Computerworld - The Senate is finally getting around to pushing a national data breach law out of the Committee on Commerce, Science and Transportation (thanks, TJX! ). This represents a major change in how the federal government views the privacy of personal information, shifting away from a mix of self-regulation, state laws and industry-specific requirements (HIPAA, GLBA) toward a comprehensive national policy. The road to this point has been long, but it's worth examining to understand what's ahead.
The EU Privacy Directive
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995, on the protection of individuals with regard to the processing of personal data and on the free movement of such data (aka the EU privacy directive), was implemented to standardize the requirements for the protection of personal information across all the countries that make up the EU. The directive defines personal data in an extremely vague manner:
Any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity; [...]
It then requires organizations that do business in the EU or with EU citizens to observe the following key points:
This last point brought the EU and the U.S. into conflict, because the U.S. had no comprehensive data protection law. After two years of negotiation, on May 31, 2000, the EU voted to approve the U.S. Safe Harbor principles (PDF format).
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
