Risk
7/13/2011
05:56 PM
50%
50%

Don't Foist Euro-Style Online Privacy On The U.S.

As Congress debates numerous privacy bills, don't assume that the tougher protections afforded by EU law are the right model for the U.S.

As Congress weighs new laws to regulate how businesses gather, store, share, and secure consumer data, should it take a page from the tough, consumer-focused privacy protections already in place in the European Union?

Notably, all of the 27 EU member states have implemented EU-wide privacy directives--through national legislation--which offer a strong model for protecting people's online privacy, including obtaining their consent before using any personal data, storing that data securely, and letting people view and correct the data collected about them.

Although those protections are stronger than what's now on offer for U.S. consumers, "it's where the rubber meets the road that makes a difference," says Christopher Wolf, director of the privacy and information management practice at law firm Hogan Lovells and co-chair of the Future of Privacy Forum. "It's whether the protections are enforced, and whether companies are paying attention to them."

In fact, even though EU countries have privacy laws on the books, enforcement can be a mixed bag, even a bit flaky. For example, prosecutors in Italy convicted three Google executives of privacy law violations because someone else uploaded an offensive video to its YouTube. They've also pursued cases involving people's "right to be forgotten," including a case involving Google links to an allegedly defamatory newspaper story, as well as a case featuring the unflattering results sometimes generated by Google auto-complete.

"Without evaluating the merits of any of those things, they don't appear to be mainstream privacy issues that affect vast numbers of people," Wolf says.

In the United States, the situation is different. "We have a lot more enforcement against violations of the various laws, which really does serve to create a vigilant regime in companies," Wolf says. For example, HIPAA enforcement actions have been increasing of late, and he predicts compliance levels will follow suit. Likewise, he points to a study from University of California at Berkeley researchers which found that data breach notification laws in particular are driving companies to take privacy much more seriously, not least by adding chief privacy officers.

When it comes to U.S. and EU privacy, what if our respective approaches are different--and arguably, appropriate--because of our differing cultural expectations?

In Europe, privacy historically has been a question of honor and insult, whereas in the United States it's about freedom, says Omer Tene, an associate professor at the College of Management School of Law in Israel, in his reading of privacy history. "An individual seeking privacy protection in the United States asks 'leave me alone.' Conversely, in Europe, an individual seeking privacy demands 'respect me,'" Tene says.

Europeans also rely mostly on their governments to regulate privacy. "Europeans largely follow Bob Dylan's saying that 'privacy is something you can sell, but you can't buy it back,'" says Tene. "Meanwhile, in the United States, the land of big business and small government, individuals appear to be concerned more with government intrusion into their seclusion than with business transgressions. Indeed, in America the mere thought that a government agency will protect individuals' privacy from business appears bizarre."

Regardless of whether you buy into the cultural theory of privacy, Wolf argues that debating whether U.S. or EU privacy is better--as has been done by politicians and regulators, at least behind the scenes--is now a waste of time. "We should stop playing that game, and work together to create international standards," he says.

That's because the current rhetorical disconnect between the U.S. and Europe is creating repercussions, not least for businesses. For example, the EU allows data transfers between its member states and countries such as Peru, Canada, and Israel. But such data transfers to the U.S. are illegal, unless one of three data-transfer mechanisms--all of which are expensive--are used, because the EU doesn't recognize the U.S. as having proper data protections. "That needs to change," Wolf says. "The fact that we're not perfect doesn't mean we don't have adequate protection."

Thankfully, he sees global privacy standards beginning to converge and greater cooperation at hand. "The European Data Protection Supervisor, Peter Hustinx, has made statements to the effect that there will be greater cooperation, and he's recognized the efficacy of American-style enforcement for privacy," Wolf says. With luck, a blending of regulatory styles and enforcement regimes, as well as better cooperation, will result in stronger privacy protections for consumers at home and abroad.

In the new, all-digital Dark Reading supplement: What industry can teach government about IT innovation and efficiency. Also in this issue: Federal agencies have to shift from annual IT security assessments to continuous monitoring of their risks. Download it now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
CalistaHerdhart
50%
50%
CalistaHerdhart,
User Rank: Apprentice
6/25/2012 | 5:27:15 AM
re: Don't Foist Euro-Style Online Privacy On The U.S.
we need privacy protections period. So what if those protections end up being similar?? Information sharing should be on an opt-in rather than opt-out basis.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-6090
Published: 2015-04-27
Multiple cross-site request forgery (CSRF) vulnerabilities in the (1) DataMappingEditorCommands, (2) DatastoreEditorCommands, and (3) IEGEditorCommands servlets in IBM Curam Social Program Management (SPM) 5.2 SP6 before EP6, 6.0 SP2 before EP26, 6.0.3 before 6.0.3.0 iFix8, 6.0.4 before 6.0.4.5 iFix...

CVE-2014-6092
Published: 2015-04-27
IBM Curam Social Program Management (SPM) 5.2 before SP6 EP6, 6.0 SP2 before EP26, 6.0.4 before 6.0.4.6, and 6.0.5 before 6.0.5.6 requires failed-login handling for web-service accounts to have the same lockout policy as for standard user accounts, which makes it easier for remote attackers to cause...

CVE-2015-0113
Published: 2015-04-27
The Jazz help system in IBM Rational Collaborative Lifecycle Management 4.0 through 5.0.2, Rational Quality Manager 4.0 through 4.0.7 and 5.0 through 5.0.2, Rational Team Concert 4.0 through 4.0.7 and 5.0 through 5.0.2, Rational Requirements Composer 4.0 through 4.0.7, Rational DOORS Next Generation...

CVE-2015-0174
Published: 2015-04-27
The SNMP implementation in IBM WebSphere Application Server (WAS) 8.5 before 8.5.5.5 does not properly handle configuration data, which allows remote authenticated users to obtain sensitive information via unspecified vectors.

CVE-2015-0175
Published: 2015-04-27
IBM WebSphere Application Server (WAS) 8.5 Liberty Profile before 8.5.5.5 does not properly implement authData elements, which allows remote authenticated users to gain privileges via unspecified vectors.

Dark Reading Radio
Archived Dark Reading Radio
Join security and risk expert John Pironti and Dark Reading Editor-in-Chief Tim Wilson for a live online discussion of the sea-changing shift in security strategy and the many ways it is affecting IT and business.