Chapter 19: Major Dilemmas Facing Privacy Practitioners

William B. Wilhelm, Jr.

Deciding on Choice of Law

The scope and direction of privacy law are changing so rapidly that the dilemmas facing a chief privacy officer or other privacy advisor are numerous. Some of the more significant issues facing privacy practitioners are in the area of choice of law, as well as the practical challenges facing those engaged in the development of corporate privacy policies.

When first addressing privacy compliance matters, it is essential to determine what law to apply. The basic question of choice of law is significant because it identifies the proper legal framework to apply to a compliance question. In many cases lawyers apply the law of the jurisdiction in which a transaction occurs.

The problem with electronic transactions is, of course, that there is often no physical location where goods are sold or documents signed. If, for example, the officer of a Delaware corporation buys goods from a vendor in France and electronically "signs" documents while on vacation in Germany, seeking delivery of the goods in Peru - what privacy law applies to the transaction? The analysis is further complicated by the fact that this information may be stored or carried by Internet service providers in other countries. If the officer submits personal financial information as part of the transaction, and she did not consent to the disclosure of this information to third parties without prior approval, can the Mexican ISP processing the transaction for the vendor nevertheless aggregate her information and sell it to others? If so, is the action a breach of contract, a tort, or some other claim? In answering these questions do you look to the law of Delaware or New York? If the state laws afford a right of action for violation of the officer's privacy rights, are those laws preempted by a Federal statute or the law of another country? Further, can the bill of sale determine the privacy rights of the officer, or are the contract provisions superseded by the rules of a particular regulatory body?

While these questions are of significant interest to large law firms, law professors, and their sleep-deprived students, the proliferation of overlapping and conflicting laws is of little comfort to the thousands of large and small companies that would otherwise find electronic commerce a compelling and rewarding business medium. There is little doubt that despite the dot-com flameouts of the 1990s, electronic commerce is an extraordinarily efficient and compelling distribution channel. While the medium has created an extraordinary opportunity to collect, efficiently process, and harvest information, in my experience most companies are genuinely interested in complying with all of their legal and regulatory obligations concerning the use of this information. The current lack of legislative and judicial focus on choice of law doctrine for electronic commerce transactions has unfortunately made privacy law compliance an unavoidably complex and cumbersome endeavor for even the most knowledgeable practitioners.