Privacy concepts: US v. EU

When it comes to Privacy Law, Europe and the U.S. are not on the same page. What is the problem? This is not the place to give an extensive answer, but here is what I think the difference boils down to:

Under the European Data Protection directives, the user (the "data subject") owns a set of legal rights entitling him to control data that are describing him, regardless of who had access to the data. Contrary to this, in the U.S. legal system, he who has rightful access to data "owns" the data and may make use of such data; such use may be limited, too, but the reasons for such limitation rely on different grounds than in the European Union.

In the European Union, a user basically has the right to be informed about how data are used (notice requirement), and to prevent any use he does not agree to (consent requirement). In short, and a bit simplified: Without consent use is forbidden. In essence, this mechanism resembles to any other Intellectual Property rights (such as Copyright, Patent and Trademark rights).

The U.S. do not have a framework similar to the European one. As a general rule, whoever has unrestricted access to data "owns" it and may use the data to the extent as such use is not forbidden. The main reasons why use could be forbidden, are

(1) the user gives restricted access only. As an example, before conveying data he makes the recipient agree to use the data only for a limited purpose. Typically, a company gives such commitment in its privacy policy. If the user and a Company "agree" on a later opt-out right, this means that the user shall be able to say "no" later, instead of at the very beginning of the contact.

(2) statute: a company does not meet some specific duties established by a statute (such statutes may be The Gramm-Leach-Bliley Act, CAN-SPAM, or others) or

(3) access to data was unlawful.

For that mechanism to work, a privacy statement plays a very important role in the U.S. The privacy statement must properly describe the privacy practices, otherwise the company may be found to engage in unfair competition. However, in the U.S., it seems not to be necessary that a user actually agrees to a company's privacy practices. As long as the user does not object at the time of collection, the company should be fine (if it also is in compliance with any additional requirements established by statutes).

Contrary to this, a company subject to European data protection law needs to bother ways more about how to get the consent necessary to collect and use data.