Who has better privacy laws: USA or European Union?

Filed Under: Data loss, Featured, Law & order, Privacy


A recent article by PCWorld proposed a bill of rights for digital consumers. Many of the rights focus on reasserting control over how companies manage and use our personal data and digital assets.

Key suggestions include the following:

  • reasonable protection of your data and digital assets, with compensation for their loss or theft
  • a right to 'quit' a service, allowing you to transfer your data to another provider
  • a 'right to know' what is being done with your data, informing you about whether it is being shared with or given to third parties (such as governments or companies).

A common way that companies communicate these terms is through privacy policies. Sadly, privacy policies are often convoluted and unclear. Even if you plough through the legalese, you are rarely in a position to renegotiate terms anyway. If you don't agree, you can't use the service, and that's that.

The thing to note here is that this PCWorld article was written from a US perspective. It struck me how many of the rights suggested already exist, or are at least on the horizon, in Europe.

Privacy and data protection in the EU today

Probably the most important information privacy legal tools in the EU are the EU Data Protection rules, the 1995 Data Protection Directive (DPD) and the amended 2002 Privacy and Electronic Communications Directive (PECD).

These include comprehensive rules for public and private bodies on access rights, user consent, data minimisation requirements and many good governance obligations on data controllers.

Enforcement of these rights is through adjudication by the European Court of Justice. In the UK, that's the job of the underfunded Information Commissioner's Office.

Broader privacy protections exist within the European Convention on Human Rights and EU Charter of Fundamental Rights.

It is true that new technologies can often challenge, and even frustrate, established legal norms, but at least we have a comprehensive system of rules in place.

For example, the growth of online connectivity, networked services and ubiquitous computing has seriously challenged pre-internet definitions of consent and personal data in the Data Protection Directive (DPD).

The advisory Article 29 Working Party does provide EU Member States with some guidance on data protection law compliance for new online technologies, such as behavioural advertising, but wholesale reform of the pre-existing DPD was of course still required.

Last month, the EU Commission released its draft data protection reforms. What is notable is that the Data Protection Directive has been replaced with an EU Regulation. This harmonisation measure means the law, if passed, will be directly enforceable across all 27 EU member countries, unlike a Directive, which has to be adopted into national law by each country.

The shiny new law will introduce pro-consumer rights, including a broader interpretation of what data is personal, a demand for 'explicit' consent for data processing, a right to be forgotten, a right to object to data profiling, and a requirement for greater portability of electronic data.

Plus, in respect of data loss, there are new 24-hour data breach notification obligations.

So for consumers, this law provides rights that are fit for the internet age. Industry and government might however regard them as creating a bigger burden. These higher standards may impact US companies involved in marketing services, like cloud computing, to EU customers.

The new higher standards will likely also expose further inadequacies in the voluntary "US-EU Safe Harbor program", when EU personal data is processed in the US.

EU head and shoulders above the US

In the US, the data protection picture is more fragmented, with use of industry self-regulation, sector-specific standards (for finance, children's rights, federal bodies and healthcare), and state-level rules. Broad constitutional privacy protections in the Fourth Amendment exist too.

The US Federal Trade Commission plays an enforcement role, has privacy guidelines, and pushes initiatives like Do Not Track for online marketing.

But there is no single body with a sole data protection focus in the US.

And perhaps European consumers should be really thankful for their comprehensive standards of data protection. Although not perfect, the EU system is head and shoulders ahead of what the US is currently offering its residents.

Image of EU thumbprint courtesy of Shutterstock
Image of US thumbprint courtesy of Shutterstock
Image of privacy wordle courtesy of Shutterstock


2 Responses to Who has better privacy laws: USA or European Union?

  1. John Lincoln · 919 days ago

    Good afternoon, Lachlan. And in addition to the above points, and on top of the Data Protection Act 1998, an amendment should be considered that the rights of the individual should include complete removal of information from a database. Apparently very few companies have methods for removing data, even though that data is held in unencrypted format. Tesco say they will remove data, but will not confirm deletion, ASDA will over-write an account, but not remove it, ASDA direct have no method of removing or over-writing an account.

  2. Sharp · 918 days ago

    @John
    The issue of removing data is costly. Say a customer decides they no longer want a service and requests their info removed. So the company deletes all their account info. 4 months later the customer decides to file a lawsuit saying they were taking money from them without consent. What information does the company hold to prove that it was legit, since 4 months down the road the data can no longer be retrieved from a backup? How will you go back and review records and legitimacy? I don't know what the laws are on timely filing, but I know there will be a lot of people who attempt to use this as a means of getting money back through loopholes.

    How do you think the company got your data? You personally supplied it to them, or some other organization that you supplied this data to works with this secondary company, and you agreed to their terms. I agree that any site that is not charging you for services, but somehow has your data, should be required by law to delete the data per user request, but it's a different story if you paid them at any point in time.

About the author

Lachlan Urquhart is a legal academic from Edinburgh, Scotland who has completed an LL.B at the University of Edinburgh and recently concluded a postgraduate LL.M in Information Technology and Telecommunications Law at the University of Strathclyde. For more articles from Lachlan, visit his blog.