Thursday, January 11, 2007

We Need to Update European Privacy Laws for the Information Age

The global flow of information is one of the most powerful trends of our age. Every time we use a mobile phone, a credit card, or the Internet, our information races across computers networks, and often around the globe. But many European privacy laws were designed for another era, before the Internet. These laws restrict the flow of personal data outside of Europe. It’s time to take a fresh look at technology trends and to update privacy laws. We should be able to protect privacy, without sacrificing the amazing benefits of global information flows.

Under the 1995 EU Data Protection Directive, it’s illegal to transfer personal data to a country that does not have “adequate” data protection, as defined by the European Commission. The Commission has taken the approach that only countries with a clone of European privacy laws (e.g., Hong Kong, Argentina, Guernsey) have “adequate” laws, while countries like the US, Brazil and Japan do not. Moreover, many privacy laws require a company to obtain prior approval from the local data protection authority to transfer data to a third country, even to its own subsidiary, despite the fact that the authorities are often over-worked and under-staffed, and sometimes need months to review a request for transfer.

Efforts to fix this conundrum have been well-intentioned, but remain unsatisfactory. Transfers of data from Europe to the US can be legalized under the so-called Safe Harbor Agreement, but that arrangement does nothing for data flows to all the other countries of the world. Another regulatory initiative, to impose “binding corporate rules” on companies so that they can transfer data within their corporate group, has become bogged down in the bureaucratic maze which requires companies to obtain separate approval from every data protection authority in Europe.

But the whole idea of regulating privacy based on restrictions on transfers of data across borders is obsolete. Increasingly, data lives in the Internet “cloud”. In other words, information and applications are migrating from the architecture of PCs and their mainframe servers to “cloud” computing, with information and applications hosted in cyberspace. And the total amount of information is exploding, as more people come online, as more information is digitized, and as more devices become Internet-enabled.

The key to protecting privacy for the Information Age is to make sure that people can control their data, wherever it is located: 1) they need to get clear notice about the privacy practices of companies that collect their data, 2) they need to be given meaningful choices about how their data will be used, and 3) they need to trust systems to provide a higher level of protection for sensitive data like credit card numbers and personal health information.

Today, a huge amount of effort is spent on regulating the transfers of data outside of Europe. But we should confront the bigger challenge of making sure that privacy is respected, regardless of its location. Yes, this will require better international collaboration amongst governments and companies across borders, and indeed, a flexibility to respect privacy regimes which may be different from our own. If companies and privacy regulators work together, we will certainly be able to develop a simple and unbureaucratic system to ensure that privacy is respected while data flows in the “cloud”. We’ll have to focus more on the key principles of privacy protection and international collaboration. Europe led the way on inventing privacy laws, and now we have a chance to lead the way on updating them for the Information Age.

1 comment:

Anonymous said...

Great post.

We're a US company contemplating collecting personal information for European subsidiaries of our US customers.

Can you provide any links to info regarding safe harbor agreements for European (including UK, France and Germany) data that we collect?