Monday, February 4, 2013

EU Data Privacy Changes Affect US Companies

So the last two summers, I was working in London for an international market research / customer service company. Part of my job was working with the staff attorney to evaluate the requirements for data protection and data privacy in all the different countries we collected data from. The interactions between different privacy laws are pretty interesting.

The EU as a whole passes legislation (for instance, the Data Protection Directive [http://en.wikipedia.org/wiki/Data_Protection_Directive]) which member countries are expected to pass. Just as states in the US pass customized versions of legislation (MN's version of the UCC, for instance), the EU member states customize the legislation in ways that they see fit. This is where things get really tricky.

In Germany, data protection standards are very high. In the UK, they're moderate, and the US has notoriously low data protection standards. For instance, in Germany, you have to opt in to any sort of marketing calls, including follow-up calls after your car is repaired. Even online, for a website to collect any sort of personal data, you have to opt in by at least checking a box. This "personal data" is anything that can be traced to you personally. This does NOT mean the data has to include a name or address. "Personal data" is anything that carries information about an individual. In the US, Google tracks your search results, Facebook tracks your interests, and Amazon knows what you shop for. Each of these companies uses that information to customize the products it advertises to you. In Germany, you have to opt in to such a service on every single website, and generally none of that information can be tracked.

Things get really interesting when people interact between countries. Whose laws govern when a German and an American exchange emails about a future product? What data can be recorded? And whose data? Both? Neither?

These are some of the issues at stake with upcoming legislation. The EU is about to increase its standards for data privacy. Lobbyists from the US, including those from companies like Google and Facebook, are attempting to influence that legislation in order to preserve or expand their markets in Europe. European legislators are complaining about "unprecedented" and "fierce" lobbying efforts.

It's unclear what impact the lobbying will have. Obviously the companies want lower data privacy standards, but when some legislators are telling off American companies ("You're not going to change your Fourth Amendment because of a business model in Europe, are you?"), it seems that backlash against the efforts could have the opposite effect.

The next round of voting occurs in April. In the meantime, the drafting process continues. At this point it's anyone's guess how things will turn out.

Read more about the situation here: news.cnet.com/8301-13578_3-57567467-38/privacy-groups-tell-u.s-to-stop-lobbying-eu-on-data-law-changes/

2 comments:

  1. A good start to the blog!

    We will cover some of what Drew is talking about in a couple of weeks. Meanwhile, the NY Times reported yesterday on the continued negotiations in the EU that Drew mentions. The current proposal would make the rules stricter in a number of ways and also upgrade them from a "Directive," which can be adopted to different degrees in different countries as he described, to a "Regulation," which becomes binding law in all the EU nations automatically.

    How should we handle the kinds of cross-border differences Drew describes?

    Here is the Times story: http://www.nytimes.com/2013/02/03/technology/consumer-data-protection-laws-an-ocean-apart.html

    - Professor McGeveran

  2. A couple of ideas for how to handle cross-border issues.

    1: Every country has an agreement with every other country about how to handle data transferred between the two. This is tedious, but could be divided into classes for ease of amending and updating.

    2: A single worldwide data transfer scheme regulating any and all data transfers. This would be cumbersome, difficult to adapt, and harder to pass.

    3: Data regulations based on origin of data. That way, Germany could regulate what information leaves its country, and the US could regulate what information leaves the US, without having to conflict. Again, this is difficult because you'd have to know the origin of the data. General location information, like generalized IP addresses, could help. Pass-through transfers wouldn't count as an origin unless information was added to the message.

    4: Information collection schemes based on a global maximum, and with higher restrictions at an opt-in basis by country. Violations of higher restrictions would be litigated in the country of violation, and against companies with an established location of business within the country.

    I think the biggest issue with all of these points is asking where the data "is." For me, since it can be on several servers in many countries at once, the biggest issue may be to ask where it originated. A creator's IP address or similar tag could help, though that information can be sensitive in itself.
