The Guidelines contain a set of data privacy principles similar to those stipulated in “the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data.”¹³ The Guidelines have been very influential on the drafting of data privacy laws and standards in non-European jurisdictions, such as Australia, New Zealand, and Canada.¹⁴ They have also been formally endorsed—though not necessarily implemented—by numerous companies and trade associations in the USA.¹⁵ Further, they constitute an important point of departure for ongoing efforts by the Asia-Pacific Economic Cooperation (APEC) to draft a set of common data privacy principles for jurisdictions in the Asia-Pacific region.¹⁶

In terms of other international legal instruments, there does not exist a truly global convention or treaty dealing specifically with data privacy. The call to the United Nation (UN) was made in a declaration adopted at the 27th International Conference of Data Protection and Privacy Commissioners in Montreux in early September of 2005.

In what they have called “the Montreux Declaration,” the commissioners also call for governments to encourage the adoption of legislation in line with recognized data protection principles and to extend it to their mutual relations; and for the Council of Europe to invite non-member states of the organization to ratify the Convention for the protection of individuals with regard to automatic processing of personal data and its additional protocol.

International organizations have been asked to commit themselves to complying with data protection rules; international non-governmental organizations (NGOs) have been asked to draw up data protection standards; and hardware and software manufacturers have been asked to develop products and systems that integrate privacy-enhancing technologies.

The nature of the legally binding instrument to be adopted by the UN is not prescribed; but Swiss data-protection commissioner Hanspeter Thür told SwissInfo.org that it could be a text adopted by the UN in the same way as human-rights provisions.

Progress in implementing the objectives will be subject to a regular assessment. The first such assessment will be carried out at the 28th International Conference, due to take place in September 2006 in Argentina.

The commissioners also adopted a resolution presented by Germany on the use of biometric data in passports, ID cards, and travel documents. In it, the commissioners call for effective safeguards to be built in so as to limit the risks inherent in biometrics. They also adopted a resolution from Italy on the use of personal data for political communication purposes.¹⁷

Within the European Union (EU), several Directives on data privacy have been adopted, the first and most important of which is “Directive 95/46/EC on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of such Data” (hereinafter “EU Directive”).¹⁸ This instrument is binding on EU member states. It is also binding on non-member states (Norway, Iceland and Liechtenstein) that are party to the 1992 Agreement on the European Economic Area (EEA). While the Directive is primarily a European instrument for European states, it exercises considerable influence over other countries not least because it prohibits (with some qualifications) transfer of personal data to those countries unless they provide “adequate” levels of data privacy (see Articles 25–26).¹⁹ Many non-European countries are passing legislation in order, at least partly, to meet this adequacy criterion.²⁰

Furthermore, the Directive stipulates that the data privacy law of an EU state may apply outside the EU in certain circumstances, most notably if a data controller,²¹ based outside the EU, utilizes “equipment” located in the state to process personal data for purposes other than merely transmitting the data through that state (see Article 4 <1> <c>).²² All of these provisions give an impression that the EU, in effect, is legislating for the world.²³

Although the Directive establishes what a company can and cannot do with the data they hold, yet it does not make any specific provisions with regard to e-mail or more specifically, e-mail marketing. Unsolicited e-mail, i.e., “spam” is becoming a growing problem that is costing business worldwide a staggering £6bn per year in online connection costs.²⁴ As the European Parliament and the Council of the European Union conceive: the Internet is overturning traditional market structures by providing a common, global infrastructure for the delivery of a wide range of electronic communications services, publicly available electronic communications services over the Internet open new possibilities for users but also new risks for their personal data and privacy. So-called spyware, Web bugs, hidden identifiers, and other similar devices can enter the user’s terminal without their knowledge in order to gain access to information, to store hidden information or to trace the activities of the user and may seriously intrude upon the privacy of these users. The use of such devices should be allowed only for legitimate purposes, with the knowledge of the users concerned.²⁵

Therefore, a new EU anti-spam law—Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) ²⁶ came into force on December 11, 2003, and is already having a dramatic effect on the amount of spam sent to computer users. Under the Directive, spyware becomes illegal software.²⁷ This Directive’s implementation glorifies the formal stepping in the global anti-spam war of EU and is an important weapon to enhance the consumer’s confidence on Internet and e-communication as well.²⁸

By contrast, the US legal regime for data privacy is much more atomized. While there is fairly comprehensive legislation dealing with federal government agencies,²⁹ omnibus legislative solutions are eschewed with respect to the private sector. Legal protection of data privacy in relation to the latter takes the form of ad hoc, narrowly circumscribed, sector-specific legislation, combined with recourse to litigation based on the tort of invasion of privacy and/or breach of trade practices legislation.³⁰ European-style data privacy agencies do not exist.

At the same time, though, a “safe harbor” agreement has been concluded between the USA and EU allowing for the flow of personal data from the EU- to US-based companies that voluntarily agree to abide by a set of “fair information” principles based loosely on the EU Directive. The scheme, which so far has attracted over 500 companies,³¹ has been held by the European Commission to satisfy the Directive’s adequacy test in Article 25.³²

Today, much of the privacy regulation in the USA occurs at the state level, where many of the 50 states have enacted privacy laws that govern specific industries, issues, or practices. Often, these laws are inconsistent, so that a set of business practices that is legal and commonplace in one state may be prohibited just across the state line. In addition, the number of state privacy laws is increasing quickly—for example, more than 20 states have passed separate financial privacy laws just since the beginning of 2004.

At the same time, Congress has enacted federal privacy legislation specific to certain industries. For instance:

Finally, a bill announced on February 8, 2006, in Congress would require every Web site operator to delete information about visitors, including e-mail addresses, if the data is no longer required for a “legitimate” business purpose.³⁹