Risk
7/13/2011
05:56 PM
50%
50%

Don't Foist Euro-Style Online Privacy On The U.S.

As Congress debates numerous privacy bills, don't assume that the tougher protections afforded by EU law are the right model for the U.S.

As Congress weighs new laws to regulate how businesses gather, store, share, and secure consumer data, should it take a page from the tough, consumer-focused privacy protections already in place in the European Union?

Notably, all of the 27 EU member states have implemented EU-wide privacy directives--through national legislation--which offer a strong model for protecting people's online privacy, including obtaining their consent before using any personal data, storing that data securely, and letting people view and correct the data collected about them.

Although those protections are stronger than what's now on offer for U.S. consumers, "it's where the rubber meets the road that makes a difference," says Christopher Wolf, director of the privacy and information management practice at law firm Hogan Lovells and co-chair of the Future of Privacy Forum. "It's whether the protections are enforced, and whether companies are paying attention to them."

In fact, even though EU countries have privacy laws on the books, enforcement can be a mixed bag, even a bit flaky. For example, prosecutors in Italy convicted three Google executives of privacy law violations because someone else uploaded an offensive video to its YouTube. They've also pursued cases involving people's "right to be forgotten," including a case involving Google links to an allegedly defamatory newspaper story, as well as a case featuring the unflattering results sometimes generated by Google auto-complete.

"Without evaluating the merits of any of those things, they don't appear to be mainstream privacy issues that affect vast numbers of people," Wolf says.

In the United States, the situation is different. "We have a lot more enforcement against violations of the various laws, which really does serve to create a vigilant regime in companies," Wolf says. For example, HIPAA enforcement actions have been increasing of late, and he predicts compliance levels will follow suit. Likewise, he points to a study from University of California at Berkeley researchers which found that data breach notification laws in particular are driving companies to take privacy much more seriously, not least by adding chief privacy officers.

When it comes to U.S. and EU privacy, what if our respective approaches are different--and arguably, appropriate--because of our differing cultural expectations?

In Europe, privacy historically has been a question of honor and insult, whereas in the United States it's about freedom, says Omer Tene, an associate professor at the College of Management School of Law in Israel, in his reading of privacy history. "An individual seeking privacy protection in the United States asks 'leave me alone.' Conversely, in Europe, an individual seeking privacy demands 'respect me,'" Tene says.

Europeans also rely mostly on their governments to regulate privacy. "Europeans largely follow Bob Dylan's saying that 'privacy is something you can sell, but you can't buy it back,'" says Tene. "Meanwhile, in the United States, the land of big business and small government, individuals appear to be concerned more with government intrusion into their seclusion than with business transgressions. Indeed, in America the mere thought that a government agency will protect individuals' privacy from business appears bizarre."

Regardless of whether you buy into the cultural theory of privacy, Wolf argues that debating whether U.S. or EU privacy is better--as has been done by politicians and regulators, at least behind the scenes--is now a waste of time. "We should stop playing that game, and work together to create international standards," he says.

That's because the current rhetorical disconnect between the U.S. and Europe is creating repercussions, not least for businesses. For example, the EU allows data transfers between its member states and countries such as Peru, Canada, and Israel. But such data transfers to the U.S. are illegal, unless one of three data-transfer mechanisms--all of which are expensive--are used, because the EU doesn't recognize the U.S. as having proper data protections. "That needs to change," Wolf says. "The fact that we're not perfect doesn't mean we don't have adequate protection."

Thankfully, he sees global privacy standards beginning to converge and greater cooperation at hand. "The European Data Protection Supervisor, Peter Hustinx, has made statements to the effect that there will be greater cooperation, and he's recognized the efficacy of American-style enforcement for privacy," Wolf says. With luck, a blending of regulatory styles and enforcement regimes, as well as better cooperation, will result in stronger privacy protections for consumers at home and abroad.

In the new, all-digital Dark Reading supplement: What industry can teach government about IT innovation and efficiency. Also in this issue: Federal agencies have to shift from annual IT security assessments to continuous monitoring of their risks. Download it now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
CalistaHerdhart
50%
50%
CalistaHerdhart,
User Rank: Apprentice
6/25/2012 | 5:27:15 AM
re: Don't Foist Euro-Style Online Privacy On The U.S.
we need privacy protections period. So what if those protections end up being similar?? Information sharing should be on an opt-in rather than opt-out basis.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-0235
Published: 2015-01-28
Heap-based buffer overflow in the __nss_hostname_digits_dots function in glibc 2.2, and other 2.x versions before 2.18, allows context-dependent attackers to execute arbitrary code via vectors related to the (1) gethostbyname or (2) gethostbyname2 function, aka "GHOST."

CVE-2015-1375
Published: 2015-01-28
pixabay-images.php in the Pixabay Images plugin before 2.4 for WordPress does not properly restrict access to the upload functionality, which allows remote attackers to write to arbitrary files.

CVE-2015-1376
Published: 2015-01-28
pixabay-images.php in the Pixabay Images plugin before 2.4 for WordPress does not validate hostnames, which allows remote authenticated users to write to arbitrary files via an upload URL with a host other than pixabay.com.

CVE-2015-1419
Published: 2015-01-28
Unspecified vulnerability in vsftp 3.0.2 and earlier allows remote attackers to bypass access restrictions via unknown vectors, related to deny_file parsing.

CVE-2014-5211
Published: 2015-01-27
Stack-based buffer overflow in the Attachmate Reflection FTP Client before 14.1.433 allows remote FTP servers to execute arbitrary code via a large PWD response.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
If youíre a security professional, youíve probably been asked many questions about the December attack on Sony. On Jan. 21 at 1pm eastern, you can join a special, one-hour Dark Reading Radio discussion devoted to the Sony hack and the issues that may arise from it.