Wednesday, January 25, 2012

EU updates privacy policy

Yesterday, Google announced a major overhaul of its privacy policy, to some loud criticism.

It's nice to see today that the EU has come out with its own updates to its privacy policy.

Let's compare the new EU data privacy rules to the US ones being proposed throughout 2011 in both the House and the Senate, as well as the ones offered by the White House.

Probably the biggest difference comes in fines. The EU rules define specific levels of fines for infractions, starting at 0.5% of a corporation's turnover and going all the way up to 2%. Keep in mind that this is "turnover", not profit. The difference here is sharp: the US laws all set caps on damages, from $500,000 to $15,000,000, with no regard to the size of the company. Presumably the amount within that cap would be determined by the FTC when it settles a claim, since the proposed US laws contain no definitions of which infractions merit which damages.

The EU has a host of other requirements. Every company with more than 250 people is required to have a Data Protection Officer, and there are strict rules around how this new position is to be treated. The position can only be fired for cause, for example, which presumably protects the officer from being terminated for taking a hard-line approach to privacy. The SAFE Data Act requires the appointment of "an officer as the point of contact with responsibility for the management of information security." In the US, the position's tasks aren't defined: this person could be a janitor and still fulfill the requirements of the law. No offense to any janitors out there.

The EU law also requires mandatory security assessments and 24-hour turnarounds on breach notifications. It creates the right to be forgotten and establishes erasure and data portability standards. The US takes a different approach, looking at security on an industry-by-industry basis. The US has offered up an "Online Privacy Bill of Rights", but it does nothing to change the status quo on security assessments or breach notification. While the FTC has issued recent rulings requiring Facebook to have annual security assessments, the prevailing attitude seems to be that you are assumed to be secure until proven insecure. The better model would be the other way around.
