The differences between EU and US data laws

The recent Court of Justice of the EU ruling that invalidated the Safe Harbor framework has divided opinion. Safe Harbor was not a European law but the EU-US arrangement under which personal data could be transferred from the EU to the United States, and its collapse raises security and sovereignty questions that can have a massive impact on your business.

European data protection law has been in place since 1995, when the Data Protection Directive (95/46/EC) was adopted in response to the growing number of businesses holding large amounts of personal data. The main idea behind the directive is that personal data may be processed only on one of a closed list of legal grounds, of which the data subject's consent is the first.

Below are some of the key tenets of the European Data Protection Directive:

Data may be processed only under one of the following circumstances (art. 7):

  • When the data subject has given his consent.
  • When the processing is necessary for the performance of or the entering into a contract.
  • When processing is necessary for compliance with a legal obligation.
  • When processing is necessary in order to protect the vital interests of the data subject.
  • Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed.
  • When processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.

Separately, the data subject has the right to access the data processed about him or her and, where that data is incomplete or inaccurate or is not being processed in compliance with the data protection rules, to demand its rectification, erasure, or blocking (art. 12).

This focus on the fundamental rights of the individual rather than on commercial interests stands in stark contrast to the U.S. approach. There is no single U.S. equivalent: federal privacy law is sectoral and reactive, covering particular industries such as health care and financial services, and it tends to defer to the concerns of big industry. This was best demonstrated during the creation of the ‘Framework for Global Electronic Commerce’ in 1997, when Bill Clinton and his vice-president Al Gore recommended that ‘the private sector should lead’ and that ‘companies should implement self-regulation in reaction to internet technology’.

This small-government attitude is characteristic of the United States, and its laissez-faire stance on digital privacy follows from the way its constitution treats privacy. The U.S. Constitution contains no explicit right to privacy; the courts have inferred one, chiefly from the Fourth Amendment, and those protections constrain the government rather than private companies. Because that implicit right is seen as already guaranteed by a document of long standing, there has been little appetite for a new, comprehensive privacy statute.

Cultural differences

One reason the EU's approach to privacy law differs so radically from that of our American counterparts is history. Europe has no single constitution and tends to hold historical documents in less reverence. Another is that our history shapes our political philosophy. Under the Nazi regime during WWII, and under the Communist regimes of the Eastern bloc in the decades that followed, states actively used personal information about their citizens to serve their own ends.

One massive example of personal data used for malicious ends was the use of population registers and census records to identify and deport people to Nazi concentration camps. Even though few expect anything of that scale to recur, a certain stigma now attaches to the way large governments and institutions manage private and personal data.

Despite this, certain companies and individuals have started to call for the EU to loosen its grip on data protection and operate more like the U.S. A large group of service providers would much rather see a more lenient system that operates on an ad-hoc basis and is more responsive to changes in technology and the market.

While the privacy of users must be valued, legislation also needs to be able to move with the times and with technology. Where do you stand on the issue?