economic Cooperation and Development (OECD) issued its “Recommendations of the Council Concerning Guidelines Governing the Protection of Privacy and Trans-Border Flows of Personal Data.” The seven principles governing the OECD’s recommendations for protection of personal data were:
The OECD Guidelines, however, were nonbinding, and data privacy laws still varied widely across Europe. The US, meanwhile, while endorsing the OECD’s recommendations, did nothing to implement them within the United States. However, all seven principles were incorporated into the EU Directive.
The European Commission realised that diverging data protection legislation in the EU member states would impede the free flow of data within the EU zone. Therefore the European Commission decided to harmonize data protection regulation and proposed the Directive on the protection of personal data.
The Directive's definition of "personal data" is meant to be very broad. Data are "personal data" when someone is able to link the information to a person, even if the person holding the data cannot make this link. Some examples of "personal data" are: address, credit card number, bank statements, criminal record, etc.
"Processing" means "any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction" (art. 2 b).
The responsibility for compliance rests on the shoulders of the "controller", meaning the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data (art. 2 d).
The data protection rules apply not only when the controller is established within the EU, but whenever the controller uses equipment situated within the EU in order to process data (art. 4). Controllers from outside the EU that process data in the EU will therefore have to follow the data protection regulation. In principle, any online business trading with EU citizens would process some personal data and would be using equipment in the EU to process that data (i.e. the customer's computer). As a consequence, the website operator would have to comply with the European data protection rules. The Directive was written before the breakthrough of the Internet, and to date there is little jurisprudence on this subject.
Data may be processed only under the following circumstances (art. 7):
The data subject has the right to access all data processed about them. The data subject also has the right to demand the rectification, deletion or blocking of data that is incomplete, inaccurate or is not being processed in compliance with the data protection rules (art. 12).
When sensitive personal data (for example religious beliefs, political opinions, health, sexual orientation, race, membership of past organisations) are processed, extra restrictions apply (art. 8).
The data subject may object at any time to the processing of personal data for the purpose of direct marketing. (art. 14)
A decision which produces legal effects or significantly affects the data subject may not be based solely on automated processing of data (art. 15). A form of appeal should be provided when automated decision-making processes are used.
The controller must notify the supervisory authority before he starts to process data. The notification contains at least the following information (art. 19):
This information is kept in a public register.
The European Commission has set up the "Working party on the Protection of Individuals with regard to the Processing of Personal Data," commonly known as the "Article 29 Working Party". The Working Party gives advice about the level of protection in the European Union and third countries.
The Working Party negotiated with U.S. representatives about the protection of personal data; the Safe Harbor Principles were the result. According to critics, the Safe Harbor Principles do not provide an adequate level of protection, because they impose fewer obligations on the controller and allow the contractual waiver of certain rights.
In July 2007, a new, controversial Passenger Name Record (PNR) agreement between the US and the EU was signed.
In February 2008, Jonathan Faull, the head of the EU's Commission of Home Affairs, complained about the US bilateral policy concerning PNR. In February 2008 the US had signed a memorandum of understanding (MOU) with the Czech Republic in exchange for a visa waiver scheme, without first consulting Brussels. The tensions between Washington and Brussels are mainly caused by the lower level of data protection in the US, especially since foreigners do not benefit from the US Privacy Act of 1974. Other countries approached for bilateral MOUs included the United Kingdom, Estonia, Germany and Greece.