Contrasting Views on Data Privacy
The Sunday New York Times "Week in Review" has an interesting article (subscription req'd), comparing the very different legal frameworks for privacy protection in the US and the EU (and much of the rest of the world ).
The article suggests that, in the US, 2005 is the "year of the consumer privacy breach" -- as the "personal information" for 50 million consumers "has been lost, stolen and even sold to thieves."
Things are different in Europe, the article notes:
One reason may be that every other Western country has a comprehensive set of national privacy laws and an office of data protection, led by a privacy commissioner.The United States, by contrast, has a patchwork of state and federal laws and agencies responsible for data protection.
"In Europe, the question has been settled: citizens have strong legal rights," said Joel R. Reidenberg, a Fordham University law professor who is an expert on international data privacy rules. "In the United States, we basically have a mess, and we are still trying to sort it out."
In the US, laws restrict government collection and use of personal data; in Europe, the comprehensive privacy regulatory structure restricts the private sector's collection and use of such information. This is because: "In general, Americans are far more comfortable than Europeans with business handling their information, and far more skeptical of putting it in government hands. The tradition of making government records - like tax records, mortgage information and census data - easily accessible to the public is uniquely American." Thus, "American businesses are given relatively free rein to collect and sell information."
Interestingly, while the Europeans proclaim privacy to be a personal right of the consumer and, on paper, ample protections apparently exist, we know very little about how often European privacy breaches occur, or how serious they have been, because EU regulators quietly discipline companies when these problems arise. Data breach disclosure obligations, now being imposed by an increasing number of US states, coupled with class-action lawsuits and corporate fines, have no counterpart in European law.
"We don't know how often or how serious any breach of the E.U. directive actually has been because there is no need to disclose," said John Holland, an executive in charge of Europe and the Middle East regions for Cybertrust, a global security firm.
The article concludes with a warning, comparing "the current situation to the stock market meltdown after the 1929 crash," which led to the creation of the SEC and various financial disclosure and accounting reforms. The need to safeguard sensitive data, Professor Reidenberg says, "will necessitate the United States focusing on the legal way we structure information processing, just like we needed to do in the 1930's to put the economy back on stable footing."
Of course, the disparate treatment of data privacy between the U.S. and other countries can cause headaches for multinational corporations, and even domestic corporations who do business with foreign customers, especially over the Internet. Businesses must take heed not just of the legal implications of such transactions, but also the potential impact on corporate goodwill of not being sensitive to the cultural expectations of foreign customers.