How did that charity get my address? Why Europeans know, and Americans don't
Juliana Jorge
Being a lawyer from Brazil, and having lived in New York before moving to Madrid to work in private practice as a privacy law expert, I am in a unique position to understand the different cultural and legal perspectives on privacy in each country. And there are, no doubt, some major differences. I’ve seen it with my own personal information.
With the development of a global market, as well as with the advance of technology at a mind-blowing pace, it seems that privacy is being discussed more and more every day, and everywhere. However, it is clear that the approach to privacy is not the same on both sides of the Atlantic. While Europe has a much stricter perspective on privacy, the U.S. seems to be more open about the matter. I would refer to Europe and not the rest of the world, because where there is legislation on data protection, the rules are strongly based on the European privacy framework.
The differences regarding the way privacy and data protection are regulated in Europe and in the U.S. are well-defined. While in Europe there is a unified supra-national directive that sets the rights and principles for the processing of personal data in general terms, called the Data Protection Directive, in the U.S. there is no specific and centralized legislation applicable at the federal level – laws are regional and sector-based, instead. Also, the U.S. bases its privacy regulation on a self-regulatory approach, allowing companies to establish their own rules regarding the use of consumer information.
On the one hand, in Europe, for a company to process your personal information – even if it’s only your name – it is necessary to ask for your consent, with some strict exceptions. Also, the company must inform a Supervisory Authority of the processing of personal information and must guarantee the rights that are granted to consumers, such as access to the information. On the other hand, in the U.S., there is no general legislation that regulates the processing of consumers’ personal data and in many cases the selling of information to other companies.
As a practical example of the consequences of these two types of regulation, I can tell you what happened to me weeks ago. I have been living in Spain for the past seven years and I don’t have an address in the U.S. But in the past, I have purchased items online at Amazon or Apple, and had them shipped to a friend’s address in Brooklyn in advance of a visit to New York. Recently, I received a letter from the Leukemia and Lymphoma Society with my full name at her address. The letter was only asking for a donation. No harm done. But it made me wonder… who else has my information in the U.S.? After reading the privacy notice on Amazon I learned that, according to it, Amazon wouldn’t give my information to the Leukemia and Lymphoma Society. And it’s not like I bought a book on a subject related to cancer that could indicate I have an interest in this subject. Well, after taking a look at the Apple privacy policy I can tell that Apple, in theory, was not part of this “information flying around” scheme, if it really uses my information as it describes in this policy.
So, I just wonder… how? Who? When?
Now, if this had happened in Spain, for instance, I could call the Leukemia and Lymphoma Society and ask for the source of my information. By law, they are required to give me that kind of information. So let’s say they would tell me they bought the database from Amazon. In that case, I could file a complaint with the Spanish Data Protection Authority, since Amazon, according to its policy, did not have my consent to sell or transfer my information to a third party like the Leukemia and Lymphoma Society. I also have the right to ask the Society to delete my information and not use it again. But that would be in Spain; how about the U.S.? There, consumers are left to simply keep wondering how? Who? Why?
Taking into account that the law is usually a reflection of society’s values, you may ask, “Why is the way privacy is regulated in the U.S. and Europe so different?” We could write a monograph about the subject; however, in general terms, we could say that the legislators in the U.S. seem more interested in protecting the market than the consumer. Just remember, we are talking about the largest capitalist marketplace in the world. Also, we have to take into account the participation of different groups in the creation of the legal framework. While the European Directive was basically created by a Working Party of privacy experts, without the participation of business interest groups, in the U.S., the creation of a privacy legal framework had the participation of business and technology interests with the aid of the Department of Commerce.
There is no question that there is plenty of space for discussion about which system is more adequate to the current state of technology and the global market. However, there is no question that with the increase of information flow, the U.S. and Europe will have to find points in common regarding the processing of information in order to allow the development of the global market that requires this kind of information flow.
Contributor Juliana Jorge is a leader in global privacy laws. She grew up and studied in Brazil, and lived in New York before moving to Madrid to work in private practice as a privacy law expert for ECIX Group. Previously by Juliana Jorge: The real fallout (in Europe) from the NSA scandal.