US Law and EU Law on Privacy
Jules Polonetsky
CEO @ Future of Privacy Forum | Advancing Responsible Data Practices
Yesterday, the Wall Street Journal published an interesting article that described the complaints of German companies struggling to deal with the strict terms of health-related privacy laws in the United States. Here is what one app developer said:
“Honestly, the U.S. had way more regulations than Germany,” said Simon Bolz, whose company, goderma, makes an app called Klara that allows smartphone users to take photos of a skin problem and send it to a dermatologist. He said getting the company’s IT systems compliant with the Health Insurance Portability and Accountability Act (HIPAA), a 1996 law that regulates patient data in the U.S., required more effort than for satisfying German authorities. “We had to set up two separate infrastructures for each country, and Germany was easier,” Mr. Bolz said.
I have long argued that US law better protects health, banking, credit, insurance and children's data than EU law. EU law better protects general marketing data.
My European colleagues like to describe the US as an unregulated Wild West when it comes to data privacy. But the reality is that in the areas that are most important and for the types of data that are most sensitive, we have strict laws that outstrip the general privacy laws in many EU countries. HIPAA, GLBA, FCRA, COPPA and a virtual alphabet soup of laws are applicable to much of the data in our economy. And even general marketing data, if it is used in a way that can affect credit, insurance or employment, or in a way that discriminates against people based on race, religion, sex, sexual orientation, disability and more, is covered by civil rights laws. Beyond privacy enforcers at the Federal Trade Commission, the US has major regulatory agencies dedicated to enforcement of the specifics of many of these laws.
Future of Privacy Forum Senior Fellow Peter Swire's recent paper "Lessons from Fair Lending for Fair Marketing and Big Data" provides an important discussion of how current discrimination and lending laws apply to a broad scope of marketing data. FPF has compiled a partial list of the many laws involving data and discrimination at our web site here.
What about law enforcement and personal data? Despite Snowden, we have more transparency than many EU countries do over law enforcement and intelligence access to data. Given the surprises about the long reach of the NSA, we do need even more oversight for intelligence activities. We do need to do more to provide assurances to non-US residents that their data isn't vacuumed up without any protections. Amending the Privacy Act to offer recourse to non-US citizens would be a good step!
It's also important to recognize that giant swaths of general marketing data in the US are subject to privacy policies and self-regulatory codes that are enforceable by the Federal Trade Commission, by State Attorneys General and even by local city Consumer Affairs Commissioners. As the New York City Consumer Affairs Commissioner many years ago, I had authority under the "mini-FTC" act in New York to bring enforcement actions, and many other state or local Consumer Protection boards have degrees of authority as well.
There are many areas where the US can and should improve around privacy and many areas where companies can do better. At the Future of Privacy Forum, we are doing our part drafting best practices, self-regulatory codes, seal programs, privacy pledges and more. There is much more to do, but the Wild West of the United States has long been tamed.
Jules Polonetsky is Executive Director of the Future of Privacy Forum, a think tank focused on advancing responsible data practices.
Photo Credit: Flickr: Giacomo Bettiol
Area Vice President Global Accounts -- Global High Tech Division
10 years ago
In his dissent in Olmstead v. United States (1928), Justice Brandeis defined privacy simply and eloquently as the "right to be let alone". He added that it was "the most comprehensive of rights, and the right most valued by civilized men." Earlier, in the “Right to Privacy”, Warren and Brandeis (1890) argued that our laws must evolve in response to technological change. They noted: “The intensity and complexity of life, attendant upon advancing civilization, have rendered necessary some retreat from the world …” The question, therefore, is not merely how far should the right to privacy extend but to what extent should this right be recoverable in the internet age in which entities and individuals can invade various data bases and dig up heretofore obscure and otherwise virtually inaccessible aspects of one’s life based on technological progress. Barring a truly compelling, clearly and definitively demonstrable public – rather than private -- interest, private individuals should have an absolute right to require the deletion of personal information from the internet (or other data collection sources) regardless of the nature of the content or whether or not such content was previously voluntarily provided. The right to recover one’s privacy and in the process redefine oneself is part and parcel of what Justice Kennedy referred to as “choices central to personal dignity and autonomy”.
Because hard problems deserve good solutions!
10 years ago
The big hole in the argument that the US might have better privacy regulation is, as pointed out in the article, that it only extends to citizens.
It is a surprise, isn't it? I was a manager for a US company based in Europe. The data privacy laws were a real problem. I had people all over Europe and yet I could not see the detailed files on any of them except in the country where I was based. One Indian IT firm we dealt with had a large office near Heathrow Airport. For some types of projects they could not even take the code out of the country, so the software engineers would be flown in. As for the NSA and Snowden, what strikes me most is the minimal impact it has had on our actual security and privacy. The reality is that most people do not value privacy. The existence and growth of sites like Facebook prove that. Even on the medical side, I am wondering if we have gone too far. I remember one of my relatives, when asked by a casual acquaintance how he was doing, giving a detailed 30-minute description of all his ailments. I was nearby engaged in an activity, and was laughing to myself the whole time at the guy who asked the question. We would be better off barring discrimination on the basis of health (as we do for so many other things) than even trying to keep the stuff secret.
Anglo-American Attorney and Solicitor
10 years ago
A double-edged sword - protect privacy or impose bureaucracy.