Coming to America: The EU privacy directive

The House and Senate get to the party at last

The Senate is finally getting around to pushing a national data breach law out of the Committee on Commerce, Science and Transportation (thanks, TJX!). This represents a major change in how the federal government views the privacy of personal information, shifting away from a mix of self-regulation, state laws and industry-specific requirements (HIPAA, GLBA) toward a comprehensive national policy. The road to this point has been long, but it's worth examining to understand what's ahead.

The EU Privacy Directive

Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995, on the protection of individuals with regard to the processing of personal data and on the free movement of such data (aka the EU privacy directive), was implemented to standardize the requirements for the protection of personal information across all the countries that make up the EU. The directive defines personal data in an extremely vague manner:

Any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity; [...]

It then requires organizations that do business in the EU or with EU citizens to observe the following key points:

  • Only the minimum personal data needed should be collected, and it should be retained for the minimum time necessary.
  • The person to whom the data refers must consent to its collection and processing.
  • The directive attempts to reconcile the right to privacy with the right to free expression by carving out an exception for journalistic, artistic or literary expression.
  • The subject has the right to know who is keeping and accessing their personal data, and the right to examine the data and to have the data removed or changed.
  • Personal data must be kept secure and protected from disclosure.
  • Breaches of the directive may be enforced by member states.
  • Each member state must set up an authority to monitor and implement the rules of the directive.
  • Transfers of data to third countries must be limited to only those countries that ensure an adequate level of protection.

This last point brought the EU and the U.S. into conflict, because the U.S. had no comprehensive data protection law. After two years of negotiation, on May 31, 2000, the EU voted to approve the U.S. Safe Harbor principles.

Safe Harbor

The Safe Harbor framework was developed and implemented by the Department of Commerce to ensure an "adequate level of protection" for EU citizen data held by U.S. companies in accordance with the principles of the EU privacy directive. The program allows companies to "self-certify" annually. The list of self-certified companies is then published and maintained by the Commerce Department. The principles of Safe Harbor are as follows:

  • Individuals must be notified that information is being collected, to whom it is disclosed and the reason for its disclosure.
  • Individuals must be given a choice to opt out of data collection.
  • Transfers to third parties must follow the above two principles, or the company can require contractually that the third party comply with the principles of Safe Harbor.
  • Individuals must be able to access the information about them and be able to correct, amend or delete information that is incorrect.
  • Organizations must take reasonable steps to ensure the security and integrity of information.
  • Organizations must have an "available and affordable" recourse mechanism for investigation of claims, procedures to verify that the company is adhering to the Safe Harbor principles and an obligation to remedy problems, including "sanctions sufficiently rigorous to ensure compliance by the organization."

Enforcement of Safe Harbor is left to private organizations that offer certifications based on the principles, civil lawsuits and, in certain industries, federal regulators (for example, the U.S. Department of Transportation and the Federal Trade Commission enforce the Safe Harbor framework with respect to airlines).

History of state laws

Of course, Safe Harbor principles don't apply to U.S. companies holding the personal data of U.S. citizens, so individual states started to address the issue of privacy, mainly by focusing on data breaches.

California was the first to enact a breach disclosure law in 2003. The main requirements of the law are that companies must notify customers if their unencrypted personal information "was, or is reasonably believed to have been, acquired by an unauthorized person." This notification can be by mail, e-mail or press release to statewide media. California also set down a much more stringent definition of personal information:

An individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:

  • Social Security number
  • Driver's license number or California Identification Card number
  • Account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual's financial account

A majority of other states have followed California's lead and passed breach disclosure laws of their own. Unfortunately, the requirement for disclosure and definition of what constitutes personal information varies by state, making compliance difficult for firms that do business nationwide.

The Identity Theft Prevention Act

Into this convoluted environment, five bills were introduced in the Senate and two in the House addressing privacy breach disclosure. So far, Senate Bill 239 (the Notification of Risk to Personal Data Act of 2007) and Senate Bill 1178 (the Identity Theft Prevention Act) have been passed out of committee and on to the Senate floor.

While the two acts differ, the key points are the same. First, they both preempt existing state laws in order to clear out the confusion that exists currently. Second, they apply to any and every entity that stores personal information, with the only exception being for national security. While S.239 is strictly concerned with breach disclosure, S.1178 goes much further, requiring organizations to do the following:

1. Ensure the security and confidentiality of such data.
2. Protect against any anticipated threats or hazards to the security or integrity of such data.
3. Protect against unauthorized access to, or use of, such data that could result in substantial harm to any individual.

Both bills also create a national definition of what constitutes personal information. S.239 defines it fairly narrowly as:

Any name or number that may be used, alone or in conjunction with any other information, to identify a specific individual, including any:

  a) name, Social Security number, date of birth, official state- or government-issued driver's license or identification number, alien registration number, government passport number, employer or taxpayer identification number

  b) unique biometric data, such as fingerprint, voice print, retina or iris image, or other unique physical representation

  c) unique electronic identification number, address or routing code

  d) telecommunication identifying information or access device

S.1178 uses a definition more in line with California's. It defines personal information as an individual's name, address or telephone number combined with a Social Security number; financial account number (such as a credit card number); a state driver's license or ID number; or the username and password or PIN to access accounts for financial services.

These differences will most likely be ironed out by the Justice and Commerce committees as they pass through those venues.

Disclosure requirements

Both bills require notification of the FTC, the credit bureaus and consumers in a timely manner. S.1178 defines that period as no more than 25 business days since discovery, and both bills allow law enforcement to delay disclosure if it would interfere with an investigation.

S.239 has some straightforward and Draconian penalties -- $1,000 per day per person whose data is breached. S.1178 makes violation of the law an unfair or deceptive act under 15 USC § 57 and allows judges to "grant such relief as the court finds necessary to redress injury to consumers or other persons, partnerships and corporations resulting from the rule violation or the unfair or deceptive act or practice, as the case may be." (In other words, don't break the law, and if you do, don't annoy the judge.)

Sound simple? Not so fast

So far, all pretty straightforward. But then it gets interesting. First, both bills have a clause for enforcement by the states. That's right, they're letting the states act as pit bulls:

(a) IN GENERAL -- Except as provided in section 8(c), a State, as parens patriae, may bring a civil action on behalf of its residents in an appropriate state or district court of the United States to enforce the provisions of this Act, to obtain damages, restitution, or other compensation on behalf of such residents, or to obtain such further and other relief as the court may deem appropriate, whenever the attorney general of the State has reason to believe that the interests of the residents of the State have been or are being threatened or adversely affected by a covered entity that violates this Act or a regulation under this Act.

Since I've never met an AG that didn't want to be governor (at least), and since identity theft is a hot-button topic with the electorate, this provision will ensure that the law is enforced with great gusto.

S.239 punts the administration of the law to the Secret Service. S.1178 goes much further and requires the FTC to set up an "Information Security and Consumer Privacy Advisory Committee" to "collect, review, disseminate, and advise on best practices for covered entities to protect sensitive personal information stored and transferred." However, the bill specifically prohibits "regulations that require or impose a specific technology, product, technological standards, or solution." What does this mean? Most likely the establishment of an entity similar to California's Office of Privacy Protection, to define best or recommended practices.

The biggest change I see, however, is that these bills openly repudiate the long-held position of the U.S. government that, as the FTC's workbook on Safe Harbor puts it, "Self-regulatory initiatives are an effective approach to putting meaningful privacy protections in place."

In other words, we've finally come to realize that self-regulation by industry hasn't worked. The states have stepped in, creating the same situation of conflicting regulation that led to the creation of the EU privacy directive. The only question now is if the law that comes out of Congress will be a small step strictly focused on breaches, such as S.239, or whether we take the bigger step of forming a permanent committee under the FTC to monitor privacy as outlined by S.1178. Either way, the U.S. is finally moving away from the fractured environment of the past and toward a comprehensive privacy strategy.

Copyright © 2007 IDG Communications, Inc.
