The EU has strong standards and enforcement. And the rest of the world is playing catch up.
While the United States is again mired in soul-searching debates about personal privacy and how companies collect data, a slew of privacy protection laws have already taken hold around the world.
Of the many regions that have passed regulations, the European Union stands out for its overarching and comprehensive approach. The 27-country EU directive, passed in 1995, restricts the use, sharing, storing and collecting of personal data. This holistic view of personal data, defined as anything that can identify an individual — including a person’s address and their image — is seen as the gold standard for many countries. It differs from the patchwork laws in the US and some other countries.
“The EU has strong standards and enforcement,” said Daniel Cooper, a partner at the London office of Covington & Burling. “And the rest of the world is playing catch up.”
Billions of consumer data bytes are spewed through smart phones, video cameras and social media every day. The amount of data is so vast that terra bytes have morphed into zeta bytes, which is 1,000,000,000,000,000,000,000 bytes (that’s 21 zeros, if you are counting). Several US firms like EMC Corp and IBM Corp are eyeing big profits from analyzing and storing this new digital gold because it can more easily predict buying behaviour.
This flood of data about individuals, from the last website someone visited to the phone numbers people call to even more personal information, has worried regulators around the globe.
Even the EU is considering stricter, and controversial, personal privacy measures, such as the right to be forgotten. If approved, a person’s past could be wiped off the internet and their data could no longer be processed or stored. US companies in Silicon Valley, among others, are fighting these proposed EU regulations, but the effort has continued to move forward.
The EU and elsewhere
The EU’s data privacy laws are folded into a directive that identifies core principles that member countries must observe, including adequate data security and an individual’s consent to have their data collected. Data that identifies a person is considered personal, including email addresses and even the IP address that identifies each computer.
“Transparency is a core tenant,” said Cooper.
Each EU country has its own data privacy czar to enforce laws, although enforcement varies greatly between countries. Within the EU, Spain and Germany are widely seen as swinging the toughest data privacy sticks. Regulators there slap violators with large fines when they violate consumer privacy rights. Spain, for example, logs the most data protection complaints and hands out the most severe fines in the EU. Spain’s data agency has handed out several 300,500 euro ($393,355) fines for illegal data transfers, according to the law firm White & Case. Germans are sensitive about data privacy too, including employee data, said Martin Munz, a partner in White & Case’s Hamburg Germany office. And data regulators there also issue stiff fines — up to 250,000 euro ($327,250).
Asia, meanwhile, is also coming along the data privacy curve pretty quickly. Singapore passed a data privacy law last year that protects all personal data ten years after a person’s death. And South Korea has some of the strongest data privacy laws in Asia, even covering a person’s image or voice. The laws, which passed in 2011, are strictly enforced.
The EU has also used its collective clout to drive change in privacy rules in other countries, too, mainly through trade. Central and South American countries such as Peru, Uruguay, Costa Rica and Mexico have hammered out data privacy laws in the past few years in hopes of complying with the EU Data Protection Directive to further open trade with South American businesses. Argentina, which offered its own data privacy rules in 2000 mainly to do more trade with Europe, also meets the EU’s standards.
Enforcement among these countries varies widely, though, said Cooper. Argentina, along with other South American countries, is widely seen as having lax enforcement that leaves individuals with less privacy protection than they believe they have.
Several other South American countries, including Brazil, are in the midst of formulating privacy laws. Australia has also hammered out a bare bones data privacy law that has been added to over the years, although the country’s laws do not meet the EU standards, since Australian data isn’t as rigorously protected.
How the US lags behind some parts of the world
While much of the developed world seems to be acting to protect personal data the lack of overarching privacy law increasingly sets the US apart. Its laws protect healthcare and financial data, but little else. HIPAA, a US law passed in 1996, protects any healthcare information that identifies a person. And Gramm-Leach-Bliley law protects financial data that is also identifiable, such as peoples’ bank account numbers and addresses.
Some states have their own privacy laws, separate to the federal statutes. Massachusetts and California are the best at protecting consumer data among states, said Daren Orzechowski, a partner in White & Case’s Intellectual Property Group.
But otherwise, consumers must scrutinize the policies posted by retailers and decide what privacy they are willing to give up making a purchase.
There is little hope right now for a single blanket data privacy law to pass in the US Congress. And even widely-touted the Consumer Privacy Bill of Rights, which would give Americans some control over all their data, has lost momentum in Congress.
“In Europe, your data is an asset you can protect,” said Terence Craig, co-author of Privacy and Big Data. “The US doesn’t have that history.”