Europe vs. America: different approaches to privacy - Essay Example

Europe v. America - different approaches to privacy Introduction Everything that people do within the internet leaves behind some digital fingerprints. This means that it is logical that most users of the internet worry a lot about the matter of privacy. Because laws of privacy are different from one country to another, a company may not be obligated legally to make sure that personal data processing will conform to the requirements of the law from the nations with which individuals whose data were collected come from. A good example is that where a company has been incorporated within a nation that is offshore, this company could not be under obligation to adhere to whatever data protection laws. On the other hand, due to the internet’s global nature, this kind of a company might as well provide internet services to individuals who reside within nations where there are strict laws that protect data. Even large organizations as well as countries, for instance the united States and Europe or the European Union, have dissimilar methods that they utilize in their trials to regulate personal information use within the information society. This paper looks at the different approaches that are used in America and Europe in the protection of privacy. Multinational companies that are based within the United States of America could be obligated to adhere to data privacy laws both within the United States as well as in the rest of the nations within which they operate. Compliance with such laws could pose challenges that are not easy for the companies. This is due to fundamental dissimilarities within global approaches to privacy of data. As it has been explained by the United States Department of Commerce, as the European Union and the United States share their objective for the enhancement the protection of their citizen’s privacy, the European Union takes some different approach to privacy from the one the United States takes. The United States utilizes the sectoral approach, which relies upon a mix of legislation, self-regulation, as well as regulation. On the other hand, the European Union relies upon comprehensive legislation, which, for instance, requires the formation of government agencies for protection of data, databases registration with such agencies as well as at times earlier approval before the beginning of personal data processing. It is quite easy for companies that operate within the current information economy to gather, store as well as transfer private data through electronic communication. This makes it most likely for these companies to expose themselves to, as well as to probably, violate the laws that protect the privacy of data (NATASHA). The Approach of Data Protection in Europe Within the European Union, two key legal instruments regulate protection of data within the information society. Such legal instruments are the e- privacy directive 2002/58/EC (Sect 2.2) and the Data Protection Directive 1995/46/EC (Sec 2.1), Data Protection Directive 1995/46/EC European Union Data Protection Directive 1995/46/EC happens to be applicable to private data processing that is automated as well as other personal data processing, which forms some part of the filing system (Solveig). The definition given to personal data by this directive is whatever information is in relation to an identifiable or an identified natural person. It is worth noting that the processing of data that is related to the security of the public, security of the state, defense, as well as activities with criminal law areas does not fall under this directive. Below, the responsibilities for the individual who is responsible for the determination of the purposes as well as ways for the personal data processing (the data controller) as well as the rights of the data subject or one whose data is processed (Solveig). Obligations of Data Controller With regard to Directive 1995/46/EC, a data controller should make sure of compliance with a number of principles that that relate to the quality of data. Such principles include: (1) Data collection has to be done lawfully as well as with fairness, (2) data collected has to be gathered for clear, specified as well as genuine purposes and not processed further in some manner that is not compatible with such purposes; (3) the data that is collected needs to be relevant, adequate as well as not in excess with regard to the purposes of which they have been collected or/and further processed; (4) The data collected has to be accurate as well as where necessary updated, and; (5) The data that is collected has to be maintained in some form, which makes it possible for data subject’s identification for not longer than expected, for the purposes of which data were gathered or for which the data are further processed (Solveig). The controller of data does not only have to adhere to those principles outlined above, however, they should as well provide particular information to the data subject. Particularly, this information includes: (1) The controller’s identity as well as the controller’s representative if any exists (2) The intended purpose of the data processing (3) whatever additional information for instance receipts or receipts categories for the data, if it is voluntary or obligatory to reply the questions or even possible consequences for failure to reply, and finally if there is a right to access as well as edit data that concerns the data subject. A data controller has the obligation to implement satisfactory organizational and technical measures against any access that is unauthorized, destruction, accidental loss, as well as alteration of data. Data subject’s rights In respect to the E Directive 1995/46/EC, a data subject enjoys these rights: a right of accessing the personal data that relates to the data subject, right to court remedy and right of objecting specific practices of data processing. The data subject’s right of accessing personal data involves rights to: be provided by data controller with copies of processed data; statement that indicates whether data that is in relation to the subject is under processing; information processing purposes, and information on concerned data categories and recipients to whom data is exposed to. Another right is to obtain rectification, removal, or blocking of data processing that fails to comply with EU Data Protection Directive 1995/46/EC’s provisions (The Economist). Personal websites have to comply with EU Data Protection Directive 1995/46/EC Personal data processing by some natural person as purely private as well as household activities has been exempted from the directive. On the other hand, within a landmark resolution (Case C-101/01, Bodil Lindqvist, Judgment of 6th Nov. 2003), European court of justice discovered that a lady who identified as well as included information on colleagues who were church volunteers on the ladies personal website had breached the data protection directive. Reason for this was that a personal website creation was not a private activity that fell outside the directive’s scope (INFOSEC INSTITUTE). The e- Privacy Directive 2002/58/EC This aims at protecting personal data within the telecommunications field. The e- privacy directive’s scope includes electronic communications services within the EU public telecommunications network that are available to the public. Particularly, this directive regulates location data (data device’s geographical location) as well as traffic data (data essential for provision of communications). The directive still regulates communications that are unsolicited (spam), spyware, and cookies (INFOSEC INSTITUTE). Pursuant to e-privacy directive, communications services providers that fall under the scope of this directive need to alert corresponding national authorities of any breaches. Subscribers as well as customers as well have to notify of breaches as well as the manner in which they could affect them. Proposed measures for encountering such breach needs to accompany the notifications. In respect to cookies, the directive states that cookies may only be installed on a subscriber’s device after the subscriber’s explicit consent. It is noteworthy that a subscribers consent should be attained after the subscriber has been provided with information that the e-privacy directive requires as well as after being offered the right of refusal to such access. With regard to spam, e-privacy directive makes it clear that remedies of infringements for provisions on communications that are unsolicited may be obtained through legal proceedings (INFOSEC INSTITUTE). The Approach of the United States Despite the fact, the United States lacks the EU- style inclusive data protection regulation; there exist a number of United States laws for the protection of personal data. As mentioned earlier, the US keeps a sectoral approach for protection of private data on the federal level. The United States regulatory agencies with regard to measures like Sarbanes-Oxley law, compelled companies to disclose information as well as keep transparent practices in business, both, which could involve information on personal data. These measures various requirements may lead to companies having difficulties with ensuring the compliance with both the European and United States law. At state level, a number of states have already enacted some privacy legislation forms (HG Org.). Some of the United States federal data protection legislations include the following: HIPPA (Health Insurance Portability and Accountability Act) HIPAA ensures that individually identifiable health information is protected. Generally, it identifies the persons who are allowed to access health information. Mostly, this kind of information is utilized by heal practitioners as the use it for the purposes of treatment as well as care coordination. The kind of information subject to protection include notes from medical providers as well as their records, computer recorders for health insurers, medics conversations about the patient’s treatment and care, and the billing information too (INFOSEC INSTITUTE). FACTA (Fair and Accurate Credit Transaction Act) FACTA assists in the protection of credit information for customers from risks that are in relation to data theft. As per the requirements of FACTA, debit card and credit card receipts, with an exception for receipts that are handwritten, must not list excess of the final five digits of such card number. Another thing is that under this act, an individual requesting for credit report possesses the right to make a request for the first five digits for the person’s social security number to be excluded on the file (Solveig). COPPA (Children’s Online Privacy Protection Act) COPPA aims at protecting the privacy of those children who are below 13 years of age. The Act’s scope encompasses websites, which are directed towards kids or those that are aware that these kids are paying a visit to the websites. The act does impose an obligation on these websites’ operators to publish policies of privacy that specify if personal information is under collection, how such information is being utilized and the website operators’ practices disclosure. The operators of such websites have to acquire direct permission from the parents of the children in order to be able to gather such information from the children. On a parental request, this operator has to give the parent a description of what kind of information being gathered as well as the end data collection on a particular child (HG Org.). Conflicts Potential conflicts in European and United States policies of privacy readily appear. Some parts of Sarbanes-Oxley law as well as the regulations it encourages, for instance, needs the public to come up with an approach for workers to anonymously report on probable financial misappropriations as well as to develop some code of ethical conduct. Global applications for the resultant policies have formed conflicts with various EU nations’ laws. Latest decisions with France canceled unidentified reporting hotlines as overbroad as well as violating the French principles for individual privacy, human dignity, as well as human rights. Turning to Germany, the labor court canceled the ethics code of Wal-Mart that needed workers to report any possible violations of the company’s code, making it possible for the workers to do that in an anonymously manner. It was found by the court that most of the requirements of the Ethics code, for instance a telephone hotline implementation, needed the works council’s approval, and proposed that some provisions could violate the law of Germany, irrespective of the agreement of the Works Council (Steven, p. 46). Such decisions did not address directly the substantial conflicts, which could exist between policies of whistleblower and the privacy directive of the EU. Under this directive, persons have a right to know the kind of personal data that has been collected about them. The Sarbanes Oxley law does not prohibit such notification, however, there is a possibility that such notification to persons (especially wrongdoers) may hinder with investigations through the increment of a chances for cover up (Bob). Another problem is raised by anonymous ethics hotlines. This is due the fact the many of these transmit information to the US headquarters. The sending of private data information to the US might violate the directives provisions. This directive does prohibit transfer of personal data to destinations or nations that lack satisfactory law for protection of personal data (Donald, p.8). The fact that the United States lacks a comprehensive privacy protection, then it could be categorized as one of such nations. Companies of the United States adhere to the safe harbor privacy principles of the United States department of commerce. Their ethics hotlines could violate the privacy directive of EU. Outsourcing is the other area within which US compliance could create conflicts with the law of the EU. Federal trade commission, which is under Gramm- Leach- Bliley Act’s Safeguard rule, needs that financial institutions that are defined broadly to implement programs which are aimed at minimizing risks related to storage and utilization of non-public personal data. FTC safeguards rule requirements include an obligation for overseeing service providers’ security practices, including offshore providers. Though such requirements raise data protection obligation levels for the companies of the United States, they do not essentially ensure compliance with the private data directive of the EU (European Commission). Efforts to investigate the activities of terrorists could as well has impact on the way companies end up treating personal data. The Court of Justice of Europe invalidated an arrangement through which European Commission was going to make it possible for commercial airlines to give personal information of passengers to the United States customs service. This decision was reached after the court findings that the European Commission did not have proper lawful basis of the agreement. Suggestively, this decision reached by the court does not mean that the airlines have to hold back all information about the passengers. The findings of the court were that passenger information, even though gathered as part for commercial enterprise, happens to be exempt from the directive due to its use within international defense (Jean and JuriP. 18). Conclusion Under the law of the European Union, collection for personal data may only be done under strict conditions as well as for purposes that are legitimate. The key component for the EU law for data protection happens to be the Data protection Directive 1995/46/ EC. On the other hand, the United States does not have an all-encompassing law that regulates personal data collection as well as processing. In its place, regulation of data protection is done through many federal and state laws. Probably, these different data protection approaches for the US as well as the EU stem from history. Within Europe, where individuals have experienced dictatorships, protection of data was declared as a right for humans and regulated trough a comprehensive legislation for data protection. With regard to this, it happens to be of significance mentioning that the German Democratic Republic’s Official State Security Service employed five hundred thousand secret informers. Among these secret informers, ten thousand were tasked with listening to as well as transcribing citizens’ phone calls. Contrary, within the United States, market forces are the key governing factor of the attitude towards protection of data. The United States Patriot Act adoption following the 9/11 events of the years 2001, United States significantly decreased its restrictions on personal data collection by agencies that enforce the law. References Bob, Sullivan. La Difference is Stark in EU, U.S. Privacy Laws. 2006. http://www.nbcnews.com/id/15221111/ns/technology_and_science-privacy_lost/t/la-difference-stark-eu-us-privacy-laws/#.VSzcCvmUe0w. 14 4 2015. Donald, C, Dowling. "International Data Protection and Privacy Law." White & Case ( 2009): 1-36. http://www.whitecase.com/files/Publication/367982f8-6dc9-478e-ab2f-5fdf2d96f84a/Presentation/PublicationAttachment/30c48c85-a6c4-4c37-84bd-6a4851f87a77/article_IntlDataProtectionandPrivacyLaw_v5.pdf. European Commission. Protection of personal data. 2014. http://ec.europa.eu/justice/data-protection/index_en.htm. 14 4 2015. HG Org. Data Protection Law. 2015. http://www.hg.org/data-protection.html. 14 4 2015. INFOSEC INSTITUTE. Differences between the privacy laws in the EU and the US. 2013. http://resources.infosecinstitute.com/differences-privacy-laws-in-eu-and-us/. 14 4 2015. Jean, Slemmons, Stratford and Stratford Juri. "Data Protection and Privacy in the United States and Europe." IASSIST Quarterly ( 1998): 17-20. http://www.iassistdata.org/downloads/iqvol223stratford.pdf. NATASHA, SINGER. "Data Protection Laws, an Ocean Apart." Business Day Technology ( 2013): 1. http://www.nytimes.com/2013/02/03/technology/consumer-data-protection-laws-an-ocean-apart.html?_r=0. Solveig, Singleton. Europe, Privacy and Human Rights: Comparing the United States to. 1999. http://www.cato.org/pubs/wtpapers/991201paper.html. 14 4 2015. Steven, C, Bennett. "The Clash Of European Union And United States Data Privacy Laws." The Metropolitan Corporate Counsel (2008): 46. http://www.metrocorpcounsel.com/pdf/2008/April/46.pdf. The Economis. "Private data, public rules." Privacy laws ( 2012): 1. http://www.economist.com/node/21543489. Read More