DWT, LLP | Practice Areas: Communications, Media & Information Technologies

As the European Database Directive Pressures American Lawmakers, Will the Privacy Tail Wag the First Amendment Dog?

By Bruce E. H. Johnson

To what extent should the government interfere with the private sector in order to protect rights of privacy in the private sector? That question will be discussed in 1998 as the United States addresses pressures from the European Union to increase government regulation of private databases for the sake of privacy. To the extent that the resulting regulatory structure may also hamper or abridge the right of the media to investigate government activity and other matters of public interest and to disseminate news, the European directive may impose substantial strains on well-established First Amendment policies and principles.

In 1995, the European Union issued its Data Protection Directive, which requires EU nations to adopt statutes regulating the processing of personal data within the EU and states, in Article 25, that "personal" information may be transmitted outside of the EU only to those nations that provide an appropriate degree of protection for the privacy rights of the individuals who are the subject of that information.¹ Some EU officials have suggested that countries will not be considered in compliance without comprehensive privacy legislation regulating the processing of data by the private sector. Absent such compliance by the United States, the EU may prohibit data transfers between the EU and the United States. The deadline for compliance is October 1998.

According to the Data Directive, "personal data" is defined broadly to include "any information relating to an identified or identifiable natural person."² An identifiable person is one who "can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity."³ The Data Directive allows personal data to be processed only if the data subject has unambiguously given his or her consent or processing is necessary for compliance with certain duties, obligations, or "legitimate interests" of the processing party.⁴ The Directive also prohibits any processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, or relating to health or sex life unless the data subject legally consents; national employment law permits such processing; the vital interests of the data subject make it necessary; processing is done by a foundation, association, or other nonprofit entity with a political, philosophical, religious or trade-union aim; or the data is manifestly made public by the data subject or is necessary for the establishment, exercise, or defense of legal claims.⁵ Finally, in a seemingly grudging concession, Article 9 allows EU member states to provide for exemptions that would permit the processing of personal data "solely for journalistic purposes or the purpose of artistic or literary expression only if they are necessary to reconcile the right to privacy with the rules governing freedom of expression."⁶

The dangers to the media of such a regime are quite apparent. Under the Data Directive regime, for example, Pat Tornillo's complaint about the way the Miami Herald had processed his "personal data" could entitle him to demand a correction from the newspaper, although the case law under the First Amendment has decisively rejected that position.⁷ Other data subjects could complain about "personal data" retained by members of the media for longer than is necessary for the purposes for which the data were collected or for which they are further processed.⁸

As a practical matter, the EU's Data Directive reflects a very different view of government regulation than Americans are used to. Historically, European legal systems have been very solicitous of, and have granted far more protection to, individual privacy rights than American law has recognized. Most European nations are also more receptive to government regulation of the private sector than are any of the state or federal governments in the United States. The net result is that European law simultaneously allows greater government interference into what Americans consider private economic decision making even while it recognizes greater privacy protections for individuals.

That these two different legal systems place different values on privacy rights is not surprising. Given the differences between American and European views about the role of government, is it logical that (from the American viewpoint) the Europeans would seek to interfere with the rights of private parties in the name of privacy. Dual governmental regulation of private parties' activities (at least as Americans understand them) and protection for individual rights of privacy may be perfectly consistent policies-after all, it is logical that a heavily regulatory legal structure should require more privacy protections than a more laissez faire system. A major difference between America and Europe, however, lies in the definition of privacy. In accordance with the American tradition of limiting governmental powers, privacy protections in the United States generally focus on the risks and dangers of governmental interference in individual privacy-and rarely concern themselves with privacy rights between two private parties. At English common law, for example, there was no actionable right of privacy between two private parties. Other than the recognition by many states of the "hodge-podge of privacy torts"⁹ devised more than a century ago by two Boston lawyers¹⁰ who were critical of media coverage of local socialites, American law has generally avoided broad governmental regulation of private parties for the sake of privacy. With a few discrete exceptions-such as educational records, motor vehicle registrations, telecommunications customer data, video store rental materials, and banking, debt collection, and certain other consumer credit information-the United States government has generally avoided intruding into private activities in the name of privacy. (This may reflect underlying cultural differences as well between America and Europe-a nation that has introduced "JenniCam"¹¹ to the world can hardly claim that privacy rights between private citizens are an overriding political imperative.)

This philosophical point is further complicated by the policies underlying the First Amendment to the United States Constitution. Thus, where information about private individuals is acquired by government, the American media traditionally have exercised a First Amendment watchdog role that allows and even encourages them to scrutinize and monitor such government activity-and also suggests that the government should not interfere even with private parties' rights to collect and transmit information about other private parties. As a result, rather than promoting government regulation of private interests in order to protect rights of privacy, the First Amendment takes the opposite viewpoint-that the private sector, including the media, should be permitted access to government information in order to protect the people from the activities of government. It would seem axiomatic that press freedom in the United States encompasses constitutional, statutory, and common law rights of access to the information that the government has acquired about us. Indeed, for Americans, such a role is the essence of self-government. As a result, if a member of the media publishes accurate information about someone lawfully obtained from public records or from government officials, even if the information is highly personal (i.e. identifying juvenile or rape crime victims), he or she generally cannot be held liable to the subject for any invasion of privacy for disclosure of "private facts"¹² or for other government sanctions.¹³

The EU Data Directive arguably turns that fundamental principle on its head. This impending "clash of civilizations" (to use Professor Huntington's phrase¹⁴) was noted several years ago by Jane Kirtley, executive director of the Reporters Committee for Freedom of the Press. According to Ms. Kirtley, the EU Data Directive "presumes that 'public' information does not really exist. Any data that identifies an individual, even 'directory' information such as name, telephone number, and address, is considered 'personal' information. Under the directive, individuals who process 'personal' information about others are subject to regulation by the government."¹⁵

Similarly, Solveig Singleton argues that "[t]he First Amendment protects citizens' rights to compile information in databases" and that, by attempting "to restrict the transfer of information" that may be interesting and useful to transferor and transferee, the EU Data Directive and similar governmental initiatives create major risks for the American principle of free speech: "A country that takes the freedom of information seriously cannot properly prohibit one business from communicating information about real events and real people to other businesses."¹⁶

Thus far, American politicians have focused their efforts in responding to the European Data Directive in connection with databases accumulated as a result of electronic commerce.¹⁷ The Clinton Administration, under the direction of Ira Magaziner, has sought to craft a response to the Directive that is consistent with American policy and practice. In July 1997, the Administration issued its policy paper, A Framework for Global Electronic Commerce, in which it advocated a market-driven response, relying largely upon industry self-regulation. Certainly, Article 26(2) of the EU Directive recognizes that appropriate privacy protections may be provided through contractual clauses. In November 1997, however, an Administration official suggested that, if there was not sufficient progress on private privacy efforts within the next eight months, the United States government would be forced to adopt privacy legislation to implement the Data Directive.¹⁸ Prior to the EU Data Directive, the differences in American and European styles of regulation and the accompanying constitutional issues have been of interest to comparative legal scholars but have had little practical significance to First Amendment practitioners. That may change, however, as American authorities struggle during the next several months over their response to the European Union's directive on data protection, which reflects the European and not the American viewpoint on privacy rights and the rights of private parties, including the media, to monitor governmental affairs and report on matters of public interest. Given the potential First Amendment problems presented by any comprehensive governmental privacy regulation of private parties' collection, use, and transmission of information, the debate will likely be an interesting one. u Bruce Johnson is a partner in the firm's Seattle office. A member of the Washington and California State Bars and the firm's Communications, Media and Information Technologies Department, he handles litigation matters involving First Amendment, defamation, invasion of privacy, and related issues.

Endnotes

1. "Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and the free movement of such data," published in 1995 O.J. (L281) 31.

2. Data Directive, supra note 1, at Ch.I, art. 2.

3. Id.

4. Id. at Ch. II, § II, art. 7.

5. Id. at Ch. II, § III, art. 8.

6. Id. at Ch. II, § III, art. 9.

7. See Miami Herald Publ'g Co. v. Tornillo, 418 U.S. 241 (1974).

8. Data Directive, supra note 1, at Ch. II, § I, art. 6. European Database

9. Solveig Singleton, Privacy as Censorship: A Skeptical View of Proposals to Regulate Privacy in the Private Sector, Cato Inst. Pol'y Analysis No. 295, at 3 (Jan. 22, 1998) (http://www.cato.org/pubs/pas/pa-295.html).

10. See Louis D. Brandeis & Samuel D. Warren, The Right of Privacy, 4 Harv. L. Rev. 193 (1890)

11. See http://www.jennicam.org, a website containing live, continuous and unedited video images of the website creator's bedroom.

12. See Restatement (Second) of Torts at § 652D, cmt. b (1977); see also Cox Broad. Corp. v. Cohn, 420 U.S. 469 (1975) (state may not constitutionally permit an award of damages for the accurate publication of information contained in judicial records that are open to the public).

13. See, e.g., Florida Star v. B.J.F., 491 U.S. 524 (1989); Smith v. Daily Mail Publ'g. Co., 433 U.S. 97 (1979); Oklahoma Publ'g. Co. v. District Court, 430 U.S. 308 (1977).

14. Samuel P. Huntington, The Clash of Civilizations and the Remaking of the World Order (1996).

15. Jane E. Kirtley, The EU Data Directive and the First Amendment: Why a "Press Exemption" Won't Work, 80 Iowa L. Rev. 639, 640 (1995).

16. Singleton, supra note 9, at 5, 20.

17. The current legislative response is in the form of a proposed amendment to the Copyright Act; it provides civil and criminal penalties for using commercially a non-governmental database compiled by another in a manner that undermines the market value of the database. Uses of database information for news reporting, education, science, and research are exempt from the bill. H.R. 2652, 105th Cong. (1997). The bill passed the House Judiciary Committee on March 24, 1998.

18. Administration Won't Pursue Privacy Laws If Private Sector Initiatives Are Forthcoming, 2 Elec. Info Policy & Law Rep. (BNA) 1207 (Nov. 19, 1997) (comments by Barbara Wellberry, special counsel for electronic commerce at the Dept. of Commerce, before District of Columbia Bar, Nov. 12, 1997).