The EU and US Data Protection Approaches and their Sustainability - Essay Example

Summary
This essay describes different approaches that the United States and European Union have on data protection and data sustainability. The researcher focuses on comparison of the different approaches used by the US and the EU to protect individual’s personal data…

The EU and US Data Protection Approaches and their Sustainability
MN30281: Privacy, Trust and Security in Information Systems
Dr. Richard Kamm
School of Management, University of Bath

Introduction

The world is increasingly becoming data driven as information technology rapidly advances and spreads. The issue of data security has become the centre of reputation building for organizations and governments. Personal data, especially, has become so important that some scholars have termed it the currency of the information economy (Gutwirth, 2011). Individuals’ privacy hence becomes very important. Personal data is information about an individual who is either identified or identifiable (Maria, 2013). Armed with this information, organizations can gain comparative advantage over their competitors, as they can use it to make key decisions on consumer focus. However, of late data breaches have increased, and many individuals are complaining that their personal data is being used without their consent and to their detriment. Governments have thus started putting measures and legislation in place to enforce data protection practices.

The US and the EU are among the blocs that have been at the forefront of promoting data protection and hence privacy. The right to privacy is a fundamental human right (Warren and Brandeis, 1890). Whereas the US has no specific regulation scheme designed to regulate the collection, processing and transfer of personal information, the EU has one. The EU regulation scheme is known as the EU Data Protection Directive and was instituted in October 1995. All the member countries are signatories to it and apply the Directive by incorporating its provisions in their laws governing data protection (Kuner, 2003).
Victor (2013) notes that the US has been reluctant to institute a national omnibus framework, instead opting to regulate organizations by industry sector. This involves passing laws and acts that regulate data collection, storage, processing and dissemination. This reluctance has led some EU countries to perceive the US as having weaker data protection mechanisms because they are not explicit and centralized as in Europe (De Busser, 2009; Baumer, 2004). The US has also mounted a scathing attack on the EU Data Protection Directive, claiming that it is fast becoming outdated and that with time the practicability of implementing it will deteriorate (Bercic and George, 2009). Hereinafter, this paper looks at the different approaches used by the US and the EU to protect individuals’ personal data and at which of the two approaches is sustainable in the long run.

Data Protection in Europe

With the internet boom starting to take place in the mid-90s, the European countries saw fit to come up with one regulatory framework to ensure that the data about to be generated and shared among users would be safe. Instead of each country independently regulating its own information technology industry, common guidelines were instituted on which each country would base its data protection laws. This regulatory framework was known as the EU Data Protection Directive (Long and Quek, 2002). All member countries, who are also signatories of the European Commission on Human Rights (ECHR), were required to enforce its provisions within the first three years.

The EU Data Protection Directive

This is a directive that is meant to protect data and regulate its usage within the European Union. It has 34 articles providing specific instructions about how data should be handled in specific situations. It is based on 3 principles: transparency, legitimate purpose and proportionality (Tavani, 2007).
The issue of transparency is covered in Articles 7 through 12. Under this principle, the Directive states that the data subject has a right to be informed when his personal data is being collected for processing. The data controller is the person or organization that is requesting the personal data for processing. Under Articles 10 and 11 of the Directive, the controller is required to provide his name and address and to state the purpose for which the data is required, who the recipients of the data will be, and any other information sought by the data subject, so as to promote transparency and ensure that the processing is fair (Fuster and Gellert, 2012).

Article 7 of the Directive goes to the heart of data protection by prescribing the circumstances under which data processing can be undertaken. It states that data processing can only be done where there is explicit consent from the data subject, or where the processing is deemed necessary for the performance of a specific contract, to comply with a legal obligation, or to protect the interests of that data subject (Bergkamp, 2002; Bennett and Raab, 1997). The other circumstances are to protect the interests of the public or for any other legitimate interest, provided that these interests do not interfere with the fundamental freedoms and rights of the data subject.

Article 12 further provides that the data subject should be granted access to his processed personal data. Of interesting implication is the provision that the data subject also has the right to demand that the processed data be rectified or deleted. Data that is incomplete, inaccurate or inconsistent with the other regulations of the Directive may also be deleted on those grounds (Bercic and George, 2009).
Article 6b provides direction on data usage as a measure to protect data by stating that data collected for a specific purpose shall be used for that purpose alone, unless further consent is provided (Solove, 2006). This is in line with the proportionality principle, which provides that personal data should only be used as long as it is relevant to the purpose for which it was collected and must not be processed excessively. Furthermore, it should be stored in a form that does not enable the identification of the data subject, and it should not be stored any longer than necessary. If for any justifiable reason it has to be, then the necessary measures should be put in place to ensure the data is adequately protected.

Article 8 of the Directive provides extra restrictions for sensitive personal data, while Article 28 establishes authorities that will supervise data protection in the specific countries within the EU. The supervisory authorities established under this Directive are responsible for advising the government on data security issues, receiving and acting on complaints from individuals relating to breaches of data protection regulations, and instituting legal proceedings in cases where such violations are detected (Bellman, 2004). Lastly, for there to be transparency, Article 19 instructs the data controller to explicitly ask for consent from the data subject before, and not after, collection of the data. The Directive further limits the transfer of data to a third country, that is, a non-EU member, unless the receiver of the data proves that it has adequate data security measures in place.

Most of the EU members feel that this Directive is adequate and has been performing the regulatory function quite well. The majority’s view is that it just needs to be updated once in a while to reflect changing circumstances and environments as time goes by (Fuster and Gellert, 2012).
Data Protection in the US

The US does not have a national regulation framework like the one that applies to the EU countries. Instead it has adopted a ‘sectoral’ approach to data protection (Victor, 2013). Under this approach, every sector where personal data is being used institutes the necessary measures to protect that data from misuse or from falling into the wrong hands. The US prefers to use a number of laws and self-regulation measures rather than having a central regulation by the federal government. So far these ad hoc policies are working in the US. Some scholars, however, argue that privacy rights in the US are not being taken as seriously as they are in Europe. They argue that privacy rights in the EU are treated as fundamental individual rights, as opposed to the US, where such rights are merely consumer rights because they are somewhat lightly regulated (Fischer-Hubner, 2001).

In the US the main focus is on protecting data from misuse by the federal government, and not necessarily by all data controllers as in Europe. There is thus limited provision for data protection in the private sector and in businesses such as internet service providers, cloud computing service providers and other telecommunications service providers. In relation to governing the federal government’s use of personal data, there are two legal authorities concerned: the Foreign Intelligence Surveillance Act of 1978 (FISA) and the USA PATRIOT Act of 2001 (Baumer, 2004).

FISA is the policy instituted to regulate the collection and protection of foreign intelligence. This foreign intelligence should be on a non-US person, and the person should be located outside the US. Wiretaps and other forms of data interception are permitted. This policy maintains a database known as PRISM. This directive, however, does not require the government to specify the purpose of the data gathering or the rationale behind the targeting of an individual (West, 2008).
The intelligence gathering agency is required to apply to the Foreign Intelligence Surveillance Court (FISC) for certifications or warrants. Furthermore, it is not necessary to have a different or specific warrant for each data collection. With that warrant, the intelligence agency can require internet service providers and other technology companies to produce the required data. The purpose of the foreign intelligence collection is not clear but may mostly relate to political activities. Its scope is strictly non-US persons, who should not be located in the US at the time of the data collection. FISA has no geographical scope and can collect data stored in the US, kept in a US cloud, or held by an American company with a subsidiary in Europe (Gutwirth, 2011).

The USA PATRIOT Act of 2001 is the second legal authority that focuses on foreign intelligence, and specifically on international terrorism. It permits the FBI to retrieve metadata on individuals suspected to be international terrorists (Moerel, 2012). The FBI has to apply to a court of law in order to be granted permission to go ahead and collect the information. However, it is barred from collecting the content of phone calls, but it may obtain the call durations, numbers dialed and similar metadata.

While the aforementioned act focuses on international terrorism, Executive Order 12333 provides the general framework for gathering intelligence that does not necessarily relate to international terrorism. While it provides the legal basis for this type of information collection and dissemination, it does not place any restriction on data collection except for the provision that such collection, even in bulk, should not contravene the US Constitution (Kuner, 2003). Apart from these legal authorities that ensure data protection when data is being used by the federal government, there is no other legislation apart from narrowly applicable laws.
Some of these laws include the Tax Reform Act, which regulates the disclosure of personal information with regard to taxation; the Fair Credit Reporting Act; 13 USC 9; and several other laws that are used in specific contexts. There are also several proposed drafts aimed at data protection, for example the proposed Social Security Number Protection Act, the proposed Identity Theft Act and the Anti-phishing Act.

The US versus the EU Approach and the Sustainability Aspect

As is evident, the US and the EU are employing different approaches, and both are seen to be working. The only edge that one approach will have over the other will be its advantage in sustainability. The world is increasingly becoming conscious of the need for data security; individuals would like to live free of the fear that they will wake up one day to find their identity stolen and a fraud committed using it. In 2012 alone, 1200 data breaches were recorded in the US and EU (Victor, 2013). Stringent measures to curb such acts therefore have to be put in place.

While the US has no objections to the implementation of the EU Data Protection Directive, it would like its companies handling personal data in the EU to operate freely as they are doing in the US. The US is therefore lobbying for the watering down of the EU Data Protection Directive so as to free the market for its companies in Europe (Moerel, 2012). This lobbying has brought about what is known as the International Safe Harbor Principles, which are designed to streamline and make clear the process of US companies’ compliance with the EU Data Protection Directive.

The International Safe Harbor Policy Agreement

This agreement was prepared by the US Department of Commerce in collaboration and consultation with the EU. It provides a platform for US companies that are handling personal data in European nations to comply with the EU data protection provisions (West, 2008).
The legislation had to be put in place since the EU has already formalized its data protection policies while the US has not. Furthermore, companies operating in the EU are being limited in their data transfers to countries outside the EU; a legal framework therefore had to be put in place. In the US, in order to be a signatory of this agreement, one has to comply with the data protection principles stated therein.

The following are the seven principles. Notice is the first, and it states that data subjects must be informed prior to their personal information being used or otherwise processed (Gutwirth, 2011). The second principle is choice, which provides an opportunity for data subjects to opt out at any stage of the collection, processing or transfer to a third party of their personal data. The third principle is onward transfer, which provides that such transfer can only happen to other countries or organizations that have shown sufficient or adequate levels of data protection. Data security is the fourth and is designed to make the companies handling the information have sufficient and secure mechanisms for handling data. Data integrity is the fifth principle, which ensures that only relevant data is collected and processed. The sixth principle is access, and it states that data subjects should be able to access the data about themselves that has been collected. They can review it and demand deletion of data that is incorrect or not up to date (Fuster and Gellert, 2012). Lastly, Safe Harbor demands that companies that want to operate in the EU and will handle personal data have enforcement mechanisms. They are required to have dispute resolution mechanisms and procedures that can verify compliance by the member organizations. The organizations should also have a system for remedying the situation once the provisions of the agreement have been violated.
If the dispute resolution body decides to impose sanctions, then they must be as severe as possible for deterrent purposes (De Busser, 2009).

Apart from the Safe Harbor Agreement, the US and EU are at loggerheads with regard to data protection. The US system is proposed by many scholars, who view it as an accurate, localized and tailored mechanism for dealing with personal data protection. Bercic and George (2009) argue that the specific sectors can individually regulate data processing when the data is in their hands. If every sector, governed by its own relevant regulation, manages to effectively prevent data breaches and ensure data protection, then the whole country will be safe. As for sustainability, Victor (2013) points out that the US approach is more sustainable because of its flexibility. The relevant or affected legislation can be amended as and when required to accommodate changing circumstances. The world is fast changing, and many countries are bent on globalization. The practicability of the US approach therefore does not raise concerns, as it does not inherently hinder data transfer as that of the EU does (Pearce and Platten, 1998).

The US approach is designed to liberalize the commodity and the information market (Fromkin, 2000). To that end it has succeeded, and that is why those countries that are not very keen on their personal data security, or that want more flexibility in the treatment of their data, will rush for US-based clouds or technology companies such as Facebook, Yahoo, Google and YouTube, among others. But despite this flexibility, the US approach is subject to exploitation, as it is not a cohesive body of legislation and the different states may apply the provisions of the acts differently. It does not do enough to promote trust in the protection of data. The EU Data Protection Directive, on the other hand, has been in force since 1995.
Its major undoing, argues Baumer (2004), is that it is not specific; it just provides general guidelines and lets the member countries determine the specifics. In as much as it seeks to harmonize the data protection regulations across Europe, there are major differences that occur due to the different interpretations of the Directive by the different member countries, unlike in the US, where an Act is very clear and applies uniformly (Solove, 2006). The other disadvantage is that it is fast becoming outdated as the technological environment undergoes a metamorphosis. When it was put in place nearly two decades ago, the information economy was not this immense, yet no major amendment has been made. It is evident that the principles have stood the test of time. The recent move to put in place a more updated version of the Directive will solve this problem once and for all. The proposed General Data Protection Regulation will supersede the EU Data Protection Directive. It will provide more consistency in implementation and will take into consideration the drivers that influence privacy. These drivers include the social and economic reasons for personal data collection, e-commerce, e-government and many more services that require personal data to be effectively discharged (De Hert and Papakonstaninou, 2012).

Conclusion and Recommendation

After taking all these factors into consideration, it is clear that the EU approach is more sustainable in the long run. The reason is that, though it is sparingly flexible, it does not require this flexibility, as it is not the final regulation but just the framework; the member countries can revise their data protection rules as the environment changes, provided they stay within the framework (Fuster and Gellert, 2012).
Of more importance is the proposed draft, which is much updated in terms of the technologies to be covered; its objectives are clearer than the former's, and its control mechanisms are diverse, less burdensome and bureaucratic, and more accommodative of international data transfer (Victor, 2013). The Directive will still be comprehensive like the former and maintain high human rights standards with regard to data security. Bercic and George (2009) conclusively state that if there were no plans to put in place a more updated version of the regulation, then the US approach would have been the obvious option, but the looming changes in the EU approach definitely make it the more sustainable approach compared to the US approach. The current EU Data Protection Directive still serves the critical role of stimulating data protection being taken very seriously; abandoning it would be disastrous, and it should instead be a reference model for other countries or blocs (De Hert and Papakonstaninou, 2012). The idea of an international standard is the only way to foster globalization in this technological era.

References

Baumer, D. (2004). Internet privacy law: a comparison between the United States and the European Union. Computers & Security, 23(5), 400-412.
Bellman, S. (2004). International Differences in Information Privacy Concerns: A Global Survey of Consumers. The Information Society, 20(5), 123-134.
Bennett, C., & Raab, C. (1997). The Adequacy of Privacy: The European Union Data Protection Directive and the North American Response. The Information Society, 13(3), 245-264.
Bercic, B., & George, C. (2009). Investigating the legal protection of data, information and knowledge under the EU data protection regime. International Review of Law, Computers & Technology, 23(3), 189-201.
Bergkamp, L. (2002). The Privacy Fallacy: Adverse Effects of Europe's Data Protection Policy in an Information-Driven Economy. Computer Law & Security Report, 18(1), 31-47.
De Busser, E. (2009). Data Protection in EU and US Criminal Cooperation: A substantive Law Approach to the EU internal and Transatlantic Cooperation in Criminal Matters between Judicial and Law enforcement Authorities. Brussels: Maklu.
De Hert, P., & Papakonstaninou, V. (2012). The proposed data protection regulation replacing Directive 95/46/EC: A sound system for the protection of individuals. Computer Law & Security Report, 28(2), 109-121.
Fischer-Hubner, S. (2001). IT-Security and Privacy: Design and Use of Privacy Enhancing Security Mechanisms, Issue 1958. New York: Springer.
Fromkin, A. (2000). The death of privacy? Stanford Law Review, 52, 1461-1543.
Fuster, G., & Gellert, R. (2012). The Fundamental right of data protection in the EU: In search of an unchartered right. International Review of Law, Computers & Technology, 26(1), 73-82.
Gutwirth, S. (2011). Computers, Privacy and Data Protection: an Element of Choice. New York: Springer.
Kuner, C. (2003). European Data Privacy Law and Online Business. London: Oxford University Press.
Long, W., & Quek, M. (2002). Personal data privacy protection in an age of globalization: the US-EU safe harbor compromise. Journal of European Public Policy, 9(3), 325-344.
Maria, T. (2013). Is Data Protection the same as Privacy? An analysis of telecommunications' metadata retention measures. Journal of Internet Law, 17(3), 21-34.
Moerel, L. (2012). Binding Corporate Rules: Corporate Self-regulation of Global Data Transfers. London: Oxford University Press.
Pearce, G., & Platten, N. (1998). Achieving Personal Data Protection in the European Union. Journal of Common Market Studies, 36(1), 529–547.
Solove, D. (2006). A Taxonomy of Privacy. University of Pennsylvania Law Review, 154(3), 477.
Tavani, H. (2007). Philosophical theories of Privacy: Implications for an adequate online privacy policy. Metaphilosophy, 38, 1-22.
Victor, J. (2013). The EU General Data Protection Regulation: Toward a Property Regime for Protecting Data Privacy. Yale Law Journal, 123(2), 513-528.
Warren, S., & Brandeis, L. (1890). The right to privacy. Harvard Law Review, 4, 193–220.
West, R. (2008). The Psychology of Security. Communications of the ACM, 51(4), 34-40.