Risk
7/13/2011
05:56 PM
50%
50%

Don't Foist Euro-Style Online Privacy On The U.S.

As Congress debates numerous privacy bills, don't assume that the tougher protections afforded by EU law are the right model for the U.S.

As Congress weighs new laws to regulate how businesses gather, store, share, and secure consumer data, should it take a page from the tough, consumer-focused privacy protections already in place in the European Union?

Notably, all of the 27 EU member states have implemented EU-wide privacy directives--through national legislation--which offer a strong model for protecting people's online privacy, including obtaining their consent before using any personal data, storing that data securely, and letting people view and correct the data collected about them.

Although those protections are stronger than what's now on offer for U.S. consumers, "it's where the rubber meets the road that makes a difference," says Christopher Wolf, director of the privacy and information management practice at law firm Hogan Lovells and co-chair of the Future of Privacy Forum. "It's whether the protections are enforced, and whether companies are paying attention to them."

In fact, even though EU countries have privacy laws on the books, enforcement can be a mixed bag, even a bit flaky. For example, prosecutors in Italy convicted three Google executives of privacy law violations because someone else uploaded an offensive video to its YouTube. They've also pursued cases involving people's "right to be forgotten," including a case involving Google links to an allegedly defamatory newspaper story, as well as a case featuring the unflattering results sometimes generated by Google auto-complete.

"Without evaluating the merits of any of those things, they don't appear to be mainstream privacy issues that affect vast numbers of people," Wolf says.

In the United States, the situation is different. "We have a lot more enforcement against violations of the various laws, which really does serve to create a vigilant regime in companies," Wolf says. For example, HIPAA enforcement actions have been increasing of late, and he predicts compliance levels will follow suit. Likewise, he points to a study from University of California at Berkeley researchers which found that data breach notification laws in particular are driving companies to take privacy much more seriously, not least by adding chief privacy officers.

When it comes to U.S. and EU privacy, what if our respective approaches are different--and arguably, appropriate--because of our differing cultural expectations?

In Europe, privacy historically has been a question of honor and insult, whereas in the United States it's about freedom, says Omer Tene, an associate professor at the College of Management School of Law in Israel, in his reading of privacy history. "An individual seeking privacy protection in the United States asks 'leave me alone.' Conversely, in Europe, an individual seeking privacy demands 'respect me,'" Tene says.

Europeans also rely mostly on their governments to regulate privacy. "Europeans largely follow Bob Dylan's saying that 'privacy is something you can sell, but you can't buy it back,'" says Tene. "Meanwhile, in the United States, the land of big business and small government, individuals appear to be concerned more with government intrusion into their seclusion than with business transgressions. Indeed, in America the mere thought that a government agency will protect individuals' privacy from business appears bizarre."

Regardless of whether you buy into the cultural theory of privacy, Wolf argues that debating whether U.S. or EU privacy is better--as has been done by politicians and regulators, at least behind the scenes--is now a waste of time. "We should stop playing that game, and work together to create international standards," he says.

That's because the current rhetorical disconnect between the U.S. and Europe is creating repercussions, not least for businesses. For example, the EU allows data transfers between its member states and countries such as Peru, Canada, and Israel. But such data transfers to the U.S. are illegal, unless one of three data-transfer mechanisms--all of which are expensive--are used, because the EU doesn't recognize the U.S. as having proper data protections. "That needs to change," Wolf says. "The fact that we're not perfect doesn't mean we don't have adequate protection."

Thankfully, he sees global privacy standards beginning to converge and greater cooperation at hand. "The European Data Protection Supervisor, Peter Hustinx, has made statements to the effect that there will be greater cooperation, and he's recognized the efficacy of American-style enforcement for privacy," Wolf says. With luck, a blending of regulatory styles and enforcement regimes, as well as better cooperation, will result in stronger privacy protections for consumers at home and abroad.

In the new, all-digital Dark Reading supplement: What industry can teach government about IT innovation and efficiency. Also in this issue: Federal agencies have to shift from annual IT security assessments to continuous monitoring of their risks. Download it now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
CalistaHerdhart
50%
50%
CalistaHerdhart,
User Rank: Apprentice
6/25/2012 | 5:27:15 AM
re: Don't Foist Euro-Style Online Privacy On The U.S.
we need privacy protections period. So what if those protections end up being similar?? Information sharing should be on an opt-in rather than opt-out basis.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2188
Published: 2015-02-26
The Authentication Proxy feature in Cisco IOS does not properly handle invalid AAA return codes from RADIUS and TACACS+ servers, which allows remote attackers to bypass authentication in opportunistic circumstances via a connection attempt that triggers an invalid code, as demonstrated by a connecti...

CVE-2015-0594
Published: 2015-02-26
Multiple cross-site scripting (XSS) vulnerabilities in the help pages in Cisco Common Services, as used in Cisco Prime LAN Management Solution (LMS) and Cisco Security Manager, allow remote attackers to inject arbitrary web script or HTML via unspecified parameters, aka Bug IDs CSCuq54654 and CSCun1...

CVE-2015-0632
Published: 2015-02-26
Race condition in the Neighbor Discovery (ND) protocol implementation in Cisco IOS and IOS XE allows remote attackers to cause a denial of service via a flood of Router Solicitation messages on the local network, aka Bug ID CSCuo67770.

CVE-2015-0651
Published: 2015-02-26
Cross-site request forgery (CSRF) vulnerability in the web GUI in Cisco Application Networking Manager (ANM), and Device Manager (DM) on Cisco 4710 Application Control Engine (ACE) appliances, allows remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCuo99753.

CVE-2015-0882
Published: 2015-02-26
Multiple cross-site scripting (XSS) vulnerabilities in zencart-ja (aka Zen Cart Japanese edition) 1.3 jp through 1.3.0.2 jp8 and 1.5 ja through 1.5.1 ja allow remote attackers to inject arbitrary web script or HTML via a crafted parameter, related to admin/includes/init_includes/init_sanitize.php an...

Dark Reading Radio
Archived Dark Reading Radio
How can security professionals better engage with their peers, both in person and online? In this Dark Reading Radio show, we will talk to leaders at some of the security industry’s professional organizations about how security pros can get more involved – with their colleagues in the same industry, with their peers in other industries, and with the IT security community as a whole.