
EU Privacy Directive — Coming To the US?

An anonymous reader writes "An article over at ComputerWorld implies that the EU Privacy Directive, or something like it, will soon be signed into law here in the USA. The author seems to think this is a good thing, but I'm not so sure. From the article: 'We've finally come to realize that self-regulation by industry hasn't worked. The states have stepped in, creating the same situation of conflicting regulation that led to the creation of the EU privacy directive. The only question now is if the law that comes out of Congress will be a small step strictly focused on breaches, such as S.239, or whether we take the bigger step of forming a permanent committee under the FTC to monitor privacy as outlined by S.1178. Either way, the U.S. is finally moving away from the fractured environment of the past and toward a comprehensive privacy strategy.' Is it time for a national privacy law or 'Privacy Czar', or are we better off letting things be?"
  • Is it just me (Score:3, Insightful)

    by kensai ( 139597 ) on Tuesday June 19, 2007 @06:21PM (#19571763) Homepage
    or has this whole "Czar" thing been way overused.
    • by WrongSizeGlass ( 838941 ) on Tuesday June 19, 2007 @06:23PM (#19571777)

      or has this whole "Czar" thing been way overused.
      Yes. Yes it has.

      I believe Czar is a Native American word meaning destined for failure.
      • by PhxBlue ( 562201 ) on Tuesday June 19, 2007 @07:26PM (#19572517) Homepage Journal

        I believe Czar is a Native American word meaning destined for failure.

        Y'know, based on my knowledge of history, I'd have to guess it means the same thing in Russian.

        • by jd ( 1658 )
          I thought it was Russian for "he who sneezes whilst smoking Cuban imports".
        • The Czars ruled the Russian Empire with iron hand for centuries surrounded by luxuries, I wouldn't call it a failure.
        • by gkhan1 ( 886823 )

          You could take that logic even further. Czar comes (like most European words for "emperor") from the name Caesar (as in "I am Gaius of the Julii, called Caesar!"), and we all know what happened to him*!

          A more appropriate term would be "Augustus", as in "Privacy Augustus", as in "I ruled for more than 40 years, brought peace and founded the most powerful empire the world has ever seen. Bitches!"

    • Re: (Score:3, Interesting)

      by RedElf ( 249078 )
      Hold up a second, they're just trying to be like Caesar [wikipedia.org] (except with bad spelling) too bad they didn't read the history books to see what happened to him.
      • by WrongSizeGlass ( 838941 ) on Tuesday June 19, 2007 @06:39PM (#19571997)

        too bad they didn't read the history books to see what happened to him.
        He had a salad named after him?
        • ... he has a bolt through the c*ck named to him, don't guess that was his dying last wish; A salad sure sounds better to me.
      • Re:Is it just me (Score:4, Insightful)

        by Bellum Aeternus ( 891584 ) on Tuesday June 19, 2007 @07:37PM (#19572613)
        Czar is an English spelling of a Russian word meaning caesar - which means autocrat. So what they're saying when they label somebody a czar is that he's a leader who's above the law and with absolute authority. Seems to me, that in the "free" West, terms like czar should be avoided for so many reasons.

        I mean what western leader thinks he's above the law... oh right.

        Anyways, why not follow the British example and refer to everyone as a minister?
        • by mike2R ( 721965 )

          Anyways, why not follow the British example and refer to everyone as a minister?

          Actually we have "Czars" as well (although I presume we copied the idea from somewhere else). I think the idea is that a Czar is someone given complete authority to deal with a particular issue, or at least that's what it is meant to sound like.

          Also a minister in the UK must be a member of parliament.

        • by pjt33 ( 739471 )
          A British minister is roughly the equivalent of a US Secretary (of State, of the Treasury, etc). The British equivalent of "Privacy Czar" is the Information Commissioner.
        • Czar, Caesar or Kaesar means emperor.
        • Just to make one thing clear here: "Czar" comes etymologically from "caesar", just like the German word "Kaiser". Both mean "emperor". And emperors are (usually) autocrats. But that doesn't mean that every word related to "caesar" means autocrat.

          And not even all emperors are autocrats. I believe Japan's power is firmly in the hands of a democratically elected government nowadays, for example. Just like kings and queens aren't autocrats anymore.

      • They are derived from exactly the same word, they just took different routes to get to English.
      • Not Czars=Caesar
        NotNot who's there? I don't know, Who?
        Who's the guy in the picture with Bush in China?
        Putin Bush is in the other picture in Russia.
        I don't know, who is putin in a bush in Russia or China in a picture.
        At least a picture doesn't stink up everyplace making it unbearable, and unlivable.

        I hope there is never a passport required to leave this earth.
        I keep my towel close, my thumb up, and my beer mug full ... hoping to escape before any other elections.

        REMEMBER, I am an old guy ..., I don't know wh
    • Re: (Score:3, Informative)

      by capnez ( 873351 )

      Incidentally, I just read my current issue of The Economist, and they have a leader (op-ed piece) about absurd titles. You can read it online at http://www.economist.com/opinion/displaystory.cfm?story_id=9339915 [economist.com].

      My favourite sentence from that piece: "What next? Führers, Caudillos, Duci, Gauleiters and Generalisimos must be due for a comeback."

      • Yeah, all the tsars (tsarii?, tsaruses?) seem to be kinda stupid.

        Still wouldn't mind being the "nipple tsar". I mean, somebody (apparently) has to do it.

    • or has this whole "Czar" thing been way overused.

      It's just there in an attempt to make every libertarian reading this story go into a screaming rage about evil government controls, and start posting flamebaits like crazy. Slashdot needs discussion to generate ad revenue, you know. Besides, political discussions provide the most insightful comments and the creationism-bashing flamebaits provide the most amusing perversions of science and logic (on both sides).

      That said, it is a pretty sad attempt.

  • by Anonymous Coward on Tuesday June 19, 2007 @06:22PM (#19571775)
    ...ever makes it into US law (if ever), it will be so watered down and ineffective that it might as well not even exist. The corporations who now run the USA will not stand for it.
    • Re: (Score:3, Insightful)

      "We've finally come to realize that self-regulation by industry hasn't worked."

      This is some serious disinformation here. Self-regulation by the tech industry worked just fine until the government began allowing business and corporate interests to affect its subsidies, grants, and funding. It was in the transferral of the power to self regulate from the researchers who created the technology to the Wall Street entities which began government appointed overseers and distributors of the technology that the ability to self-regulate was lost.

      There is no problem with self-regulation in t

      • This is some serious disinformation here. Self-regulation by the tech industry worked just fine until the government began allowing business and corporate interests to affect its subsidies, grants, and funding.

        I think you meant to put a colon after the word here. It makes more sense that way.

        I mean, do you honestly believe that there has ever been some mythical time in US history in which businesses happily kept to themselves and acted like gentlemen in the best interests of their customers before some swi
    • by msauve ( 701917 ) on Tuesday June 19, 2007 @06:59PM (#19572227)
      if you read the bill, it's nothing like the EU privacy laws. The EU laws protect a person's privacy, requiring their permission to disclose personal information (among other things).

      The US bill does nothing to prevent a corporation from deliberately disclosing whatever they want to whomever they want - it's focused exclusively on securing those transactions from third parties.

      The law is summed up in this paragraph:

      A covered entity shall develop, implement, maintain, and enforce a written program for the security of sensitive personal information the entity collects, maintains, sells, transfers, or disposes of, containing administrative, technical, and physical safeguards

      I have a thing about my Social Security number - I only give it to those who require it to fulfill legal mandates. That includes my employer, who has decided (without my permission, and despite my express denial) to give it to a health care provider. This proposed law does nothing to prevent that.

      I want them to be prevented from "selling or transferring" my confidential information, without my voluntary consent (no consent as a condition of employment, etc.).
      • by overshoot ( 39700 ) on Tuesday June 19, 2007 @07:06PM (#19572315)

        The US bill does nothing to prevent a corporation from deliberately disclosing whatever they want to whomever they want - it's focused exclusively on securing those transactions from third parties.
        That is, as you point out, the whole purpose of the Act. It's not "watered down" -- it's specifically designed to enable exactly what you cite (letting corporations do whatever they damn well please with your personal data) without interference from annoying State privacy laws.
        • Re: (Score:3, Insightful)

          by jandersen ( 462034 )
          As a European I take it for granted that my privacy is completely my own, and it seems obvious that I have to give written permission for anybody else to use my data - even government agencies. And that is one of the things about America that I really dislike - it is as if the only thing that matters in America is big money, and whatever big money wants, it gets. Just take the outrage of Microsoft trying to change legislation in the US, which I read about here on /. - the reactions of my colleagues here in UK
          • "As a European I take it for granted that my privacy is completely my own, and it seems obvious that I have to give written permission for anybody else to use my data - even government agencies."

            Except for data gathered about you as you move about the city during your days? I guess where you go and when isn't something you take as a privacy matter....completely ok to let yourself be monitored at all times by CCTV, eh? Or, do they ask you for your written permission anytime some constable wants to review t

      • by ducomputergeek ( 595742 ) on Tuesday June 19, 2007 @07:19PM (#19572443)
        I've been asked for my SSN before on job applications and have told them, I'll put it on a W-4 when hired and you can't force me to give it to you because by law the only people I am required to give it out to is the Federal Government.

        Maybe one reason why I had trouble finding a job right out of college.

      • by jimicus ( 737525 )
        The EU laws protect a person's privacy, requiring their permission to disclose personal information (among other things).

        AFAIK, however, they don't prevent a business from making "you granting them permission to disclose information however they please" from being a condition of doing business with them.

        All you wind up with is that the organisations who you really don't want being cavalier with such information (like banks) hiding a clause in the small print which broadly says "We may ship your data to thir
  • Given the history of regulatory agencies (see the history of the Interstate Commerce Commission for starters), just how long will it be before the new regulators end up captive to the industries they regulate?

    There's a line in the movie "Absence of Malice" which sums up the problem of government regulators very neatly, even if it wasn't intended that way: "Have you given any thought to what you'll do after government service?"
    • This is precisely why, as much as I hate to say it, lawsuits have their place. Don't regulate our privacy - make it a civil offense to invade it and let the bloodsucking attorneys provide the penalties. Dollars are the blood of corporations - rightfully suing for the damage they do will either cause them to change their ways or at least compensate their victims. I'm not against using civil suits to inflict the necessary pain to limit corporate misbehavior.
      • Good luck trying to find an attorney to take the case of someone with the average income against a Microsoft-sized company. Even if they do take it, they're going to need a SHITLOAD of their own money to pay for the case out of pocket, as it will soon consume most of their time.
  • by ShadeTC ( 58886 ) on Tuesday June 19, 2007 @06:26PM (#19571831)
    I think in general privacy laws and government regulation of privacy is a good thing. The problem with self-regulation of privacy is that personal information is a lucrative commodity. It is hard to get companies to do what's right when most people don't even realize how much information they are giving up or what their rights are. I think well crafted legislation can provide a good framework for companies to better their privacy policies as well as provide redress for consumers who are adversely affected by bad policies. Good laws also provide a way for privacy advocacy groups to benchmark companies by providing a baseline as well as providing standards to hold companies to.

    The key here will be that the laws need to be broad enough to deal with the rapidly changing business methods as well as provide room for companies to try different methods of achieving the results. At some point you can push companies far enough that they will then try to advertise on how great their privacy is versus some other company, so it's good to set the bar and allow companies to rise above it as well as just meeting it.
  • Depends (Score:3, Interesting)

    by TubeSteak ( 669689 ) on Tuesday June 19, 2007 @06:28PM (#19571857) Journal
    Printer Friendly:
    http://www.computerworld.com/action/article.do?command=printArticleBasic&articleId=9024784 [computerworld.com]

    Anyways, it doesn't matter what the US signs into law if there is no meaningful oversight, penalties and enforcement.

    I also can't imagine that the business lobby isn't going to scream and shout about the expense involved with implementing true EU style reforms.

    One alternative to all these expensive-to-implement laws is to make it an opt-in industry. By the time they're done culling out all the people who don't want to be in the database (a one-time event), EU style privacy laws won't cost all that much to implement.
    • Re: (Score:3, Interesting)

      by zCyl ( 14362 )

      Anyways, it doesn't matter what the US signs into law if there is no meaningful oversight, penalties and enforcement.

      It can, actually. If the American people believe they have a legal right to privacy, and expect it, then eventually oversight, penalties, and enforcement will come around, even if they don't start out in place.

      Sometimes we have to aim for gradual cultural shifts if we can't immediately obtain sweeping and effective legislation.
  • appointed, whatever program comes to a screeching failure. Think Drug Czar, Iraq War Czar, etc.
  • In most countries there will hopefully be just enough people exercising their rights under this kind of legislation to compel all concerned to comply. That's mostly what this sort of thing is about. The OP is a fool.. this *is* 'a good thing'.
  • by DimGeo ( 694000 ) on Tuesday June 19, 2007 @06:40PM (#19572005) Homepage
    And pigs can fly. Not a snowball's chance in hell that this could happen! Restricting business? How dare they! :)
  • by lawpoop ( 604919 ) on Tuesday June 19, 2007 @06:45PM (#19572065) Homepage Journal

    The author seems to think this is a good thing, but I'm not so sure.
    What exactly is the problem, AC? We don't need a government function actually serving the interests of the average consumer, instead of large corporations? It will become another bloated, ineffectual government bureaucracy that gets hijacked by industry, like the EPA and the FDA? This is a function that belongs on the state level, like the BBB?

    I was going to start to argue *for* another contender on the side of the little guy, but I think I just talked myself out of it.
    • by AuMatar ( 183847 )
      Nitpick- the BBB is not a state agency. It's a private agency, with corporations and businesses as voluntary members. It has no power, and really doesn't do jack shit- they put a little mark in a little file, occasionally ask someone to stop doing something, and give them a 50 dollar or so fine if they're one of the voluntary members. Maybe. They also happen to put out much harsher reports on non-members than dues paying members, but I'm sure that's a *total* coincidence.
      • by lawpoop ( 604919 )
        Thanks for the information. I wondered about that, after I hit the submit button, of course. But, another nitpick: I only said they were a state level entity ( they *are* state-by-state, aren't they? Or is there a national BBB?), not that they were a government agency ;)
  • by siddesu ( 698447 ) on Tuesday June 19, 2007 @06:51PM (#19572119)
    in the past, as near as maybe 20-30 years ago, privacy was not a huge issue, because it wasn't so easy and cheap to amass data. of course, files on people have always existed, but they were specialized and compartmentalized, and not easy to correlate and analyse. nevertheless, some governments (mostly associated with ex-communist countries) are known to have excelled at collection, storage and retrieval of files on people, even if they only used paper. these files were very successfully used to make people behave in certain ways.

    now, when there is the technology to collect, store and correlate all kinds of data about very many people by just about any entity with a minor budget, and there are no clear rules about what is okay and what is not, it is easy for the individual to be a target of abuse by a more powerful group (be that government, a large company, or some foundation), and it is almost impossible for the individual to counter-balance such groups, as data collection seems, in the absence of rules, quite legal, and, depending on the profile, the person may not be in a position to make a strong stand. so, it is pretty obvious that some levelling of the playing field is in order, and that it should be made a law, so that it has teeth.

    to me the reasonable minimum would be the ability of a person to see the information an entity has amassed on them, and to be able to remove parts of their profile or (that being un-possible for some reason) the whole profile at any time, at least from a private organization. exceptions from that rule should be considered carefully, and introduced on a demonstrated need basis.

    this will probably kill a few tabloid publications, and decrease the availability of movie star pictures on the internet though :(
  • Preemption (Score:3, Insightful)

    by overshoot ( 39700 ) on Tuesday June 19, 2007 @07:02PM (#19572265)
    Like the (you) CAN-SPAM and the new (you can) SPY Acts, the main point of both bills is the preemption of (effective) State laws. By pulling all enforcement into a single Federal authority and removing private rights of action, it becomes much less important for the drafters to include explicit language neutering the nominally-beneficial provisions of the legislation.

    Done right, these laws get the Legislature some headlines for the voters while effectively insulating the campaign contributors from the risk of being held liable for doing what the Act theoretically prohibits.

    Thought experiment: what would either Act have done in the case of HP spying on private parties?

  • by J'raxis ( 248192 ) on Tuesday June 19, 2007 @07:11PM (#19572371) Homepage
    Just wait. This will be an attempt to stealthily pass a bunch of anti-privacy legislation, such as data-retention laws.
  • Privacy laws were partly the cause of the VT shootings. That's simplifying it a bit, I know, but this is one of those things that I don't think can go both ways in my book. If we agree that privacy is a good thing, then sorry, events like VT could happen again because of the inability of sharing data. (And with the coming national ID cards and such, I really like the idea of having some strong privacy laws.)
    • So, are we supposed to all fall prostrate before the spectacle of the Virginia Tech shooting? Should we abandon our principles in the face of the masses of innocent college students who would get gunned down because we wanted unconscionable things like human rights and basic liberties? How long are people going to wave the students' bodies around on their own personal flagpole?

      You may as well argue about terrorism and child porn. Personally, I'm tired of emotive arguments. Hearing one is a pretty sure fire ac
  • Disclosing information should not be considered a crime, unless of course you are bound by contract not to disclose it. Similarly, grabbing information should not be considered a crime, unless of course you invade someone's property by doing it (breaking in one's house, trash, computer etc)
  • You mean a single point of contact that helps reduce the privacy of the common man, but makes damned sure the elected officials have it?

    No thanks.
  • by Allnighterking ( 74212 ) on Tuesday June 19, 2007 @07:51PM (#19572721) Homepage
    All too often laws are enacted with the best of intentions only to show that compliance with the law is a hollow shell of the desired objective. Case in point is something like the CanSpam directive. By giving you a link to a page that had all the correct bells and whistles to appear to allow you to de-list yourself, when it actually de-listed you from one list and listed you on 40 others, is the probable end result.

    How many times have you had a company ask for ridiculously invasive information for your protection. Similar results will be incurred here. Currently asking information is at best spotty in legality and because of this you have a certain level of push back available to you when they request it. (No I will not give my son's grade school his SSN) however once a law like this goes into play it creates an aura of safety that once an organization appears to comply with it, the loss of your personal data no longer is a high level of liability for them. As a result your privacy is reduced to a level of cookie cutter actions that never get questioned because, 'everyone knows it meets legal requirements'.
  • These laws don't make sense unless the countries/regions also want to deal with how the data is disseminated.

    I just got off the phone dealing with someone from my phone company's customer service centre... in India. He was very helpful, so don't get me wrong but... It was disconcerting to know he could check my credit card number. I am sure many/most offshore call centre's employees are honest, but I have to wonder about how this privacy crap matters when we allow corporations to send our private infor

  • "Hand all of your private information over to us, the Government, so we may protect it for you!"
    just wait wait for it..
  • HIPAA didn't work (Score:3, Informative)

    by r00t ( 33219 ) on Wednesday June 20, 2007 @12:36AM (#19574801) Journal
    Do I want to get the health insurance my employer subsidizes? Sure I do. The insurer makes that conditional on waiving my HIPAA rights. I guess they want to post my info on their web site (crap, they do!) and leave it where even the janitor can see it.

    I'm also easy to impersonate.

    Meanwhile, if she follows the law, my own wife has no ability to get the info. WTF?

    My blood relatives should be able to get inheritable disease records. People who lived with me during the past year should be able to get contagious disease records. Anybody sharing finances with me (or recently, as with an ex-spouse) should be able to get billing records.

    So HIPAA has pretty much made everything worse for me. I don't need more of the same.
  • The author of the original article clearly didn't read the S.1178, "A bill to strengthen data protection and safeguards, require data breach notification, and further prevent identity theft" [loc.gov], the bill they're citing. And nobody else here seems to have read it either.

    First, it's not anything like the European Privacy Directive. It has nothing to do with privacy. It's about leaks of information useful for identity theft and about credit reporting. It's actually another one of those bills designed to re

  • by erik_norgaard ( 692400 ) on Wednesday June 20, 2007 @04:10AM (#19575943) Homepage
    The EU directive is very good when it comes to specifying what 3rd parties may do with private data and giving the citizen rights to control the use of such data:

    * The citizen may request information of what data is kept
    * The citizen may require incorrect data to be corrected
    * The citizen may require data to be deleted

    Further, data must not be shared with states outside EU unless the EU has recognized these as providing adequate protection of personal data. US is not on the list (but Canada is) which is the reason of the current conflict over passenger data on transatlantic flights.

    But, the EU directive lacks one thing: Supervision. There are no controls implemented, no prior certification of data processing entities, no posterior audit to ensure that data protection is adequately implemented, not even common standards on how data must be protected. AND, there is no obligation to publicly announce data breaches.

    Certifying data processing entities and then granting these authorization to handle data is cumbersome and expensive and won't ever happen - fine. But, some control system should be established, and standards or guidelines should be made. Why is there no requirement to encrypt personal data when stored in a non-controlled environment (say mobile devices) and not in use?

    And after the data retention directive, which seems also to be on the road into US law, why did they not set strict requirements on protection of these data to ensure that they are only available for the purpose of the retention - investigation of terrorism? Why may companies retain such traffic data and store it unencrypted?

    At the very least, we could learn from the many US states that require companies to advise customers about data breaches and risk of abuse.
  • A good thing (Score:4, Insightful)

    by Kirth ( 183 ) on Wednesday June 20, 2007 @04:50AM (#19576167) Homepage
    Guess why the USA has such a tremendous problem with "identity theft"? A much bigger one than in Europe?

    Something which facilitates this is the missing privacy directive. Companies are much more careless with YOUR data if they can't be held accountable. This, of course, makes it easier for criminals to get your data.

    Well, it would be a good thing if they hadn't watered it down already..
    • Actually, the biggest difference between the US and the EU is WHO owns the data.
      In the US, the data belongs to the entity that collects it.
      In the EU, the data belongs to the person it represents.

      Once that difference sinks in, you'll see that all the rest is just a derivative of it.
      If the information belongs to you, the organizations collecting it need your authorization to do anything with it (especially share it) and are responsible if they lose it (as it belongs to you and they are only safe-keeping it).

      T
    • by sco08y ( 615665 )
      Guess why the USA has such a tremendous problem with "identity theft"? A much bigger one than in Europe?

      Do you have numbers behind that claim?

  • US data privacy laws are a bloody mess.

    In 1972, Elliot Richardson was the Sec'y of HEW under Nixon. He commissioned one of the first reports on data privacy, which was shaping up to be a great thing. Then he left to become Attorney General to provide some moral credibility during Watergate, and Cap Weinberger (the mentor of Don Rumsfeld and Dick Cheney among others) came in and gutted the report's recommendations.

    What was left was a report that said data privacy is a HUGE problem, and recommended a numbe
