The European Community has gone far beyond the United States in its efforts to protect privacy rights. A Directive passed by the European Parliament in November 1995 requires that, among other things, personal data can only be processed if the subject has granted “unambiguous consent” to the collection and disclosure and use of the information. Article 25 of the Directive specifically covers the transfer of personal data from European Union countries to countries outside of the European Union and only allows transfers of personal data to those countries which afford an adequate level of protection for privacy of data or if adequate safeguards are implemented, i.e. contracts to specifically protect and preserve the data. It is still not clear whether the United States will be deemed adequate for purposes of the transfer of personal data from European Union countries in accordance with Article 25. The transfer of personal data to the United States from Europe will likely be evaluated based upon the federal, state, and local privacy laws in effect as well as any specific contractual arrangements that are in place to protect and preserve the specific data at issue.
Any business, large or small, doing business on the Internet must consider itself a global business, and the impact of the European privacy initiative may have an effect on their operations. The collection of data on-line to enhance marketing or advertising may be an acceptable practice in the United States but falls under the more severe restrictions that protect such personal data in Europe.