Page 99 - Privacy in a Cyber Age Policy and Practice
law set out ambitious goals for the standardization of privacy protection
in Europe, it was hampered from the start by significant gaps in member
states’ compliance and enforcement. According to one observer, “although
the EU Data Privacy Directive has been approved by the EU itself, it is not
self-implementing. Before taking effect in individual nations, each of the
fifteen EU member countries must pass its own implementing legislation.
As of the effective date, only five had done so.” 75
The directive requires that personal data be processed “only with the
consent of the data subject,” 76 with limited exceptions carved out for
national security, law enforcement, and some basic state functions such as
taxation. 77 The intentionally broad language of the directive includes but
is not limited to such actions as collecting, storing, recording, adapting,
retrieving, and erasing data; and “data” itself is defined broadly enough to
include not only text, but also photographs, video, and sound. Its restrictions
recognize that certain kinds of data are particularly sensitive and vulnerable
to abuse; thus, it contains heightened restrictions on processing data that
would reveal the subject’s personal traits, such as race, ethnicity, religious
beliefs, or health background. In most cases, collecting and passing on
these kinds of information requires the subject’s written consent, or the
companies cannot proceed.
The law also requires a degree of transparency. Data processors must
disclose to their subjects the ways in which they intend to use the data. 78
Finally, in one of the directive’s most restrictive and controversial portions,
the drafters attempted to address the “borderless” nature of the Internet
and the likelihood that user data could be processed in or transmitted to
countries that were not subject to the law’s protections. To protect against
this vulnerability, the directive contains a provision that requires member
states to prohibit the transfer of data to countries that have not adopted
an “adequate level of protection” for personal data. 79 However, as we have
seen, implementing these protections has proven difficult, and enforcement
across Europe has, at best, been inconsistent.
According to a 2011 report from the Center for Democracy and
Technology, “although it is comprehensive in many ways, the [European]
Data Protection Directive has significant weaknesses. Erratic enforcement
and uneven implementation have left consumers and industry confused as
to how the Directive’s principles apply to emerging practices.” 80
In 2011, various EU authorities called for new, stronger privacy protection
measures, especially in response to Facebook; however, so far these
calls have not been translated into new laws, regulations, or enforcement
mechanisms.
Limiting involuntary secondary usages of private information is much
more popular in Europe than in the United States, as evidenced by the fact