EU and US Privacy Law - PowerPoint PPT Presentation
Presentation Transcript

EU and US Privacy Law

David L. Baumer

North Carolina State University

College Of Management

David Baumer, ALSB, 2003


Comparing EU and US Privacy Law

  • In this paper we compare current US and EU Privacy law

    • We also compare the 2002 EU Directive on Privacy and Electronic Communication and the 2003 version of OPPA (Online Privacy Protection Act)

    • Paper is organized around the Fair Information Practices (FIPs)

Comparing EU and US Privacy Law

  • The 2002 EU Directive requires national legislation by Member States to implement it by Oct. of 2003

  • The latest version of OPPA (H.R. 69) is considerably stripped down from earlier versions

    • It does not have two layers of protection for PII, that is, merely identifying but not private information, and

    • Sensitive PII, such as ethnicity, sexual orientation, religion, and political affiliations

US Law: PII and Sensitive PII

  • 2003 OPPA

    • PII is defined as name, address, email address, SS#, telephone number,

      • Any other identifier that the FTC determines identifies an individual, or

      • Information that is maintained with or can be searched by means of the data above

  • 2002 OPPA had a category for sensitive PII that included: health, financial, ethnicity, race, political party affiliation, sexual orientation

    • There is no special treatment for sensitive PII in the 2003 version of OPPA

EU Law: PII and Special PII

  • In the 1995 Information Directive PII is defined as:

    • Any information relating to an identified or identifiable natural person;

    • An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, psychological, mental, economic, cultural or social identity

EU Law: PII and Special PII

  • In the 1995 EU Directive, Special PII (categories of data) includes:

    • Racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and data concerning health and sex life.

    • The 1995 EU Directive makes processing such data illegal in Member States, with some exceptions for

      • Enforcement of employment law, and data gathering by political, philosophical, or religious organizations

      • Data made public by the data subject or processed in connection with legal claims

Comparing EU and US Privacy Law

  • To date there is no comprehensive law in the US protecting online privacy

    • Exceptions occur in health information (HIPAA), financial information (GLB), and information acquired from children (COPPA)

    • During the last few years, Members of Congress have introduced various bills that would, if adopted, comprehensively regulate web sites and service providers to ensure the privacy of online users

Comparing EU and US Privacy Law

  • If OPPA were enacted into law, it would basically require web sites and online service providers to adhere to the FIPs

    • Notice, choice, access, security, and remedies

    • The FIPs were composed in 1973

  • The FTC has advocated that web sites adhere to the FIPs for several years, but adherence is not mandatory

Notice Requirements

  • Currently under US law, firms (web sites and online service providers) can collect PII without notifying users

    • In general, most web sites have accessible privacy policies, so complying with this portion of OPPA would not be much of a change for most businesses

    • HIPAA, GLB, and COPPA are exceptions which do require notice

Notice Requirements

  • EU Law does require that data subjects be notified if an organization is collecting PII about the person

    • Identity of the controller or his representative

    • Purposes of the processing

    • Any further information such as

      • Recipients or categories of recipients

      • Existence of right of access and right to rectify

    • Users must be notified if cookies are being attached under the 2002 EU Directive

Notice Requirements

  • EU or OPPA regulations would not change some US commercial practices

    • Notice could be accomplished by hyperlinks to privacy policies on web site home pages

  • Cookies are routinely attached in the US without separate notice

Consent/Choice

  • The second FIP requires that data subjects should have a choice as to whether their PII is collected, used, or transferred

    • Not currently part of US law, with the same three exceptions mentioned earlier

    • If OPPA were enacted, collectors of PII would be required to obtain consent

      • OPPA essentially requires that users be given a non-burdensome and understandable opt-out

Consent/Choice

  • The 2002 EU Directive requires that data processors (websites and online service providers) obtain consent

    • Before using information on the “private life of natural person…”

    • Basically an option to opt-out after full information is provided to them

      • Must erase traffic data once it has been used to complete the transaction for which the data was collected

      • Access to web sites can be conditioned upon willingness to accept cookies

Access/Participation

  • In the U.S., as with notice and consent, for most information that is collected, processed, or transmitted online, users have

    • no right to access the file, and

    • no right to participate in correcting inaccuracies

  • In some privacy policies, access and rights to propose corrections exist, but they are often hard to find

  • The 2003 version of OPPA would grant access but not the right to correct

Access/Participation

  • EU Law does allow users

    • Access to data collected about them

    • If the information is inaccurate, users have the right to have errors erased or corrected and

    • If the information was transmitted to third parties, these third parties are required to be apprised that they received inaccurate information.

Security and Integrity

  • For most web sites in the US, there is no statutory requirement to have adequate security for data that is collected, stored or transmitted

    • Three exceptions for health, finance, children

    • There are increasingly severe criminal sanctions that can be used against hackers under the CFAA

    • 2003 OPPA does require web sites and online service providers to use reasonable procedures to protect confidentiality of PII

Security and Integrity

  • 2002 EU Directive

    • Requires providers of publicly available communications services to take appropriate technical and organizational measures to safeguard security

      • There is a recognition that threats to confidentiality often come from within an organization

      • There are some risks that providers are not willing to bear

        • In such cases, providers of networks must inform subscribers

Enforcement and Redress

  • Current US law protects users through actions by the FTC

    • If a web site does not adhere to its stated privacy policy, it is considered an unfair and deceptive trade practice

    • There have been suits by state attorneys general for deceptive practices online

    • If OPPA were enacted into law, it is envisioned that state attorneys general and the FTC would continue to file suits for violations of OPPA

      • OPPA would not preempt state common law fraud suits

Enforcement and Redress

  • The 2002 EU Directive requires member states to pass national legislation implementing the Directive by Oct. 2003

    • There is no private right of action

    • National legislation requires policing action in the form of ministers of data protection taking appropriate prosecutorial action to enforce the Directive

Implications

  • I sense little urgency on the part of US lawmakers to comprehensively regulate online privacy

    • EU countries seem committed to extensive statutory regulation of privacy

    • So far, the Safe Harbor Principles, fashioned by the US DOC, have bridged intercontinental differences

    • It remains to be seen whether commercial practices in the US evolve; empirical research is warranted
