
EU Privacy Directive — Coming To the US?

An anonymous reader writes "An article over at ComputerWorld implies that the EU Privacy Directive, or something like it, will soon be signed into law here in the USA. The author seems to think this is a good thing, but I'm not so sure. From the article: 'We've finally come to realize that self-regulation by industry hasn't worked. The states have stepped in, creating the same situation of conflicting regulation that led to the creation of the EU privacy directive. The only question now is if the law that comes out of Congress will be a small step strictly focused on breaches, such as S.239, or whether we take the bigger step of forming a permanent committee under the FTC to monitor privacy as outlined by S.1178. Either way, the U.S. is finally moving away from the fractured environment of the past and toward a comprehensive privacy strategy.' Is it time for a national privacy law or 'Privacy Czar', or are we better off letting things be?"
  • Re:Is it just me (Score:3, Informative)

    by Arancaytar ( 966377 ) <arancaytar.ilyaran@gmail.com> on Tuesday June 19, 2007 @07:09PM (#19572347) Homepage
    Egg? "Real vegetarian" does not mean "Vegan".

    ----

    As for worse things to be associated with than salads, try surgical procedures. Messy.
  • Re:Is it just me (Score:4, Informative)

    by whoever57 ( 658626 ) on Tuesday June 19, 2007 @07:32PM (#19572583) Journal
    What about the anchovy used in Caesar salad (either directly or as an ingredient of Worcestershire sauce)? That should put it off the list of edible foods for vegetarians.
  • Re:Is it just me (Score:3, Informative)

    by capnez ( 873351 ) on Tuesday June 19, 2007 @07:57PM (#19572787) Homepage Journal

    Incidentally, I just read my current issue of The Economist, and they have a leader (op-ed piece) about absurd titles. You can read it online at http://www.economist.com/opinion/displaystory.cfm?story_id=9339915 [economist.com].

    My favourite sentence from that piece: "What next? Führers, Caudillos, Duci, Gauleiters and Generalisimos must be due for a comeback."

  • by emm-tee ( 23371 ) on Tuesday June 19, 2007 @08:02PM (#19572853)

    No, I do not want the government monitoring my privacy. That is the exact opposite of privacy.
    You don't understand (or maybe you are a troll). The government doesn't monitor the individual. This is a set of rules to limit what organisations can do with information about individuals.

    I know almost nothing about the EU Privacy Directive, but I think the UK's Data Protection Act implements all or part of it, and I have a basic understanding of this. Please note my knowledge is very limited, there may be factual errors in my post, I'm not a lawyer.

    The Data Protection Act restricts what an organisation can do with any personal data (such as your address), which it processes.

    For example, the organisation:
    • can only use your data for the purposes stated when you gave them the data.
    • cannot keep much more data than is necessary for the purpose stated.
    • cannot pass your data on to a third party without your permission (this means that I get no junk post at all).
    • must ensure that any data they hold on you is accurate.
    • is not allowed to hold the information for longer than is necessary.
    • must keep the data secure.
    • may not export your data to a place where it is subject to less stringent privacy rules.
    • must provide you a copy of any data they have on you for a small fee (this is what allows people to request copies of closed-circuit television tapes they may appear in).


    See http://www.direct.gov.uk/en/RightsAndResponsibilities/DG_10028507 [direct.gov.uk] for more information.
  • HIPAA didn't work (Score:3, Informative)

    by r00t ( 33219 ) on Wednesday June 20, 2007 @12:36AM (#19574801) Journal
    Do I want to get the health insurance my employer subsidizes? Sure I do. The insurer makes that conditional on waiving my HIPAA rights. I guess they want to post my info on their web site (crap, they do!) and leave it where even the janitor can see it.

    I'm also easy to impersonate.

    Meanwhile, if she follows the law, my own wife has no ability to get the info. WTF?

    My blood relatives should be able to get inheritable disease records. People who lived with me during the past year should be able to get contagious disease records. Anybody sharing finances with me (or recently, as with an ex-spouse) should be able to get billing records.

    So HIPAA has pretty much made everything worse for me. I don't need more of the same.
  • by erik_norgaard ( 692400 ) on Wednesday June 20, 2007 @04:10AM (#19575943) Homepage
    The EU directive is very good when it comes to specifying what 3rd parties may do with private data and giving the citizen rights to control the use of such data:

    * The citizen may request information of what data is kept
    * The citizen may require incorrect data to be corrected
    * The citizen may require data to be deleted

    Further, data must not be shared with states outside the EU unless the EU has recognized these as providing adequate protection of personal data. The US is not on the list (but Canada is), which is the reason for the current conflict over passenger data on transatlantic flights.

    But the EU directive lacks one thing: supervision. There are no controls implemented, no prior certification of data processing entities, no posterior audit to ensure that data protection is adequately implemented, not even common standards on how data must be protected. AND, there is no obligation to publicly announce data breaches.

    Certifying data processing entities and then granting these authorization to handle data is cumbersome and expensive and won't ever happen - fine. But, some control system should be established, and standards or guidelines should be made. Why is there no requirement to encrypt personal data when stored in a non-controlled environment (say mobile devices) and not in use?

    And after the data retention directive, which seems also to be on the road into US law, why did they not set strict requirements on protection of these data to ensure that they are only available for the purpose of the retention - investigation of terrorism? Why may companies retain such traffic data and store it unencrypted?

    At the very least, we could learn from the many US states that require companies to advise customers about data breaches and risk of abuse.
  • Re:A good thing (Score:1, Informative)

    by Anonymous Coward on Wednesday June 20, 2007 @06:46AM (#19576729)
    No, it's simpler. We (almost) all have ID cards. Here identity theft is almost impossible, and if it's done it's very easily demonstrated in court.
