Coming to America: The EU privacy directive

Computerworld - The Senate is finally getting around to pushing a national data breach law out of the Committee on Commerce, Science and Transportation (thanks, TJX! ). This represents a major change in how the federal government views the privacy of personal information, shifting away from a mix of self-regulation, state laws and industry-specific requirements (HIPAA, GLBA) toward a comprehensive national policy. The road to this point has been long, but it's worth examining to understand what's ahead.

The EU Privacy Directive

Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995, on the protection of individuals with regard to the processing of personal data and on the free movement of such data (aka the EU privacy directive), was implemented to standardize the requirements for the protection of personal information across all the countries that make up the EU. The directive defines personal data in an extremely vague manner:

Any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity; [...]

It then requires organizations that do business in the EU or with EU citizens to observe the following key points:

• Only the minimum personal data needed should be collected, and it should be retained for the minimum time necessary.
• Consent must be given by the person to which the data refers to collect and process the data.
• The directive attempts to reconcile the right to privacy with the right to free expression by carving out an exception for journalistic, artistic or literary expression.
• The subject has the right to know whom is keeping and accessing their personal data, and the right to examine the data and to have the data removed or changed.
• Personal data must be kept secure and protected from disclosure.
• Breaches of the directive may be enforced by member states.
• Each member state must set up an authority to monitor and implement the rules of the directive.
• Transfers of data to third countries must be limited to only those countries that ensure an adequate level of protection.

This last point brought the EU and the U.S. into conflict, because the U.S. had no comprehensive data protection law. After two years of negotiation, on May 31, 2000, the EU voted to approve the U.S. Safe Harbor principles (PDF format).

• Individuals must be notified that information is being collected, t
  1

  2

  3

  4

  Next »