1 / 20

EU and US Privacy Law

EU and US Privacy Law. David L. Baumer North Carolina State University College Of Management. Comparing EU and US Privacy Law. In this paper we compare current US and EU Privacy law

Audrey
Download Presentation

EU and US Privacy Law

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. EU and US Privacy Law David L. Baumer North Carolina State University College Of Management David Baumer, ALSB, 2003

  2. Comparing EU and US Privacy Law • In this paper we compare current US and EU Privacy law • We also compare the 2002 EU Directive on Privacy and Electronic Communication and the 2003 version of OPPA (Online Privacy Protection Act) • Paper is organized around the Fair Information Practices (FIPs) David Baumer, ALSB, 2003

  3. Comparing EU and US Privacy Law • The 2002 EU Directive requires national legislation by Member States to implement it by Oct. of 2003 • The latest version of OPPA (H.S. 69) is considerably stripped down from earlier versions • Does not have two layers of protection for PII, that is merely identifyingbut not private information and • Sensitive PII, such as ethnicity, sexual orientation, religion, political affiliations David Baumer, ALSB, 2003

  4. US Law: PII and Sensitive PII • 2003 OPPA • PII is defined as name, address, email address, SS#, telephone number, • Any other identifier that the FTC determines identifies an individual, or • Information that is maintained with or can be searched by means of the data above • 2002 OPPA had a category for sensitive PII that included: health, financial, ethnicity, race, political party affiliation, sexual orientation • There is no special treatment for sensitive PII in the 2003 version of OPPA David Baumer, ALSB, 2003

  5. EU Law: PII and Special PII • In the 1995 Information Directive PII is defined as: • Any information relating to an identified or identifiable natural person; • An identifiable person is one who can be identified, directly indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, psychological, mental, economic or cultural or social identity David Baumer, ALSB, 2003

  6. EU Law: PII and Special PII • In the 1995 EU Directive, Special PII (categories of data) includes: • Racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and processing data concerning health and sex life. • The 1995 EU Directive makes processing such data illegal in Member States with some exceptions for • enforcement of employment law, data gathering by political, philosophical, or religious organizations • Data made public by the data subject or in connection with legal claims David Baumer, ALSB, 2003

  7. Comparing EU and US Privacy Law • To date there is no comprehensive law in the US protecting online privacy • Exceptions occur in health information (HIPAA), financial information (GLB), and information acquired from children (COPPA) • During the last few years, Members of Congress have introduced various bills that would, if adopted, comprehensively regulate web sites and service providers to ensure the privacy of online users David Baumer, ALSB, 2003

  8. Comparing EU and US Privacy Law • If OPPA was enacted into law it would basically require web sites and online service providers to adhere to the FIPs • Notice, choice, access, security, and remedies • The FIPs were composed in 1973 • The FTC has advocated that web sites adhere to the FIPs for several years, but adherence is not mandatory David Baumer, ALSB, 2003

  9. Notice Requirements • Currently under US law, firms (web sites and online service providers) can collect PII without notifying users • In general, most web sites have accessible privacy policies so complying with this portion of OPPA would not be much of change for most businesses • HIPAA, GLB, and COPPA are exceptions which do require notice David Baumer, ALSB, 2003

  10. Notice Requirements • EU Law does require that data subjects be notified if an organization is collecting PII about the person • Identity of the controller, his representative • Purposes of the processing • Any further information such as • Recipients or categories of recipients • Existence of right of access and right to rectify • Users must be notified if cookies are being attached under the 2002 EU Directive David Baumer, ALSB, 2003

  11. Notice Requirements • EU or OPPA regulations would not change some US commercial practices • Notice could be accomplished by hyperlinks to privacy policies on web site home pages • Cookies are routinely attached in the US without separate notice David Baumer, ALSB, 2003

  12. Consent/Choice • The second FIP requires that data subjects should have a choice as to whether their PII is collected, used, or transferred • Not currently part of US law, with the same three exceptions mentioned earlier • If OPPA was enacted, collectors of PII would be required to obtain consent • OPPA essentially requires that users be given a non-burdensome and understandable opt-out David Baumer, ALSB, 2003

  13. Consent/Choice • The 2002 EU Directive requires that data processors (websites and online service providers) obtain consent • Before using information on the “private life of natural person…” • Basically an option to opt-out after full information is provided to them • Must erase traffic data it is used to complete the transaction for which the data was collected • Access to web sites can be conditioned upon willingness to accept cookies David Baumer, ALSB, 2003

  14. Access/Participation • In the U.S. as with notice and consent, • for most information that is collected, processed, or transmitted online, users • have no right to access the file or • participate in correcting inaccuracies • In some privacy policies access and rights to propose corrections exist—often hard to find • The 2003 version of OPPA would grant access but not the right to correct David Baumer, ALSB, 2003

  15. Access/Participation • EU Law does allow users • Access to data collected about them • If the information is inaccurate, users have the right to have errors erased or corrected and • If the information was transmitted to third parties, these third parties are required to be apprised that they received inaccurate information. David Baumer, ALSB, 2003

  16. Security and Integrity • For most web sites in the US, there is no statutory requirement to have adequate security for data that is collected, stored or transmitted • Three exceptions for health, finance, children • There are increasingly severe criminal sanctions that can be used against hackers under the CFAA • 2003 OPPA does require web sites and online service providers to use reasonable procedures to protect confidentiality of PII David Baumer, ALSB, 2003

  17. Security and Integrity • 2002 EU Directive • Requires providers of publicly available communications services to take appropriate technical and organizational measures to safeguard security • There is a recognition that threats to confidentiality often come from within an organization • There are some risks that providers are not willing to bear • In such cases, providers of networks must inform subscribers David Baumer, ALSB, 2003

  18. Enforcement and Redress • Current US law protects users through actions by the FTC • If a web site does not adhere to its stated privacy policy, it is considered an unfair and deceptive trade practice • There have been suits by state attorney generals for deceptive practices online • If OPPA was enacted into law, it is envisioned that state attorney generals and the FTC would continue to file suits for violations of OPPA • OPPA would not preempt state common law fraud suits David Baumer, ALSB, 2003

  19. Enforcement and Redress • The 2002 EU Directive requires member states to pass national legislation implementing the Directive by Oct. 2003 • There is no private right of action • National legislation requires police actions in for the form of ministers of data protection to take appropriate prosecutorial actions to enforce the Directive David Baumer, ALSB, 2003

  20. Implications • I sense little urgency on the part of US lawmakers to comprehensively regulate online privacy • EU countries seem committed to extensive statutory regulation of privacy • So far Safe Harbor Principles, fashioned by the US DOC have bridged intercontinental differences • It remains to be seen whether commercial practices in the US evolve—empirical research is warranted David Baumer, ALSB, 2003

More Related