industry-based codes of practice, and the E.U. Directive itself encourages greater use of such codes (see E.U. Directive, Article 27). Moreover, data privacy regimes in each country are far from static. For example, Swedish legislation originally operated with relatively extensive licensing and notification requirements; now it has dispensed entirely with a licensing scheme and cut back notification requirements to a minimum. There is movement too at a broader European level. For instance, while West European data privacy regimes have traditionally relied heavily on paternalistic control mechanisms,[135] they now show greater readiness to rely more on citizen action, supplemented by greater readiness to embrace market mechanisms for the regulation of data processing. This notwithstanding, European jurisdictions (in contrast to, say, the United States) generally still maintain a relatively non-negotiable legislative baseline for the private sector.

Across the Atlantic, Canada comes closest of the North American countries to embracing the European approach. There is now federal legislation in place in Canada to ensure the comprehensive protection of data privacy in relation to both the public and private sectors.[136] Some Canadian provinces have already enacted data privacy legislation in relation to provincial and local government agencies and/or the private sector.[137] Data privacy agencies exist at both federal and provincial levels. The Commission of the European Communities (hereinafter termed “European Commission”) has formally ruled that, in general, Canada offers “adequate” protection for data privacy pursuant to Article 25 of the E.U. Directive.[138]

By contrast, the U.S. legal regime for data privacy is much more atomized. While there is fairly comprehensive legislation dealing with federal government agencies,[139] omnibus legislative solutions are eschewed with respect to the private sector. Legal protection of data privacy in relation


[135] That is, control exercised by government bodies (primarily data privacy agencies) on behalf and supposedly in the best interests of citizens (data subjects).

[136] See Privacy Act of 1982; Personal Information Protection and Electronic Documents Act of 2000.

[137] See, for example, Quebec’s Act on Protection of Personal Information in the Private Sector of 1993.

[138] Decision 2002/2/EC of 20.12.2001 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data provided by the Canadian Personal Information Protection and Electronic Documents Act (O.J. L 2, Jan. 4, 2002, p. 13 et seq.).

[139] Most notably the Privacy Act of 1974 (P.L. 93-579) and the Computer Matching and Privacy Protection Act of 1988 (P.L. 100-503). Note also the limited protection of data privacy afforded under the Constitution as construed by the Supreme Court: see especially Whalen v. Roe, 429 U.S. 589 (1977). See further, for instance, Schwartz and Reidenberg, Data Privacy Law, 1996, Chapter 4.

The National Academies of Sciences, Engineering, and Medicine

Copyright © National Academy of Sciences. All rights reserved.