Slashdot Mirror


EU Privacy Directive — Coming To the US?

An anonymous reader writes "An article over at ComputerWorld implies that the EU Privacy Directive, or something like it, will soon be signed into law here in the USA. The author seems to think this is a good thing, but I'm not so sure. From the article: 'We've finally come to realize that self-regulation by industry hasn't worked. The states have stepped in, creating the same situation of conflicting regulation that led to the creation of the EU privacy directive. The only question now is if the law that comes out of Congress will be a small step strictly focused on breaches, such as S.239, or whether we take the bigger step of forming a permanent committee under the FTC to monitor privacy as outlined by S.1178. Either way, the U.S. is finally moving away from the fractured environment of the past and toward a comprehensive privacy strategy.' Is it time for a national privacy law or 'Privacy Czar', or are we better off letting things be?"


  1. Is it just me by kensai · · Score: 3, Insightful

    or has this whole "Czar" thing been way overused.

    1. Re:Is it just me by WrongSizeGlass · · Score: 5, Funny

      or has this whole "Czar" thing been way overused.

      Yes. Yes it has.

      I believe Czar is a Native American word meaning destined for failure.
    2. Re:Is it just me by RedElf · · Score: 3, Interesting

      Hold up a second, they're just trying to be like Caesar (except with bad spelling). Too bad they didn't read the history books to see what happened to him.

      --
      You know, I have one simple request. And that is to have sharks with frickin' laser beams attached to their heads!
    3. Re:Is it just me by WrongSizeGlass · · Score: 4, Funny

      too bad they didn't read the history books to see what happened to him.

      He had a salad named after him?
    4. Re:Is it just me by WrongSizeGlass · · Score: 2, Funny

      Among other, more dire things... I don't know about you, but I can't think of too many things worse than having my legacy associated with a meal of the vegetarian variety.
    5. Re:Is it just me by RedElf · · Score: 2, Funny

      I don't know about you, but I can't think of too many things worse than having my legacy associated with a meal of the vegetarian variety.

      Real vegetarians won't eat a Caesar salad because of the eggs and sometimes chicken toppings. Of course, to have a legacy you would have to have offspring, and this is Slashdot, where leaving your mother's basement is not only strictly prohibited, it's highly discouraged.
      --
      You know, I have one simple request. And that is to have sharks with frickin' laser beams attached to their heads!
    6. Re:Is it just me by Arancaytar · · Score: 2, Informative

      Egg? "Real vegetarian" does not mean "Vegan".

      ----

      As for worse things to be associated with than salads, try surgical procedures. Messy.

    7. Re:Is it just me by PhxBlue · · Score: 5, Funny

      I believe Czar is a Native American word meaning destined for failure.

      Y'know, based on my knowledge of history, I'd have to guess it means the same thing in Russian.

      --
      !#@%*)anks for hanging up the phone, dear.
    8. Re:Is it just me by whoever57 · · Score: 3, Informative

      What about the anchovy used in Caesar salad (either directly or as an ingredient of Worcestershire sauce)? That should put it off the list of edible foods for vegetarians.

      --
      The real "Libtards" are the Libertarians!
    9. Re:Is it just me by Bellum+Aeternus · · Score: 3, Insightful

      Czar is an English spelling of a Russian word meaning caesar - which means autocrat. So what they're saying when they label somebody a czar is that he's a leader who's above the law and with absolute authority. Seems to me that in the "free" West, terms like czar should be avoided for so many reasons.

      I mean what western leader thinks he's above the law... oh right.

      Anyways, why not follow the British example and refer to everyone as a minister?

      --
      - I voted for Nintendo and against Bush
    10. Re:Is it just me by capnez · · Score: 3, Informative

      Incidentally, I just read my current issue of The Economist, and they have a leader (op-ed piece) about absurd titles. You can read it online at http://www.economist.com/opinion/displaystory.cfm?story_id=9339915.

      My favourite sentence from that piece: "What next? Führers, Caudillos, Duci, Gauleiters and Generalisimos must be due for a comeback."

    11. Re:Is it just me by dosquatch · · Score: 2, Funny

      Silly poster, fish and chicken don't count* - only the cute animals.

      --
      "Hey, the third matrix movie would have been good except for the plot, story, and acting." --AC
    12. Re:Is it just me by sortius_nod · · Score: 2, Funny

      aren't fish vegetables?

  2. By the time this thing... by Anonymous Coward · · Score: 5, Insightful

    ...ever makes it into US law (if ever), it will be so watered down and ineffective that it might as well not even exist. The corporations who now run the USA will not stand for it.

    1. Re:By the time this thing... by HomelessInLaJolla · · Score: 3, Insightful

      "We've finally come to realize that self-regulation by industry hasn't worked."

      This is some serious disinformation here. Self-regulation by the tech industry worked just fine until the government began allowing business and corporate interests to affect its subsidies, grants, and funding. It was in the transferral of the power to self-regulate from the researchers who created the technology to the Wall Street entities, which became government-appointed overseers and distributors of the technology, that the ability to self-regulate was lost.

      There is no problem with self-regulation in the industry. The problem is that the industry is not allowed to self-regulate due to special interest groups and politicians' own greed and egos affecting the funding and legislative favoritism.
      --
      the NPG electrode was replaced with carbon blac
  3. There's a big question here. by sehlat · · Score: 2, Interesting

    Given the history of regulatory agencies (see the history of the Interstate Commerce Commission for starters), just how long will it be before the new regulators end up captive to the industries they regulate?

    There's a line in the movie "Absence of Malice" which sums up the problem of government regulators very neatly, even if it wasn't intended that way: "Have you given any thought to what you'll do after government service?"

  4. Privacy Laws are a Good Thing by ShadeTC · · Score: 3, Funny

    I think in general privacy laws and government regulation of privacy is a good thing. The problem with self-regulation of privacy is that personal information is a lucrative commodity. It is hard to get companies to do what's right when most people don't even realize how much information they are giving up or what their rights are. I think well crafted legislation can provide a good framework for companies to better their privacy policies as well as provide redress for consumers who are adversely affected by bad policies. Good laws also provide a way for privacy advocacy groups to benchmark companies by providing a baseline as well as providing standards to hold companies to.

    The key here will be that the laws need to be broad enough to deal with the rapidly changing business methods as well as provide room for companies to try different methods of achieving the results. At some point you can push companies far enough that they will then try to advertise on how great their privacy is versus some other company, so it's good to set the bar and allow companies to rise above it as well as just meeting it.

  5. Depends by TubeSteak · · Score: 2, Interesting

    Printer Friendly:
    http://www.computerworld.com/action/article.do?command=printArticleBasic&articleId=9024784

    Anyways, it doesn't matter what the US signs into law if there is no meaningful oversight, penalties and enforcement.

    I also can't imagine that the business lobby isn't going to scream and shout about the expense involved with implementing true EU style reforms.

    One alternative to all these expensive-to-implement laws is to make it an opt-in industry. By the time they're done culling out all the people who don't want to be in the database (a one-time event), EU style privacy laws won't cost all that much to implement.

    --
    [Fuck Beta]
    o0t!
    1. Re:Depends by zCyl · · Score: 2, Interesting

      Anyways, it doesn't matter what the US signs into law if there is no meaningful oversight, penalties and enforcement.

      It can, actually. If the American people believe they have a legal right to privacy, and expect it, then eventually oversight, penalties, and enforcement will come around, even if they don't start out in place.

      Sometimes we have to aim for gradual cultural shifts if we can't immediately obtain sweeping and effective legislation.
  6. Yeah, right! by DimGeo · · Score: 3, Funny

    And pigs can fly. Not a snowball's chance in hell that this could happen! Restricting business? How dare they! :)

  7. Re:Breaking privacy news: by WrongSizeGlass · · Score: 2, Funny

    I just pooped my cute little pants. (P.S. Since my karma went down recently, I am unable to post as much. Thanks for your patience.)

    It's not your posting, but you pooping that's affecting your Karma. Just ask Earl ;-)
  8. What's the problem? by lawpoop · · Score: 2, Insightful

    The author seems to think this is a good thing, but I'm not so sure.

    What exactly is the problem, AC? We don't need a government function actually serving the interests of the average consumer, instead of large corporations? It will become another bloated, ineffectual government bureaucracy that gets hijacked by industry, like the EPA and the FDA? This is a function that belongs on the state level, like the BBB?

    I was going to start to argue *for* another contender on the side of the little guy, but I think I just talked myself out of it.
    --
    Computers are useless. They can only give you answers.
    -- Pablo Picasso
  9. the lines in the privacy field need to be drawn by siddesu · · Score: 4, Insightful

    in the past, as near as maybe 20-30 years ago, privacy was not a huge issue, because it wasn't so easy and cheap to amass data. of course, files on people have always existed, but they were specialized and compartmentalized, and not easy to correlate and analyse. nevertheless, some governments (mostly associated with ex-communist countries) are known to have excelled at collection, storage and retrieval of files on people, even if they only used paper. these files were very successfully used to make people behave in certain ways.

    now, when there is the technology to collect, store and correlate all kinds of data about very many people by just about any entity with a minor budget, and there are no clear rules about what is okay and what is not, it is easy for the individual to be a target of abuse by a more powerful group (be that government, a large company, or some foundation), and it is almost impossible for the individual to counter-balance such groups, as data collection seems, in the absence of rules, quite legal, and, depending on the profile, the person may not be in a position to make a strong stand. so, it is pretty obvious that some levelling of the playing field is in order, and that it should be made a law, so that it has teeth.

    to me the reasonable minimum would be the ability of a person to see the information an entity has amassed on them, and to be able to remove parts of their profile or (that being un-possible for some reason) the whole profile at any time, at least from a private organization. exceptions from that rule should be considered carefully, and introduced on a demonstrated need basis.

    this will probably kill a few tabloid publications, and decrease the availability of movie star pictures on the internet though :(

    1. Re:the lines in the privacy field need to be drawn by ObsessiveMathsFreak · · Score: 4, Funny

      this will probably kill a few tabloid publications, and decrease the availability of movie star pictures on the internet though :(
      :)
      --
      May the Maths Be with you!
  10. It is already "watered down..." by msauve · · Score: 5, Insightful
    if you read the bill, it's nothing like the EU privacy laws. The EU laws protect a person's privacy, requiring their permission to disclose personal information (among other things).

    The US bill does nothing to prevent a corporation from deliberately disclosing whatever they want to whomever they want - it's focused exclusively on securing those transactions from third parties.

    The law is summed up in this paragraph:

    A covered entity shall develop, implement, maintain, and enforce a written program for the security of sensitive personal information the entity collects, maintains, sells, transfers, or disposes of, containing administrative, technical, and physical safeguards

    I have a thing about my Social Security number - I only give it to those who require it to fulfill legal mandates. That includes my employer, who has decided (without my permission, and despite my express denial) to give it to a health care provider. This proposed law does nothing to prevent that.

    I want them to be prevented from "selling or transferring" my confidential information, without my voluntary consent (no consent as a condition of employment, etc.).
    --
    "National Security is the chief cause of national insecurity." - Celine's First Law
    1. Re:It is already "watered down..." by ducomputergeek · · Score: 4, Insightful
      I've been asked for my SSN before on job applications and have told them I'll put it on a W-4 when hired, and you can't force me to give it to you, because by law the only people I am required to give it out to are the Federal Government.

      Maybe one reason why I had trouble finding a job right out of college.

      --
      "The problem with socialism is eventually you run out of other people's money" - Thatcher.
  11. Preemption by overshoot · · Score: 2, Insightful
    Like the (you) CAN-SPAM and the new (you can) SPY Acts, the main point of both bills is the preemption of (effective) State laws. By pulling all enforcement into a single Federal authority and removing private rights of action, it becomes much less important for the drafters to include explicit language neutering the nominally-beneficial provisions of the legislation.

    Done right, these laws get the Legislature some headlines for the voters while effectively insulating the campaign contributors from the risk of being held liable for doing what the Act theoretically prohibits.

    Thought experiment: what would either Act have done in the case of HP spying on private parties?

    --
    Lacking <sarcasm> tags, /. substitutes moderation as "Troll."
  12. Re:Gaaah!! Go, go fist of death! by Gonoff · · Score: 3, Insightful

    You may not want your government monitoring your privacy. They already do.

    In the UK, I do not want companies invading my privacy and it is made difficult for them to do so.

    --
    I'll see your Constitution and raise you a Queen.
  13. That's not "watered down..." by overshoot · · Score: 3, Insightful

    The US bill does nothing to prevent a corporation from deliberately disclosing whatever they want to whomever they want - it's focused exclusively on securing those transactions from third parties.

    That is, as you point out, the whole purpose of the Act. It's not "watered down" -- it's specifically designed to enable exactly what you cite (letting corporations do whatever they damn well please with your personal data) without interference from annoying State privacy laws.
    --
    Lacking <sarcasm> tags, /. substitutes moderation as "Troll."
    1. Re:That's not "watered down..." by jandersen · · Score: 2, Insightful

      As a European I take it for granted that my privacy is completely my own, and it seems obvious that I have to give written permission for anybody else to use my data - even government agencies. And that is one of the things about America that I really dislike - it is as if the only thing that matters in America is big money, and whatever big money wants, it gets. Just take the outrage of Microsoft trying to change legislation in the US, which I read about here on /. - the reactions of my colleagues here in the UK were mostly disbelief; it really is something completely unheard of to most Europeans. Yes, the government consults the industry when they propose new legislation, but at the end of the day, the decision is up to the Parliament, and they often pass laws that are not at all popular with Big Business; that is the purpose of democratic government: to pass laws that benefit the people, not just a small, affluent upper class.

      This situation is of course why Americans always go on about privacy - you are starved of it. It's like when people are hungry, all they can think is food. Probably the same thing with freedom, I reckon.

  14. You trust this crap? by J'raxis · · Score: 2, Insightful

    Just wait. This will be an attempt to stealthily pass a bunch of anti-privacy legislation, such as data-retention laws.

  15. So, who really worries you more? by C10H14N2 · · Score: 4, Insightful

    On a daily basis, do you protect your valuables and confidential records because you're afraid of a public official confiscating them or some random private citizen busting in and stealing them? Strangely enough, the primary reason we have government in the first place is to guard against the latter (whether through policing, the courts or recognition of property rights in general). Yet, people are /far/ more careless with their information and property in the hands of other private interests over whom they have virtually no control than they are with their public counterparts over whom they have direct control.

    This is puzzling.

  16. The fallacy is that compliance = privacy by Allnighterking · · Score: 3, Interesting

    All too often laws are enacted with the best of intentions only to show that compliance with the law is a hollow shell of the desired objective. Case in point is something like the CanSpam directive. By giving you a link to a page that had all the correct bells and whistles to appear to allow you to de-list yourself, when it actually de-listed you from one list and listed you on 40 others, is the probable end result.

    How many times have you had a company ask for ridiculously invasive information "for your protection"? Similar results will be incurred here. Currently, asking for information is at best spotty in legality, and because of this you have a certain level of push-back available to you when they request it. (No, I will not give my son's grade school his SSN.) However, once a law like this goes into play, it creates an aura of safety: once an organization appears to comply with it, the loss of your personal data is no longer a high level of liability for them. As a result, your privacy is reduced to a level of cookie-cutter actions that never get questioned because "everyone knows it meets legal requirements".

    --

    I'm sorry, I'm too tired to be witty at the moment so this message will have to do.

  17. Re:Gaaah!! Go, go fist of death! by emm-tee · · Score: 5, Informative

    No, I do not want the government monitoring my privacy. That is the exact opposite of privacy. You don't understand (or maybe you are a troll). The government doesn't monitor the individual. This is a set of rules to limit what organisations can do with information about individuals.

    I know almost nothing about the EU Privacy Directive, but I think the UK's Data Protection Act implements all or part of it, and I have a basic understanding of this. Please note my knowledge is very limited, there may be factual errors in my post, I'm not a lawyer.

    The Data Protection Act restricts what an organisation can do with any personal data (such as your address), which it processes.

    For example, the organisation:
    • can only use your data for the purposes stated when you gave them the data.
    • cannot keep much more data than is necessary for the purpose stated.
    • cannot pass your data on to a third party without your permission (this means that I get no junk post at all).
    • must ensure that any data they hold on you is accurate.
    • is not allowed to hold the information for longer than is necessary.
    • must keep the data secure.
    • may not export your data to a place where it is subject to less stringent privacy rules.
    • must provide you a copy of any data they have on you for a small fee (this is what allows people to request copies of closed-circuit television tapes they may appear in).

    See http://www.direct.gov.uk/en/RightsAndResponsibilities/DG_10028507 for more information.
  18. Re:Gaaah!! Go, go fist of death! by Anonymous Coward · · Score: 2, Insightful

    "For example, the organisation:"

    The problem, even in Europe, is, of course, corporations lobbying States, so the laws are not so-so on them.

    "can only use your data for the purposes stated when you gave them the data."

    But the law won't forbid putting the customer in such a position that he has to sign an agreement for almost any purpose (while there are quite a lot of laws about abusive clauses in contracts, I have yet to see one contract without the default "you agree to the cession of your personal data for whatever purpose we see fit", but I haven't heard yet about a sentence declaring such kinds of clauses void and invalid).

    "cannot keep much more data than is necessary for the purpose stated"

    Well, you allowed us "any purpose", so no problem here.

    "cannot pass your data on to a third party without your permission"

    Except companies belonging to the same holding group and those that need such data in order to properly do business with us. That, combined with the fact that such databases only have to be registered by the "owner", makes them untraceable for any practical intent or purpose.

    "must ensure that any data they hold on you is accurate"

    It is *you* who has the burden to provide *them* with accurate data, both when you first give it to them and when it changes.

    "is not allowed to hold the information for longer than is necessary"

    "Any purpose", remember?

    "must keep the data secure"

    For the legal meaning of "secure", which for data other than faith, police records, sexual inclinations or direct bank accounting is laughable.

    "may not export your data to a place where it is subject to less stringent privacy rules"

    Unless you export it to a company part of your same holding.

    "must provide you a copy of any data they have on you for a small fee"

    Untrue. All they have to comply with is giving you the means to reach them to ask for your right to modify, decline or delete such data, as it is recorded at the public agency for privacy protection. Since all they have to put on record is, e.g., "a database of customer data including enough information to reach the customer by mail, phone, fax or e-mail", nothing like passing a database schema, number, location and access methods of servers, etc., that means that all you can do is ask them to delete your data and hope for the best, since there's no real means to confirm that your data is, in fact, deleted; and that only for the owner of the data; if the owner lent it to a subsidiary, there's simply no way to follow the tracks.

  19. Re:I have lived in the EU - This is a *GOOD* thing by cdrguru · · Score: 2, Insightful

    You can do that now in the US. And the US Information Commissioner does the same thing when the spammer can be traced to a whole bunch of compromised Windows boxes in California or some rented server in Korea.

    No matter what laws are passed, unless there is cooperation from both the ISPs and foreign governments spam isn't going anywhere anytime soon.

  20. HIPAA didn't work by r00t · · Score: 2, Informative

    Do I want to get the health insurance my employer subsidizes? Sure I do. The insurer makes that conditional on waiving my HIPAA rights. I guess they want to post my info on their web site (crap, they do!) and leave it where even the janitor can see it.

    I'm also easy to impersonate.

    Meanwhile, if she follows the law, my own wife has no ability to get the info. WTF?

    My blood relatives should be able to get inheritable disease records. People who lived with me during the past year should be able to get contagious disease records. Anybody sharing finances with me (or recently, as with an ex-spouse) should be able to get billing records.

    So HIPAA has pretty much made everything worse for me. I don't need more of the same.

  21. EU could learn from US too by erik_norgaard · · Score: 2, Informative

    The EU directive is very good when it comes to specifying what 3rd parties may do with private data and giving the citizen rights to control the use of such data:

    * The citizen may request information of what data is kept
    * The citizen may require incorrect data to be corrected
    * The citizen may require data to be deleted

    Further, data must not be shared with states outside the EU unless the EU has recognized these as providing adequate protection of personal data. The US is not on the list (but Canada is), which is the reason for the current conflict over passenger data on transatlantic flights.

    But the EU directive lacks one thing: supervision. There are no controls implemented, no prior certification of data processing entities, no subsequent audit to ensure that data protection is adequately implemented, not even common standards on how data must be protected. AND there is no obligation to publicly announce data breaches.

    Certifying data processing entities and then granting these authorization to handle data is cumbersome and expensive and won't ever happen - fine. But, some control system should be established, and standards or guidelines should be made. Why is there no requirement to encrypt personal data when stored in a non-controlled environment (say mobile devices) and not in use?

    And after the data retention directive, which seems also to be on the road into US law, why did they not set strict requirements on protection of these data to ensure that they are only available for the purpose of the retention - investigation of terrorism? Why may companies retain such traffic data and store it unencrypted?

    At the very least, we could learn from the many US states that require companies to advise customers about data breaches and the risk of abuse.

  22. A good thing by Kirth · · Score: 3, Insightful

    Guess why the USA has such a tremendous problem with "identity theft"? A much bigger one than in Europe?

    Something which facilitates this is the missing privacy directive. Companies are much more careless with YOUR data if they can't be held accountable. This, of course, makes it easier for criminals to get your data.

    Well, it would be a good thing if they hadn't watered it down already.

    --
    "The more prohibitions there are, The poorer the people will be" -- Lao Tse
  23. Re:Gaaah!! Go, go fist of death! by jimicus · · Score: 2, Interesting

    In the UK, I do not want companies invading my privacy and it is made difficult for them to do so.

    I must have missed something. Yeah, it's difficult for the man at the local newsagents to demand your name, DOB, NI number and inside leg measurement then sell it to the highest bidder when you go in to buy your daily paper, but it's a different story for banks, building societies and property rental agencies - most of whom I'd be dubious about trusting with too much information.

    Generally in the UK they don't sell it to the highest bidder anyway - they just print it out and throw it in the street.

  24. How's the weather in Libertine Fantasy-land? by Valdrax · · Score: 2, Insightful

    This is some serious disinformation here. Self-regulation by the tech industry worked just fine until the government began allowing business and corporate interests to affect its subsidies, grants, and funding.

    I think you meant to put a colon after the word "here". It makes more sense that way.

    I mean, do you honestly believe that there has ever been some mythical time in US history in which businesses happily kept to themselves and acted like gentlemen in the best interests of their customers before some switch was flipped or some line was crossed and suddenly everyone started buying and trading power and favor? Must've been nice in that parallel universe.

    Besides, you seem to be under the illusion that the privacy of their customers is in each business's best interest and that only the evil, evil government is causing them to datamine their customer base instead of the rich profits involved in knowing your customer's needs and desires and how to best inflame them. Privacy, frankly, is an impediment to profit.

    --
    If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").