Risk
7/13/2011
05:56 PM
Connect Directly
RSS
E-Mail
50%
50%

Don't Foist Euro-Style Online Privacy On The U.S.

As Congress debates numerous privacy bills, don't assume that the tougher protections afforded by EU law are the right model for the U.S.

As Congress weighs new laws to regulate how businesses gather, store, share, and secure consumer data, should it take a page from the tough, consumer-focused privacy protections already in place in the European Union?

Notably, all of the 27 EU member states have implemented EU-wide privacy directives--through national legislation--which offer a strong model for protecting people's online privacy, including obtaining their consent before using any personal data, storing that data securely, and letting people view and correct the data collected about them.

Although those protections are stronger than what's now on offer for U.S. consumers, "it's where the rubber meets the road that makes a difference," says Christopher Wolf, director of the privacy and information management practice at law firm Hogan Lovells and co-chair of the Future of Privacy Forum. "It's whether the protections are enforced, and whether companies are paying attention to them."

In fact, even though EU countries have privacy laws on the books, enforcement can be a mixed bag, even a bit flaky. For example, prosecutors in Italy convicted three Google executives of privacy law violations because someone else uploaded an offensive video to its YouTube. They've also pursued cases involving people's "right to be forgotten," including a case involving Google links to an allegedly defamatory newspaper story, as well as a case featuring the unflattering results sometimes generated by Google auto-complete.

"Without evaluating the merits of any of those things, they don't appear to be mainstream privacy issues that affect vast numbers of people," Wolf says.

In the United States, the situation is different. "We have a lot more enforcement against violations of the various laws, which really does serve to create a vigilant regime in companies," Wolf says. For example, HIPAA enforcement actions have been increasing of late, and he predicts compliance levels will follow suit. Likewise, he points to a study from University of California at Berkeley researchers which found that data breach notification laws in particular are driving companies to take privacy much more seriously, not least by adding chief privacy officers.

When it comes to U.S. and EU privacy, what if our respective approaches are different--and arguably, appropriate--because of our differing cultural expectations?

In Europe, privacy historically has been a question of honor and insult, whereas in the United States it's about freedom, says Omer Tene, an associate professor at the College of Management School of Law in Israel, in his reading of privacy history. "An individual seeking privacy protection in the United States asks 'leave me alone.' Conversely, in Europe, an individual seeking privacy demands 'respect me,'" Tene says.

Europeans also rely mostly on their governments to regulate privacy. "Europeans largely follow Bob Dylan's saying that 'privacy is something you can sell, but you can't buy it back,'" says Tene. "Meanwhile, in the United States, the land of big business and small government, individuals appear to be concerned more with government intrusion into their seclusion than with business transgressions. Indeed, in America the mere thought that a government agency will protect individuals' privacy from business appears bizarre."

Regardless of whether you buy into the cultural theory of privacy, Wolf argues that debating whether U.S. or EU privacy is better--as has been done by politicians and regulators, at least behind the scenes--is now a waste of time. "We should stop playing that game, and work together to create international standards," he says.

That's because the current rhetorical disconnect between the U.S. and Europe is creating repercussions, not least for businesses. For example, the EU allows data transfers between its member states and countries such as Peru, Canada, and Israel. But such data transfers to the U.S. are illegal, unless one of three data-transfer mechanisms--all of which are expensive--are used, because the EU doesn't recognize the U.S. as having proper data protections. "That needs to change," Wolf says. "The fact that we're not perfect doesn't mean we don't have adequate protection."

Thankfully, he sees global privacy standards beginning to converge and greater cooperation at hand. "The European Data Protection Supervisor, Peter Hustinx, has made statements to the effect that there will be greater cooperation, and he's recognized the efficacy of American-style enforcement for privacy," Wolf says. With luck, a blending of regulatory styles and enforcement regimes, as well as better cooperation, will result in stronger privacy protections for consumers at home and abroad.

In the new, all-digital Dark Reading supplement: What industry can teach government about IT innovation and efficiency. Also in this issue: Federal agencies have to shift from annual IT security assessments to continuous monitoring of their risks. Download it now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
CalistaHerdhart
50%
50%
CalistaHerdhart,
User Rank: Apprentice
6/25/2012 | 5:27:15 AM
re: Don't Foist Euro-Style Online Privacy On The U.S.
we need privacy protections period. So what if those protections end up being similar?? Information sharing should be on an opt-in rather than opt-out basis.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Must Reads - September 25, 2014
Dark Reading's new Must Reads is a compendium of our best recent coverage of identity and access management. Learn about access control in the age of HTML5, how to improve authentication, why Active Directory is dead, and more.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-5485
Published: 2014-09-30
registerConfiglet.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via unspecified vectors, related to the admin interface.

CVE-2012-5486
Published: 2014-09-30
ZPublisher.HTTPRequest._scrubHeader in Zope 2 before 2.13.19, as used in Plone before 4.3 beta 1, allows remote attackers to inject arbitrary HTTP headers via a linefeed (LF) character.

CVE-2012-5487
Published: 2014-09-30
The sandbox whitelisting function (allowmodule.py) in Plone before 4.2.3 and 4.3 before beta 1 allows remote authenticated users with certain privileges to bypass the Python sandbox restriction and execute arbitrary Python code via vectors related to importing.

CVE-2012-5488
Published: 2014-09-30
python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via a crafted URL, related to createObject.

CVE-2012-5489
Published: 2014-09-30
The App.Undo.UndoSupport.get_request_var_or_attr function in Zope before 2.12.21 and 3.13.x before 2.13.11, as used in Plone before 4.2.3 and 4.3 before beta 1, allows remote authenticated users to gain access to restricted attributes via unspecified vectors.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
In our next Dark Reading Radio broadcast, we’ll take a close look at some of the latest research and practices in application security.