EU Privacy Directive — Coming To the US?
An anonymous reader writes "An article over at ComputerWorld implies that the EU Privacy Directive, or something like it, will soon be signed into law here in the USA. The author seems to think this is a good thing, but I'm not so sure. From the article: 'We've finally come to realize that self-regulation by industry hasn't worked. The states have stepped in, creating the same situation of conflicting regulation that led to the creation of the EU privacy directive. The only question now is if the law that comes out of Congress will be a small step strictly focused on breaches, such as S.239, or whether we take the bigger step of forming a permanent committee under the FTC to monitor privacy as outlined by S.1178. Either way, the U.S. is finally moving away from the fractured environment of the past and toward a comprehensive privacy strategy.' Is it time for a national privacy law or 'Privacy Czar', or are we better off letting things be?"
or has this whole "Czar" thing been way overused.
...ever makes it into US law (if ever), it will be so watered down and ineffective that it might as well not even exist. The corporations who now run the USA will not stand for it.
Given the history of regulatory agencies (see the history of the Interstate Commerce Commission for starters), just how long will it be before the new regulators end up captive to the industries they regulate?
There's a line in the movie "Absence of Malice" which sums up the problem of government regulators very neatly, even if it wasn't intended that way: "Have you given any thought to what you'll do after government service?"
I think in general privacy laws and government regulation of privacy is a good thing. The problem with self-regulation of privacy is that personal information is a lucrative commodity. It is hard to get companies to do what's right when most people don't even realize how much information they are giving up or what their rights are. I think well crafted legislation can provide a good framework for companies to better their privacy policies as well as provide redress for consumers who are adversely affected by bad policies. Good laws also provide a way for privacy advocacy groups to benchmark companies by providing a baseline as well as providing standards to hold companies to.
The key here will be that the laws need to be broad enough to deal with the rapidly changing business methods as well as provide room for companies to try different methods of achieving the results. At some point you can push companies far enough that they will then try to advertise on how great their privacy is versus some other company, so it's good to set the bar and allow companies to rise above it as well as just meeting it.
In the United Gulags Of America.
Cheers,
W
The DHS's own Privacy Committee has put out a couple of very sensible reports in response to Real ID and other issues. I don't see any action. What's the point if nobody's going to listen?
Printer Friendly: http://www.computerworld.com/action/article.do?command=printArticleBasic&articleId=9024784
Anyways, it doesn't matter what the US signs into law if there is no meaningful oversight, penalties and enforcement.
I also can't imagine that the business lobby isn't going to scream and shout about the expense involved with implementing true EU style reforms.
One alternative to all these expensive-to-implement laws is to make it an opt-in industry. By the time they're done culling out all the people who don't want to be in the database (a one-time event), EU style privacy laws won't cost all that much to implement.
appointed, whatever program comes to a screeching failure. Think Drug Czar, Iraq War Czar, etc.
Leave the gun, take the cannoli -- Clemenza, The Godfather
In most countries there will hopefully be just enough people exercising their rights under this kind of legislation to compel all concerned to comply. That's mostly what this sort of thing is about. The OP is a fool.. this *is* 'a good thing'.
And pigs can fly. Not a snowball's chance in hell that this could happen! Restricting business? How dare they! :)
I don't know about the UK. In Amsterdam we have plenty of cameras too, and they go to extensive lengths to prevent the cameras from seeing inside homes and all.
I was going to start to argue *for* another contender on the side of the little guy, but I think I just talked myself out of it.
Computers are useless. They can only give you answers.
-- Pablo Picasso
Not at all, I would imagine, since their courts hold that one has no legal expectation of privacy in a public place.
Sort of like ours in the U.S., actually. And having recently moved from one of the most heavily-surveilled cities per capita (thanks to these folks), I'm pretty familiar with the applicable laws, although your mileage may vary by state.
Of course, since the privacy law in question doesn't apply to surveillance cameras anyway, methinks you're just taking a cheap shot at our friends across the pond.
Tags != Comments, and -1 (Troll) != -1 (I Would Respond Angrily To This Poster So They Must Be Trolling)
No, I do not want the government monitoring my privacy. That is the exact opposite of privacy. Lack of necessary logic resulting in core dump in 5... 4... 3... 2... 1... Oh wait, this is Slashdot, logic not required. End sequence.
Well.. maybe. Or Maybe not. But Definitely not sort of.
in the past, as near as maybe 20-30 years ago, privacy was not a huge issue, because it wasn't so easy and cheap to amass data. of course, files on people have always existed, but they were specialized and compartmentalized, and not easy to correlate and analyse. nevertheless, some governments (mostly associated with ex-communist countries) are known to have excelled at collection, storage and retrieval of files on people, even if they only used paper. these files were very successfully used to make people behave in certain ways.
now, when there is the technology to collect, store and correlate all kinds of data about very many people by just about any entity with a minor budget, and there are no clear rules about what is okay and what is not, it is easy for the individual to be a target of abuse by a more powerful group (be that government, a large company, or some foundation), and it is almost impossible for the individual to counter-balance such groups, as data collection seems, in the absence of rules, quite legal, and, depending on the profile, the person may not be in a position to make a strong stand. so, it is pretty obvious that some levelling of the playing field is in order, and that it should be made a law, so that it has teeth.
to me the reasonable minimum would be the ability of a person to see the information an entity has amassed on them, and to be able to remove parts of their profile or (that being un-possible for some reason) the whole profile at any time, at least from a private organization. exceptions from that rule should be considered carefully, and introduced on a demonstrated need basis.
this will probably kill a few tabloid publications, and decrease the availability of movie star pictures on the internet though
Just let those big, overpaid, greedy top managers scream a while. Then, publicly, pick out the loudest screamer and sack him. Something for public television and a president wanting to be popular again. (You can sack him Roman style, which is a bit too bloody for modern times. Oh wait, you are Americans, right? You still do that. Well, that's OK then.) Anyways, his salary alone will compensate for those costs, no problemo. With the added merit of the rest of those greedy bastards now not wanting to scream too loud...
The US bill does nothing to prevent a corporation from deliberately disclosing whatever they want to whomever they want - it's focused exclusively on securing those transactions from third parties.
The law is summed up in this paragraph:
I have a thing about my Social Security number - I only give it to those who require it to fulfill legal mandates. That includes my employer, who has decided (without my permission, and despite my express denial) to give it to a health care provider. This proposed law does nothing to prevent that.
I want them to be prevented from "selling or transferring" my confidential information, without my voluntary consent (no consent as a condition of employment, etc.).
"National Security is the chief cause of national insecurity." - Celine's First Law
Done right, these laws get the Legislature some headlines for the voters while effectively insulating the campaign contributors from the risk of being held liable for doing what the Act theoretically prohibits.
Thought experiment: what would either Act have done in the case of HP spying on private parties?
Lacking <sarcasm> tags,
It's a good idea to have a privacy czar, assuming the other half of his job description isn't to implement EU-style data retention policies. This Orwellian definition of privacy I wouldn't put past the government to invent.
Just wait. This will be an attempt to stealthily pass a bunch of anti-privacy legislation, such as data-retention laws.
Liberty in your lifetime
Privacy laws were partly the cause of the VT shootings. That's simplifying it a bit, I know, but this is one of those things that I don't think can go both ways in my book. If we agree that privacy is a good thing, then sorry, events like VT could happen again because of the inability to share data. (And with the coming national ID cards and such, I really like the idea of having some strong privacy laws.)
"The problem with socialism is eventually you run out of other people's money" - Thatcher.
On a daily basis, do you protect your valuables and confidential records because you're afraid of a public official confiscating them or some random private citizen busting in and stealing them? Strangely enough, the primary reason we have government in the first place is to guard against the latter (whether through policing, the courts or recognition of property rights in general). Yet, people are /far/ more careless with their information and property in the hands of other private interests over whom they have virtually no control than they are with their public counterparts over whom they have direct control.
This is puzzling.
one has no legal expectation of privacy in a public place
I would like to quote a cleverer man than me:
anyone who cannot distinguish between "not private" and "under constant surveillance" is a fucking idiot
Disclosing information should not be considered a crime, unless of course you are bound by contract not to disclose it. Similarly, grabbing information should not be considered a crime, unless of course you invade someone's property by doing it (breaking in one's house, trash, computer etc)
☭ = 卐
It's about setting a precedent, so that the EU can push future initiatives over American national sovereignty. I guess the Constitution means nothing anymore to the Republocrats and Demopublicans. We need an external body to set the laws of the land.
You mean a single point of contact that helps reduce the privacy of the common man, but makes damned sure the elected officials have it?
No thanks.
---- Booth was a patriot ----
They are derived from exactly the same word, they just took different routes to get to English.
...because "hacker" sounds way sexier than "code drone."
I believe a Privacy Czar, though not necessarily using that term, is a step in the right direction.
All too often laws are enacted with the best of intentions only to show that compliance with the law is a hollow shell of the desired objective. Case in point is something like the CanSpam directive. By giving you a link to a page that had all the correct bells and whistles to appear to allow you to de-list yourself, when it actually de-listed you from one list and listed you on 40 others, is the probable end result.
How many times have you had a company ask for ridiculously invasive information "for your protection"? Similar results will be incurred here. Currently, asking for information is at best spotty in legality, and because of this you have a certain level of push back available to you when they request it (no, I will not give my son's grade school his SSN). However, once a law like this goes into play it creates an aura of safety: once an organization appears to comply with it, the loss of your personal data is no longer a high level of liability for them. As a result your privacy is reduced to a level of cookie-cutter actions that never get questioned because 'everyone knows it meets legal requirements'.
I'm sorry, I'm too tired to be witty at the moment, so this message will have to do.
These laws don't make sense unless the countries/regions also want to deal with how the data is disseminated.
I just got off the phone dealing with someone from my phone company's customer service centre... in India. He was very helpful, so don't get me wrong, but... it was disconcerting to know he could check my credit card number. I am sure many/most offshore call centres' employees are honest, but I have to wonder how this privacy crap matters when we allow corporations to send our private information to servers around the world.
For example, there are many Canadians in British Columbia who bitch and moan and disparage the U.S. about homeland security and privacy issues (probably about as many as do the same in the U.S. :-) )... but at the same time don't complain when British Columbia outsources its health care information billing system to a U.S. company who now have all their citizens' financial and medical information. And which is subject to search etc. by the U.S. government now, since the data is stored on American servers.
Another thought: What happens if we have a dispute with China and they have centres there with access to our personal and corporate information. They have leverage to influence in ways that might not be good... tell us to leave them alone or they destroy or corrupt the information on the servers under their control?
-- I ignore anonymous replies to my comments and postings.
As mentioned before, it would be fairly easy to fix with an opt-in-only privacy law. No one should be able to use my private info for anything without my express permission. Additionally, it should be illegal to require permission to be granted to use a business's services. More specifically, they should only be able to keep the minimum amount of info, and only use it for the minimum purpose required to provide service to you. In no case should they be allowed to trade or sell that info to others without your permission and perhaps compensation. If they can make money off of it, then you should have a right to charge them for it if you want to. They have done some work with health info, but this privacy needs to be expanded to all personal info, and further enhanced across the board.
Ok, I know this is unlikely given our current culture and government, but it's what SHOULD be.
The United States of America is a voluntary union comprising of many independent states. These states have the right to self-governance and popular sovereignty; the Constitution does not allow for any such federal restrictions.
Indeed. The courts have been fucking idiots about this for some time now.
Once we submit all our information to the new government body, we'll be a lot better off!
At least in the EU when you get some brain-dead corporation spamming you, or sending you annoying SMS messages you can fight back with "Stop, or I will report you to the Information Commissioner". This gets their attention very quickly, because if they don't then large fines are handed out.
You mean I can't talk about it if I'm not a citizen, but I can't tell someone not to talk about it, but wait, how would I know, because I don't even know what's secret in my own country, much less every other country on the planet, but... oh whatever, I'm moving into a cave.
BTW - if NATIONAL ID CARDS and this strategy are related somehow, does that mean once national IDs are introduced then new identity kiosks will appear in all quickie marts that will allow you to instantly register a new ID with the government if necessary?
Can we civvies keep our identities and laws at least, please?
The EU Directive specifically covers this. No EU company can send personal data to another country if they don't have privacy laws that the EU deems good enough. This applies both between companies and within the same company. Canada had to enact legislation (PIPEDA) while the US got away with telling the EU to trust them.
Make ALL personal information your personal property, the use of which is revocable at will, like the RIAA does with copying music. Anyone you aren't doing business with (say, Choicepoint, Lexis/Nexis, USSEARCH.COM etc.), who is trying to share your personal information around, has to ask for permission and pay royalties for transactions. Just like with the RIAA.
If someone posts their phone number or picture online and removes it tomorrow with a notice not to copy, you have to remove it. Period. The RIAA has that right, why can't we?
Enforce it with DMCA-level punishments. Infringers pay attorney costs as well as the judgement, just like copyright violations.
Oh wait, I know why you're about to disagree with this... the RIAA is a multi billion dollar corporation and personal information pertains to worthless little peons, right?
--- Grow a pair, liberals... stop letting the Republicans bully you!
Ah! MI6 modded this guy down
"Hand all over your private information over to us, the Government, so we may protect it for you!"
just wait wait for it..
"To lead the people, you must walk behind them"
... title bar ever.
You know, there is a difference between trolling and pointing out the flaws in your reasoning. Just saying.
'We've finally come to realize that self-regulation by industry hasn't worked.'.
Wow, Einstein, what a brilliant deduction. When, save for very niche industries, has self regulation ever worked? The uncontrolled free market, self regulation, etc is all fine and dandy for large companies who squeeze everything out of small players or the consumer.
Just look at the oil industry for instance. Exxon's CEO was paid what? 35 million last year? While the prices of fuel keep going through the stratosphere. Where's the 'self regulation' there? It's an artificial cap on prices just below the limit of robbing us blind, where people would explode, march up to Exxon or Shell and blow them up. There's no self regulation here.
It applies to most other industries. Unless there's a balance between government regulation and control, vs uncontrolled free market, society is headed for collapse, just as in Soviet Russia where the government controlled everything. The uncontrolled free markets we're seeing in the 'western' world is unsustainable, and the smart ones know that. Our economy 'grows' by raping the environment, exploiting poor countries with natural resources, polluting water sources and the air, indiscriminate logging, and depleting natural resources. Give it a few decades, and we're all burnt out.
....is more government regulation. As one of my favorite authors put it, "You don't make an ineffective government more effective by adding more ineffective layers or splitting it into ineffective parts." In other words, you have to cut out the ineffective parts. You don't fix a clog by adding more junk; you fix it by getting rid of the junk that's already there. But I don't really see that happening anytime soon. As long as the rich own the media and the media owns the politicians, we won't see much improve.
I give you, THE WAR ON PRIVACY! errr... or something.
To boldly use to and too two times and get it right too! They're not gonna believe their eyes when they see it there!
The new "privacy":
"All of your information is kept under lock and key, and held under the highest levels of security. All information is encrypted and is guaranteed safe, secure, and secret."
Unfortunately, this all means ABSOLUTELY DICK in keeping Big Brother away. Nobody openly mentions that they will allow Big Brother UNFETTERED ACCESS to ANY information about you, and your "private" data will be at the beck and call of Him (I don't mean 'Him' as in 'God'; I mean 'Him' as in Big Brother, and the snoops, goons, and spooks that act as if they are God).
Since when did my Republican Party think Big Government was good?
Oh wait, I forgot: Big Government isn't a problem when you *ARE* the Government.
Knowing Google's lust for data collection, the Soviet Union is still alive and well inside the psyche of Sergey Brin....
Do I want to get the health insurance my employer subsidizes? Sure I do. The insurer makes that conditional on waiving my HIPAA rights. I guess they want to post my info on their web site (crap, they do!) and leave it where even the janitor can see it.
I'm also easy to impersonate.
Meanwhile, if she follows the law, my own wife has no ability to get the info. WTF?
My blood relatives should be able to get inheritable disease records. People who lived with me during the past year should be able to get contagious disease records. Anybody sharing finances with me (or recently, as with an ex-spouse) should be able to get billing records.
So HIPAA has pretty much made everything worse for me. I don't need more of the same.
Hmmm, how about having your legacy associated with something really gruesome, like a the cutting open of a pregnant woman so as to remove her baby?
What? Ohhh... right.
The author of the original article clearly didn't read the S.1178, "A bill to strengthen data protection and safeguards, require data breach notification, and further prevent identity theft", the bill they're citing. And nobody else here seems to have read it either.
First, it's not anything like the European Privacy Directive. It has nothing to do with privacy. It's about leaks of information useful for identity theft and about credit reporting. It's actually another one of those bills designed to remove state consumer protections. The key provisions are 1) it overrides all state laws on that subject, and 2) it doesn't provide for any private right of action. Only the Federal Trade Commission, which seldom does anything really punitive, can enforce it.
Not very good but they are reasonably effective at preventing abuse of them.
writes these shitty articles? /. used to be good.
The EU directive is very good when it comes to specifying what 3rd parties may do with private data and giving the citizen rights to control the use of such data:
* The citizen may request information of what data is kept
* The citizen may require incorrect data to be corrected
* The citizen may require data to be deleted
Further, data must not be shared with states outside the EU unless the EU has recognized these as providing adequate protection of personal data. The US is not on the list (but Canada is), which is the reason for the current conflict over passenger data on transatlantic flights.
But the EU directive lacks one thing: supervision. There are no controls implemented, no prior certification of data processing entities, no posterior audit to ensure that data protection is adequately implemented, not even common standards on how data must be protected. AND there is no obligation to publicly announce data breaches.
Certifying data processing entities and then granting these authorization to handle data is cumbersome and expensive and won't ever happen - fine. But some control system should be established, and standards or guidelines should be made. Why is there no requirement to encrypt personal data when stored in a non-controlled environment (say, mobile devices) and not in use?
And after the data retention directive, which seems also to be on the road into US law, why did they not set strict requirements on protection of these data to ensure that they are only available for the purpose of the retention - investigation of terrorism? Why may companies retain such traffic data and store it unencrypted?
At the very least, we could learn from the many US states that require companies to advise customers about data breaches and the risk of abuse.
Guess why the USA has such a tremendous problem with "identity theft"? A much bigger one than in Europe?
Something which facilitates this is the missing privacy directive. Companies are much more careless with YOUR data if they can't be held accountable. This, of course, makes it easier for criminals to get your data.
Well, it would be a good thing if they hadn't watered it down already..
"The more prohibitions there are, The poorer the people will be" -- Lao Tse
No, that would be MI5 - the Security Service. MI6 are responsible for foreign intelligence collection. They are the Secret Intelligence Service.
Have a look at soylentnews.org for a different view
... he has a bolt through the c*ck named to him, don't guess that was his dying last wish; A salad sure sounds better to me.
--- I am known for the ones who want to find me on the net. Is that a privacy risk or a privilege? One might wonder..
This is some serious disinformation here. Self-regulation by the tech industry worked just fine until the government began allowing business and corporate interests to affect its subsidies, grants, and funding.
I think you meant to put a colon after the word here. It makes more sense that way.
I mean, do you honestly believe that there has ever been some mythical time in US history in which businesses happily kept to themselves and acted like gentlemen in the best interests of their customers before some switch was flipped or some line was crossed and suddenly everyone started buying and trading power and favor? Must've been nice in that parallel universe.
Besides, you seem to be under the illusion that the privacy of their customers is in each business's best interest and that only the evil, evil government is causing them to datamine their customer base instead of the rich profits involved in knowing your customer's needs and desires and how to best inflame them. Privacy, frankly, is an impediment to profit.
If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").
I mean, unless it's a "War on Privacy" Czar, isn't that a bad thing?
The United States of America is a voluntary union comprising of many independent states. These states have the right to self-governance and popular sovereignty; the Constitution does not allow for any such federal restrictions.
Me: What about the interstate commerce clause and the Civil War?
AC: LAH LAH LAH LAH LAH! I'M NOT LISTENING!
US data privacy laws are a bloody mess.
In 1972, Elliot Richardson was the Sec'y of HEW under Nixon. He commissioned one of the first reports on data privacy, which was shaping up to be a great thing. Then he left to become Attorney General to provide some moral credibility during Watergate, and Cap Weinberger (the mentor of Don Rumsfeld and Dick Cheney among others) came in and gutted the report's recommendations.
What was left was a report that said data privacy is a HUGE problem, and recommended a number of steps for government databases (which were never fully implemented), but recommended we wait and see what problems occur in the private sector before doing anything. The report was insightful in its analysis of the problem, but was extremely weak on a plan for action to forestall private sector abuse.
In order to avoid having to consider constraining private sector abuses, the report had to explicitly reject the idea of a right to privacy. However this was a profound logical flaw that made the report's recommendations an absurdity. How can something be an abuse, unless there is something to be abused?
Because of this, the US has taken an approach to privacy that has been called "sectoral", as if each kind of data application were analyzed for its problems and a custom approach crafted for it. Nothing could be further from the reality. What actually happens is that we have waited for specific privacy problems to reach crisis proportions, the point at which ignoring the problem would be political suicide. Then we have passed ad hoc laws which are supposed to blunt the worst of the problem.
The result is that there is a complex and incomprehensible patchwork of laws, in which the same problems are addressed over and over in different ways for different industries.
By contrast EU directive builds on the HEW report findings, but takes them to their logical (and far simpler) conclusion. People have specific rights in record keeping systems, no matter who it is who is keeping the records.
The concern in the HEW report is that recognizing such rights would hamper the formation of new businesses. And in fact, they do. We have a major private industry over here that traffics in highly dubious intelligence reports on individuals. However, if you step back and squint, it would appear that European society has not collapsed for lack of this. European commerce hasn't collapsed either. The kind of companies that brought us the Florida voting list debacle will bitch and moan that this will put them out of business. Good riddance, I say.
The final and least important reason this would be a good thing is that it would be good for American businesses as a whole. Rights don't mean anything if you can move a process someplace where those rights aren't recognized. Just ask the Bush administration why it turns over "detainees" to foreign intelligence services. So EU companies should really not transfer any data to the US if it contains any personally identifiable information. Right now, we are operating under an agreement negotiated in the Clinton administration that allows US companies to work with EU companies under a safe harbor arrangement. This was controversial in the EU because it involved putting considerable trust in the US political system.
As you may have noticed, we aren't exactly the most trusted nation these days. Specifically, people outside the US aren't very confident of our commitment to human rights. Our ability to do business with the EU is skating on thin ice. Harmonizing our laws with EU laws (that are based largely on our original analysis of the problem) would be good for the economy, and good for American citizens.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
declare war on privacy.
Just to make one thing clear here: "Czar" comes etymologically from "caesar", just like the German word "Kaiser". Both mean "emperor". And emperors are (usually) autocrats. But that doesn't mean that every word related to "caesar" means autocrat.
And not even all emperors are autocrats. I believe Japan's power is firmly in the hands of a democratically elected government nowadays, for example. Just like kings and queens aren't autocrats anymore.
I meant to say that while privacy protection against private interests is all well and good, I'm getting more and more concerned about privacy protection against government intrusion. I'm sure it's a good law to have (when viably enforced); I'm just concerned about both intrusions, and ever more so over the latter here.
At least on this side of the pond, it might curtail some of government's outsourcing of surveillance duties to private institutions. Ah, but aren't they suffering from government-mandated data retention policies as well? Maybe not so effective over that after all.
Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
How about the actual EU Directive on Data Retention? (Directive 95/46/EC)
Read a nice summary of it here. It prevents a lot of the data mining and reselling that goes on in this country. If you don't feel that it's been good for anything but providing corporate welfare (...as a largely unfunded mandate), please let me know where it's failed and stripped citizens' rights.