As Congress weighs new laws to regulate how businesses gather, store, share, and secure consumer data, should it take a page from the tough, consumer-focused privacy protections already in place in the European Union?
Notably, all of the 27 EU member states have implemented EU-wide privacy directives–through national legislation–which offer a strong model for protecting people’s online privacy, including obtaining their consent before using any personal data, storing that data securely, and letting people view and correct the data collected about them.
Although those protections are stronger than what’s now on offer for U.S. consumers, “it’s where the rubber meets the road that makes a difference,” says Christopher Wolf, director of the privacy and information management practice at law firm Hogan Lovells and co-chair of the Future of Privacy Forum. “It’s whether the protections are enforced, and whether companies are paying attention to them.”
In fact, even though EU countries have privacy laws on the books, enforcement can be a mixed bag, even a bit flaky. For example, prosecutors in Italy convicted three Google executives of privacy law violations because someone else uploaded an offensive video to its YouTube. They’ve also pursued cases involving people’s “right to be forgotten,” including a case involving Google links to an allegedly defamatory newspaper story, as well as a case featuring the unflattering results sometimes generated by Google auto-complete.
Deduplication at the disk and network level makes it easier to store critical information in your DR environment.
Discover how to use deduplication to optimize DR.
“Without evaluating the merits of any of those things, they don’t appear to be mainstream privacy issues that affect vast numbers of people,” Wolf says.
In the United States, the situation is different. “We have a lot more enforcement against violations of the various laws, which really does serve to create a vigilant regime in companies,” Wolf says. For example, HIPAA enforcement actions have been increasing of late, and he predicts compliance levels will follow suit. Likewise, he points to a study from University of California at Berkeley researchers which found that data breach notification laws in particular are driving companies to take privacy much more seriously, not least by adding chief privacy officers.