EU Privacy Directive — Coming To the US?

An anonymous reader writes "An article over at ComputerWorld implies that the EU Privacy Directive, or something like it, will soon be signed into law here in the USA. The author seems to think this is a good thing, but I'm not so sure. From the article: 'We've finally come to realize that self-regulation by industry hasn't worked. The states have stepped in, creating the same situation of conflicting regulation that led to the creation of the EU privacy directive. The only question now is if the law that comes out of Congress will be a small step strictly focused on breaches, such as S.239, or whether we take the bigger step of forming a permanent committee under the FTC to monitor privacy as outlined by S.1178. Either way, the U.S. is finally moving away from the fractured environment of the past and toward a comprehensive privacy strategy.' Is it time for a national privacy law or 'Privacy Czar', or are we better off letting things be?"

Is it just me

[kensai]

or has this whole "Czar" thing been way overused.

Re:Is it just me

[Bellum+Aeternus]

Czar is an English spelling of a Russian word meaning caesar - which means autocrat. So what they're saying when they label somebody a czar is that his a leader who's above the law and with absolute authority. Seems to me, that in the "free" West, terms like czar should avoided for so many reasons.

I mean what western leader thinks he's above the law... oh right.

Anyways, why not follow the British example and refer to everyone as a minister?

By the time this thing...

...ever makes it into US law (if ever), it will be so watered down and ineffective that it might as well not even exist. The corporations who now run the USA will not stand for it.

Re:By the time this thing...

[HomelessInLaJolla]

"We've finally come to realize that self-regulation by industry hasn't worked." This is some serious disinformation here. Self-regulation by the tech industry worked just fine until the government began allowing business and corporate interests to affect its subsidies, grants, and funding. It was in the transferral of the power to self regulate from the researchers who created the technology to the Wall Street entities which began government appointed overseers and distributors of the technology that the ability to self-regulate was lost.

There is no problem with self-regulation in the industry. The problem is that the industry is not allowed to self-regulate due to special interest groups and politicians' own greed and egos affecting the funding and legislative favoritism.

DHS has a Privacy Committee. Nobody listens.

The DHS's own Privacy Committee has put out a couple of very sensible reports in response to Real ID and other issues. I don't see any action. What's the point if nobody's going to listen?

What's the problem?

[lawpoop]

The author seems to think this is a good thing, but I'm not so sure. What exactly is the problem, AC? We don't need a government function actually serving the interests of the average consumer, instead of large corporations? It will become another bloated, ineffectual government bureaucracy that gets hijacked by industry, like the EPA and the FDA? This is a function that belongs on the state level, like the BBB?

I was going to start to argue *for* another contender on the side of the little guy, but I think I just talked myself out of it.

the lines in the privacy field need to be drawn

[siddesu]

in the past, as near as maybe 20-30 years ago, privacy was not a huge issue, because it wasn't so easy and cheap to amass data. of course, files on people have always existed, but they were specialized and compartmentalized, and not easy to correlate and analyse. nevertheless, some governments (mostly associated with ex-communist countries) are known to have excelled at collection, storage and retrieval of files on people, even if they only used paper. these files were very successfully used to make people behave in certain ways.

now, when there is the technology to collect, store and correlate all kinds of data about very many people by just about any entity with a minor budget, and there are no clear rules about what is okay and what is not, it is easy for the individual to be a target of abuse by a more powerful group (be that government, a large company, or some foundation), and it is almost impossible for the individual to counter-balance such groups, as data collection seems, in the absense of rules, quite legal, and, depending on the profile, the person may not be in a position to make a strong stand. so, it is pretty obvious that some levelling of the playing field is in order, and that it should be made a law, so that it has teeth.

to me the reasonable minimum would be the ability of a person to see the information an entity has amassed on them, and to be able to remove parts of their profile or (that being un-possible for some reason) the whole profile at any time, at least from a private organization. exceptions from that rule should be considered carefully, and introduced on a demonstrated need basis.

this will probably kill a few tabloid publications, and decrease the availability of movie star pictures on the internet though :(

It is already "watered down..."

[msauve]

if you read the bill, it's nothing like the EU privacy laws. The EU laws protect a person's privacy, requiring their permission to disclose personal information (among other things).

The US bill does nothing to prevent a corporation from deliberately disclosing whatever they want to whomever they want - it's focused exclusively on securing those transactions from third parties.

The law is summed up in this paragraph:

A covered entity shall develop, implement, maintain, and enforce a written program for the security of sensitive personal information the entity collects, maintains, sells, transfers, or disposes of, containing administrative, technical, and physical safeguards

I have a thing about my Social Security number - I only give it to those who require it to fulfill legal mandates. That includes my employer, who has decided (without my permission, and despite my express denial) to give it to a health care provider. This proposed law does nothing to prevent that.

I want them to be prevented from "selling or transferring" my confidential information, without my voluntary consent (no consent as a condition of employment, etc.).

Re:It is already "watered down..."

[ducomputergeek]

I've been asked for my SSN before on job applications and have told them, I'll put it on a W-4 when hired and you can't force me to give it to you because by law the only people I am required to give it out to is the Federal Government.

Maybe one reason why i had trouble finding a job right out of college.

Preemption

[overshoot]

Like the (you) CAN-SPAM and the new (you can) SPY Acts, the main point of both bills is the preemption of (effective) State laws. By pulling all enforcement into a single Federal authority and removing private rights of action, it becomes much less important for the drafters to include explicit language neutering the nominally-beneficial provisions of the legislation.

Done right, these laws get the Legislature some headlines for the voters while effectively insulating the campaign contributors from the risk of being held liable for doing what the Act theoretically prohibits.

Thought experiment: what would either Act have done in the case of HP spying on private parties?

Re:Gaaah!! Go, go fist of death!

[Gonoff]

You may not want your government monitoring your privacy. They already do.

In the UK, I do not want companies invading my privacy and it is made difficult for them to do so.

That's not "watered down..."

[overshoot]

The US bill does nothing to prevent a corporation from deliberately disclosing whatever they want to whomever they want - it's focused exclusively on securing those transactions from third parties.

That is, as you point out, the whole purpose of the Act. It's not "watered down" -- it's specifically designed to enable exactly what you cite (letting corporations do whatever they damn well please with your personal data) without interference from annoying State privacy laws.

Re:That's not "watered down..."

[jandersen]

As a European I take it for granted that my privacy is completely my own, and it seems obvious that I have to give written permission for anybody else to use my data - even government agencies. And that is one of the things about America that I really dislike - it is as if the only thing that matters in America is big money, and whatever big money wants, it gets. Just take the outrage of Microsoft trying to change legislation in the US, which read about here on /. - the reactions of my colleagues here in UK were mostly disbelief; it really is something completely unheard of to most Europeans. Yes, the government consults the industry when they propose new legislation, but at the end of the day, the decision is up to the Parliament, and they often pass laws that are not at all popular with Big Business; that is the purpose of democratic government: to pass laws that benefit the people, not just a small, affluent upper class.

This situation is of course why Americans always go on about privacy - you are starved of it. It's like when people are hungry, all they can think is food. Probably the same thing with freedom, I reckon.

You trust this crap?

[J'raxis]

Just wait. This will be an attempt to stealthily pass a bunch of anti-privacy legislation, such as data-retention laws.

So, who really worries you more?

[C10H14N2]

On a daily basis, do you protect your valuables and confidential records because you're afraid of a public official confiscating them or some random private citizen busting in and stealing them? Strangely enough, the primary reason we have government in the first place is to guard against the latter (whether through policing, the courts or recognition of property rights in general). Yet, people are /far/ more careless with their information and property in the hands of other private interests over whom they have virtually no control than they are with their public counterparts over whom they have direct control.

This is puzzling.

Re:UK privacy?

one has no legal expectation of privacy in a public place

I would like to quote a cleverer man than me:

anyone who cannot distinguish between "not private" and
"under constant surveilance" is a fucking idiot

Re:Gaaah!! Go, go fist of death!

"For example, the organisation:"

The problem, even in Europe are -of course, corporations lobbying States, so the laws are not so-so on them.

"can only use your data for the purposes stated when you gave them the data."

But the law won't forbid putting the customer on such a position but to sign agreement for almost any purpouse (while there are quite a lot of laws about abusive clauses in contracts, I have yet to see one contract without the default "you agree on the cesion of your personal data for whatever purpouse we see fit" but I haven't heard yet about a sentence claiming such kind of clauses void and invalid).

"cannot keep much more data than is necessary for the purpose stated"

Well, you allowed us "any purpouse" so no problem here.

"cannot pass your data on to a third party without your permission"

Except companies belonging to the same holding group and those that need such data in order to properly making bussiness with us. That, bound to the fact that such databases only have to be registered by the "owner" makes them untraceable for any practical intent or purpouse.

"must ensure that any data they hold on you is accurate"

It is *you* the one with the burden to procure *them* accurate data both when you first give it to them but when it changes too.

"is not allowed to hold the information for longer than is necessary"

"Any purpouse", remember?

"must keep the data secure"

For the legal meaning of "secure", which for data other than faith, police records, sexual inclinations or direct bank accounting is laughable.

"may not export your data to a place where it is subject to less stringent privacy rules"

Unless you export it to a company part of your same holding.

"must provide you a copy of any data they have on you for a small fee"

Untrue. All they have to comply to is giving you the means to reach them to ask for your right to modify, decline or delete such data -as it is recorded on the public agency for privacy protection. Since all they have to put on record is ie. "a database of customer data including enough information to reach the customer by mail, phone, fax or e-mail", nothing like passing a database schema, number, location and access methods of servers, etc. that means that all you can do is asking them to delete your data and hope for the best since there's no real means to confirm that your data is, in fact, deleted; and that only for the owner of the data; if the owner lended it to a filial, there's simply no way to follow the tracks.

Re:I have lived in the EU - This is a *GOOD* thing

[cdrguru]

You can do that now in the US. And the US Information Commissioner does the same thing when the spammer can be traced to a whole bunch of compromised Windows boxes in California or some rented server it Korea.

No matter what laws are passed, unless there is cooperation from both the ISPs and foreign governments spam isn't going anywhere anytime soon.

A good thing

[Kirth]

Guess why the USA has such a tremendous problem with "identity theft"? A much bigger one than in Europe?

Something which facilitates this is the missing privacy directive. Companies are much more careless with YOUR data if they can't be held accountable. This, of course, makes it easier for criminals to get your data.

Well, it would be a good thing if thy hadn't watered it down already..

How's the weather in Libertine Fantasy-land?

[Valdrax]

This is some serious disinformation here. Self-regulation by the tech industry worked just fine until the government began allowing business and corporate interests to affect its subsidies, grants, and funding.

I think you meant to put a colon after the word here. It makes more sense that way.

I mean, do you honestly believe that there has ever been some mythical time in US history in which businesses happily kept to themselves and acted like gentlemen in the best interests of their customers before some switch was flipped or some line was crossed and suddenly everyone started buying and trading power and favor? Must've been nice in that parallel universe.

Besides, you seem to be under the illusion that the privacy of their customers is in each business's best interest and that only the evil, evil government is causing them to datamine their customer base instead of the rich profits involved in knowing your customer's needs and desires and how to best inflame them. Privacy, frankly, is an impediment to profit.