Free Newsletter
Register for our Free Newsletters
Newsletter
Zones
Access Control
LeftNav
Alarms
LeftNav
Biometrics
LeftNav
Detection
LeftNav
Deutsche Zone (German Zone)
LeftNav
Education, Training and Professional Services
LeftNav
Government Programmes
LeftNav
Guarding, Equipment and Enforcement
LeftNav
Industrial Computing Security
LeftNav
IT Security
LeftNav
Physical Security
LeftNav
Surveillance
LeftNav
View All
Other Carouselweb publications
Carousel Web
Defense File
New Materials
Pro Health Zone
Pro Manufacturing Zone
Pro Security Zone
Web Lec
 
ProSecurityZone Sponsor
 
ProSecurityZone Sponsor
 
ProSecurityZone Sponsor
 
ProSecurityZone Sponsor
 
ProSecurityZone Sponsor
 
ProSecurityZone Sponsor
 
 
News

USA and EU Data privacy differences

Varonis Systems : 12 February, 2013  (Technical Article)
Andy Green of Varonis explains the cultural divide between the USA and Europe in legislative attitudes towards data privacy expectations
USA and EU Data privacy differences

In the last few years, US companies have not been shy about expressing their feelings on the EU’s Data Protection Directive (DPD). There’s a major social media player, for example, with a European HQ in Ireland that’s been publicly critical of a proposed “right to be forgotten” rule for letting consumers delete their online data. There’s also a search engine service that, while not openly objecting, is instead suggesting it’s already doing a good job of meeting the DPD’s rules.

US companies have begun to learn that the data privacy rules and expectations they’re accustomed to in the US are viewed differently on the other side of the Atlantic. The EU Charter--their constitution--explicitly lists data protection as a fundamental right. That’s roughly like having a US amendment devoted to encryption, which, at this time, there isn’t.

This is not to say there’s a complete privacy compliance chasm between the US and EU.

Healthcare companies have long had extensive regulatory obligations under HIPAA for securing health information, alerting consumers about breaches, and gaining consent on information transfers. US companies in the banking and credit sectors could point to parallels in Gramm-Leach-Bliley and the Fair Credit Reporting Act.

While US medical and financial companies have had to deal with privacy and security legal burdens, that’s not been the case with the social media players. Because the Data Protection Directive covers all companies collecting data--not just ones in select, albeit important, industries—and through its Safe Harbor treaty it snags US firms as well, it’s not surprising that US Internet-based companies face the most culture shock when conducting business in the EU.

The ultimate issue of course is that in the new information economy data is revenue, and so deleting it is like, well, burning legacy paper currency.

Besides the right to data erasure differences, another sticking point between US social media companies and the EU is on rules for reasonable data retention limits. But this again reflects mostly differences between old and new economies.  After all, outside the social media world, it’s generally considered good security policy--limiting data breach liabilities-- to keep PII data to a minimum and erase it when it’s no longer necessary. For example, the credit card vendors, through their PCI industry standard, emphatically remind corporations with regard to credit card numbers that “if you don't need it, don't store it!  “

But new regulatory forces along with changes in consumer attitudes may tilt social media companies towards a European view.

The FTC’s new privacy framework that was published earlier last year—and that I always come back to—calls for minimizing data collection of consumer data and sensible retention limits. There’s a (stalled) bill in the Senate, revealingly entitled “The Commercial Bill of Rights”, which will implement some EU-style data and privacy protections. The bill’s scope, by the way,  covers any company that “collects, uses, transfers, or stores covered information concerning more than 5,000 individuals.”   

Good data protection and privacy best practices may one day become as American as espressos and lattes.

Bookmark and Share
 
Home I Editor's Blog I News by Zone I News by Date I News by Category I Special Reports I Directory I Events I Advertise I Submit Your News I About Us I Guides
 
   © 2012 ProSecurityZone.com
Netgains Logo