Slashdot Mirror
EU Privacy Directive — Coming To the US?
An anonymous reader writes "An article over at ComputerWorld implies that the EU Privacy Directive, or something like it, will soon be signed into law here in the USA. The author seems to think this is a good thing, but I'm not so sure. From the article: 'We've finally come to realize that self-regulation by industry hasn't worked. The states have stepped in, creating the same situation of conflicting regulation that led to the creation of the EU privacy directive. The only question now is if the law that comes out of Congress will be a small step strictly focused on breaches, such as S.239, or whether we take the bigger step of forming a permanent committee under the FTC to monitor privacy as outlined by S.1178. Either way, the U.S. is finally moving away from the fractured environment of the past and toward a comprehensive privacy strategy.' Is it time for a national privacy law or 'Privacy Czar', or are we better off letting things be?"
or has this whole "Czar" thing been way overused.
...ever makes it into US law (if ever), it will be so watered down and ineffective that it might as well not even exist. The corporations who now run the USA will not stand for it.
I think in general privacy laws and government regulation of privacy is a good thing. The problem with self-regulation of privacy is that personal information is a lucrative commodity. It is hard to get companies to do what's right when most people don't even realize how much information they are giving up or what their rights are. I think well crafted legislation can provide a good framework for companies to better their privacy policies as well as provide redress for consumers who are adversely affected by bad policies. Good laws also provide a way for privacy advocacy groups to benchmark companies by providing a baseline as well as providing standards to hold companies to.
The key here will be that the laws need to be broad enough to deal with the rapidly changing business methods as well as provide room for companies to try different methods of achieving the results. At some point you can push companies far enough that they will then try to advertise on how great their privacy is versus some other company, so it's good to set the bar and allow companies to rise above it as well as just meeting it.
And pigs can fly. Not a snowball's chance in hell that this could happen! Restricting business? How dare they! :)
in the past, as near as maybe 20-30 years ago, privacy was not a huge issue, because it wasn't so easy and cheap to amass data. of course, files on people have always existed, but they were specialized and compartmentalized, and not easy to correlate and analyse. nevertheless, some governments (mostly associated with ex-communist countries) are known to have excelled at collection, storage and retrieval of files on people, even if they only used paper. these files were very successfully used to make people behave in certain ways.
:(
now, when there is the technology to collect, store and correlate all kinds of data about very many people by just about any entity with a minor budget, and there are no clear rules about what is okay and what is not, it is easy for the individual to be a target of abuse by a more powerful group (be that government, a large company, or some foundation), and it is almost impossible for the individual to counter-balance such groups, as data collection seems, in the absense of rules, quite legal, and, depending on the profile, the person may not be in a position to make a strong stand. so, it is pretty obvious that some levelling of the playing field is in order, and that it should be made a law, so that it has teeth.
to me the reasonable minimum would be the ability of a person to see the information an entity has amassed on them, and to be able to remove parts of their profile or (that being un-possible for some reason) the whole profile at any time, at least from a private organization. exceptions from that rule should be considered carefully, and introduced on a demonstrated need basis.
this will probably kill a few tabloid publications, and decrease the availability of movie star pictures on the internet though
The US bill does nothing to prevent a corporation from deliberately disclosing whatever they want to whomever they want - it's focused exclusively on securing those transactions from third parties.
The law is summed up in this paragraph:
I have a thing about my Social Security number - I only give it to those who require it to fulfill legal mandates. That includes my employer, who has decided (without my permission, and despite my express denial) to give it to a health care provider. This proposed law does nothing to prevent that.
I want them to be prevented from "selling or transferring" my confidential information, without my voluntary consent (no consent as a condition of employment, etc.).
"National Security is the chief cause of national insecurity." - Celine's First Law
You may not want your government monitoring your privacy. They already do.
In the UK, I do not want companies invading my privacy and it is made difficult for them to do so.
I'll see your Constitution and raise you a Queen.
Lacking <sarcasm> tags,
On a daily basis, do you protect your valuables and confidential records because you're afraid of a public official confiscating them or some random private citizen busting in and stealing them? Strangely enough, the primary reason we have government in the first place is to guard against the latter (whether through policing, the courts or recognition of property rights in general). Yet, people are /far/ more careless with their information and property in the hands of other private interests over whom they have virtually no control than they are with their public counterparts over whom they have direct control.
This is puzzling.
All too often laws are enacted with the best of intentions only to show that compliance with the law is a hollow shell of the desired objective. Case in point is something like the CanSpam directive. By giving you a link to a page that had all the correct bells and whistles to appear to allow you to de-list yourself, when it actually de-listed you from one list and listed you on 40 others, is the probable end result.
How many times have you had a company ask for ridiculously invasive information for your protection . Similar results will be incurred here. Currently asking information is at best spotty in legality and because of this you have a certain level of push back available to you when they request it. (No I will not give my sons grade school his SSN) however once a law like this goes into play it creates an aura of safety that once an organization appears to comply with it, the loss of your personal data no longer is a high level of liability for them. As a result your privacy is reduced to a level of cookie cutter actions that never get questioned because, 'everyone knows it meets legal requirements'.
I'm sorry, I'm to tired to be witty at the moment so this message will have to do.
I know almost nothing about the EU Privacy Directive, but I think the UK's Data Protection Act implements all or part of it, and I have a basic understanding of this. Please note my knowledge is very limited, there may be factual errors in my post, I'm not a lawyer.
The Data Protection Act restricts what an organisation can do with any personal data (such as your address), which it processes.
For example, the organisation:
See http://www.direct.gov.uk/en/RightsAndResponsibili
Guess why the USA has such a tremendous problem with "identity theft"? A much bigger one than in Europe?
Something which facilitates this is the missing privacy directive. Companies are much more careless with YOUR data if they can't be held accountable. This, of course, makes it easier for criminals to get your data.
Well, it would be a good thing if thy hadn't watered it down already..
"The more prohibitions there are, The poorer the people will be" -- Lao Tse