Risk
7/13/2011
05:56 PM
Connect Directly
RSS
E-Mail
50%
50%

Don't Foist Euro-Style Online Privacy On The U.S.

As Congress debates numerous privacy bills, don't assume that the tougher protections afforded by EU law are the right model for the U.S.

As Congress weighs new laws to regulate how businesses gather, store, share, and secure consumer data, should it take a page from the tough, consumer-focused privacy protections already in place in the European Union?

Notably, all of the 27 EU member states have implemented EU-wide privacy directives--through national legislation--which offer a strong model for protecting people's online privacy, including obtaining their consent before using any personal data, storing that data securely, and letting people view and correct the data collected about them.

Although those protections are stronger than what's now on offer for U.S. consumers, "it's where the rubber meets the road that makes a difference," says Christopher Wolf, director of the privacy and information management practice at law firm Hogan Lovells and co-chair of the Future of Privacy Forum. "It's whether the protections are enforced, and whether companies are paying attention to them."

In fact, even though EU countries have privacy laws on the books, enforcement can be a mixed bag, even a bit flaky. For example, prosecutors in Italy convicted three Google executives of privacy law violations because someone else uploaded an offensive video to its YouTube. They've also pursued cases involving people's "right to be forgotten," including a case involving Google links to an allegedly defamatory newspaper story, as well as a case featuring the unflattering results sometimes generated by Google auto-complete.

"Without evaluating the merits of any of those things, they don't appear to be mainstream privacy issues that affect vast numbers of people," Wolf says.

In the United States, the situation is different. "We have a lot more enforcement against violations of the various laws, which really does serve to create a vigilant regime in companies," Wolf says. For example, HIPAA enforcement actions have been increasing of late, and he predicts compliance levels will follow suit. Likewise, he points to a study from University of California at Berkeley researchers which found that data breach notification laws in particular are driving companies to take privacy much more seriously, not least by adding chief privacy officers.

When it comes to U.S. and EU privacy, what if our respective approaches are different--and arguably, appropriate--because of our differing cultural expectations?

In Europe, privacy historically has been a question of honor and insult, whereas in the United States it's about freedom, says Omer Tene, an associate professor at the College of Management School of Law in Israel, in his reading of privacy history. "An individual seeking privacy protection in the United States asks 'leave me alone.' Conversely, in Europe, an individual seeking privacy demands 'respect me,'" Tene says.

Europeans also rely mostly on their governments to regulate privacy. "Europeans largely follow Bob Dylan's saying that 'privacy is something you can sell, but you can't buy it back,'" says Tene. "Meanwhile, in the United States, the land of big business and small government, individuals appear to be concerned more with government intrusion into their seclusion than with business transgressions. Indeed, in America the mere thought that a government agency will protect individuals' privacy from business appears bizarre."

Regardless of whether you buy into the cultural theory of privacy, Wolf argues that debating whether U.S. or EU privacy is better--as has been done by politicians and regulators, at least behind the scenes--is now a waste of time. "We should stop playing that game, and work together to create international standards," he says.

That's because the current rhetorical disconnect between the U.S. and Europe is creating repercussions, not least for businesses. For example, the EU allows data transfers between its member states and countries such as Peru, Canada, and Israel. But such data transfers to the U.S. are illegal, unless one of three data-transfer mechanisms--all of which are expensive--are used, because the EU doesn't recognize the U.S. as having proper data protections. "That needs to change," Wolf says. "The fact that we're not perfect doesn't mean we don't have adequate protection."

Thankfully, he sees global privacy standards beginning to converge and greater cooperation at hand. "The European Data Protection Supervisor, Peter Hustinx, has made statements to the effect that there will be greater cooperation, and he's recognized the efficacy of American-style enforcement for privacy," Wolf says. With luck, a blending of regulatory styles and enforcement regimes, as well as better cooperation, will result in stronger privacy protections for consumers at home and abroad.

In the new, all-digital Dark Reading supplement: What industry can teach government about IT innovation and efficiency. Also in this issue: Federal agencies have to shift from annual IT security assessments to continuous monitoring of their risks. Download it now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
CalistaHerdhart
50%
50%
CalistaHerdhart,
User Rank: Apprentice
6/25/2012 | 5:27:15 AM
re: Don't Foist Euro-Style Online Privacy On The U.S.
we need privacy protections period. So what if those protections end up being similar?? Information sharing should be on an opt-in rather than opt-out basis.
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-1544
Published: 2014-07-23
Use-after-free vulnerability in the CERT_DestroyCertificate function in libnss3.so in Mozilla Network Security Services (NSS) 3.x, as used in Firefox before 31.0, Firefox ESR 24.x before 24.7, and Thunderbird before 24.7, allows remote attackers to execute arbitrary code via vectors that trigger cer...

CVE-2014-1547
Published: 2014-07-23
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 31.0, Firefox ESR 24.x before 24.7, and Thunderbird before 24.7 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2014-1548
Published: 2014-07-23
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 31.0 and Thunderbird before 31.0 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2014-1549
Published: 2014-07-23
The mozilla::dom::AudioBufferSourceNodeEngine::CopyFromInputBuffer function in Mozilla Firefox before 31.0 and Thunderbird before 31.0 does not properly allocate Web Audio buffer memory, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and applica...

CVE-2014-1550
Published: 2014-07-23
Use-after-free vulnerability in the MediaInputPort class in Mozilla Firefox before 31.0 and Thunderbird before 31.0 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) by leveraging incorrect Web Audio control-message ordering.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Where do information security startups come from? More important, how can I tell a good one from a flash in the pan? Learn how to separate ITSec wheat from chaff in this episode.