20 December 1997
Date: Thu, 18 Dec 1997 16:37:07 -0500 (EST)
To: cypherpunks@cyberpass.net
From: Peter Swire <swire.1@osu.edu>
Subject: Draft book on European data privacy law

Greetings:

Although not specifically on crypto, we have a draft book on my web site that might be of interest to readers of the list. The book will be published by the Brookings Institution in 1998, and is entitled "None of Your Business: World Data Flows, Electronic Commerce, and the European Privacy Directive." The focus of the book is on the effect of the European Data Protection Directive, which goes into effect in October 1998. The book is available from www.osu.edu/units/law/swire.htm.

I've been around this list long enough to know how much many contributors hate laws and regulations that govern how data is supposed to flow from one place to another. The European privacy laws are real and quite stringent in many respects, so you may, despite your visceral distaste, want to learn more about them.

Of particular interest to people here may be Chapter Four: "The Tension Between Data Protection and Modern Information Technologies." I am already aware of a couple of glitches in the draft, such as the definition of an Intranet. But I would be very interested in comments on this or other chapters.

To give a sense of the book's coverage, I am enclosing the draft table of contents.

Thanks for any comments you may have. I'm doing a big rewrite during the next several weeks.

Peter Swire

==========================

CHAPTER ONE: INTRODUCTION
  A. "None of Your Business."
  B. Some Reasons for Data Protection Laws.
  C. Overview of the Book.

CHAPTER TWO: THE LEGAL CONTEXT [not included in this interim report]
  A. Comparing the European and American Approaches to Privacy.
  B. Provisions of the Directive.

CHAPTER THREE: PREPARING TO ASSESS THE TRANSBORDER EFFECTS OF THE DIRECTIVE
  A. Defining the Baselines: What are the Trans-border Effects of the Directive?
  B. Why What is Legal Under the Directive Matters.

CHAPTER FOUR: THE TENSION BETWEEN DATA PROTECTION AND MODERN INFORMATION TECHNOLOGIES
  A. Mainframes.
    1. Transborder Data Flows.
    2. Compliance by Mainframes.
    3. Contracts and Codes of Conduct for Mainframes.
  B. Client/Server Systems, Intranets, and Extranets.
    1. Client/Server Architecture.
    2. Intranets.
    3. Extranets.
  C. Internet: E-mail, Telecopies, and the Web.
    1. Electronic Mail.
    2. Telecopies.
    3. The Web.
  D. Bringing Laptops or Personal Organizers Out of Europe.
  E. The Hardware and Software Industries and the Level of Electronic Commerce.
  F. Summary of Effects on Information Technologies.

CHAPTER FIVE: ISSUES AFFECTING A WIDE RANGE OF BUSINESSES AND OTHER ORGANIZATIONS
  A. Human Resources Records.
  B. Auditing and Accounting.
  C. Business Consulting.
  D. Call Centers and Other Worldwide Customer Service.
  E. Processing Permitted Under Article 7 but Not Article 26.
  F. Conclusion.

CHAPTER SIX: THE FINANCIAL SERVICES SECTOR
  A. Payments Systems.
  B. Sale of Financial Services to Individuals.
  C. Sale of Financial Services to Businesses.
    1. Reinsurance.
    2. Loan Participations.
  D. Investment Banking.
    1. Market Analysis.
    2. Hostile Takeovers.
    3. Due Diligence.
    4. Private Placements and Other Sales to Europeans.
    5. Other Issues for European Companies Raising Money in the U.S.
  E. Mandatory Securities and Accounting Disclosures.
    1. Legally Required Disclosures.
    2. Disclosures Required by Accounting or Stock Exchange Rules.
    3. Disclosures that are Not Strictly Required.
  F. Individual Credit Histories.
    1. Providing Information to Credit Agencies or Sharing It Among Agencies.
    2. Receiving Credit Reports.
  G. Corporate Credit Histories.

CHAPTER SEVEN: OTHER SECTORS WITH LARGE TRANSBORDER COMPONENTS
  A. The Press.
  B. Effects Generally on Non-Profit Organizations.
  C. International Educational Institutions.
  D. International Conferences.
  E. Effects on Non-European Governments.
  F. Research and Marketing for Pharmaceuticals and Medical Devices.
  G. Business and Leisure Travel.
    1. Reservation Systems.
    2. Frequent Flyer Miles and Other Affinity Programs.
  H. Internet Service Providers.
  I. Telephone Networks.
    1. Calling Card Calls.
    2. Enhanced Services, Including Caller ID.
    3. Cellular Roaming.
    4. The Proposed Telecommunications Directive.
  J. Retailing and Other Direct Marketing.
    1. Traditional Direct Marketing--Catalogues and Customers Lists.
    2. Direct Marketing and Electronic Commerce--Toward a "Market of One"?

CHAPTER EIGHT: CONCLUSION AND POLICY RECOMMENDATIONS
  A. Differing Information Cultures and the Dilemmas of Enforcement.
  B. Seeking to Resolve the Dilemmas: Some Policy Recommendations.
    1. Sectors with Significant Privacy Legislation.
    2. Sectors with Functional Similarity.
    3. Sectors Where Transfers Can and Should be Approved by Data Protection Authorities.
    4. Routine Transfers Where the Benefits Outweigh the Likely Privacy Harms.
    5. Clarification of the Article 26 Exceptions and Other Provisions.
    6. The Internet.
    7. The Political and Legal Process for Resolving Disputes.

-------------------
Prof. Peter Swire
Ohio State University
College of Law
(614) 292-2547
mailto:swire.1@osu.edu
http://www.osu.edu/units/law/swire.htm
(revised site now includes draft book on European Privacy Directive and Internet Privacy Page)