Over the last 20 years, international concern about citizen data privacy on the Internet has grown into a patchwork of national and regional legislation. In addition to the U.S., at both the federal level and in the 50 states, there are laws in the European Union, Israel, Argentina, Canada, Australia and various other countries. Each country follows a different approach. The U.S., the European Union and Israel provide good examples of how these national approaches vary.
The U.S. does not have a single consumer data protection law. Instead, there is a patchwork of industry-specific state and federal privacy laws and court decisions. For example, at the federal level, these laws include the Electronic Funds Transfer Act for money transfers, the Fair Credit Reporting Act for credit information and the Health Insurance Portability and Accountability Act for medical information. At the state level, there are Oklahoma Bill 1989 on student information and Vermont Law 69 on digital tracking of license plate information. Several states now require data service providers to notify the user of unauthorized access. New Jersey, Connecticut, Puerto Rico and several others mandate a risk-harm analysis. Based on legislation alone, a U.S. company needs to consider what industry it is in, where it is incorporated and in what state the affected consumer, customer or client resides to adequately assess its potential obligations and liabilities.
The EU has taken a far more consolidated and developed approach to citizen data privacy. The principal law on the topic is Directive 95/46/EC of the European Parliament and of the Council on Oct. 24, 1995, “on the protection of individuals with regard to the processing of personal data and on the free movement of such data.” The directive sets forth guidelines for all 27 countries of the EU, each of which must set up a national authority to enforce domestic protection.
Under the directive, a citizen’s online data may be processed only with the citizen’s consent, when the processing is necessary to enter into a contract, when it is necessary for compliance with a legal obligation such as a credit check, when the processing is necessary to protect the citizen (for instance, in a hacking investigation) or when it is conducted by law enforcement in the public interest. The citizen has the right to demand the rectification, deletion or blocking of data that is incomplete, inaccurate or not being processed in compliance with the data protection rules.
A great deal of legislative effort in the EU has gone into strengthening these safeguards in the last few years.
A problem that has arisen between the EU and the U.S. on data protection stems from the obligation under the directive that data not be disclosed to third parties without the citizen’s consent and without the breach being disclosed to the user.
Early application of the USA Patriot Act to allow anonymous access to data was curbed in the 2008 decisions of Doe v. Ashcroft and Doe v. Holder. Nonetheless, recent news reports about widespread information disclosures to law enforcement by U.S. companies fuel these concerns. Likewise, court decisions such as Securities and Exchange Commission v. Straub (S.D.N.Y., Feb. 8, 2013), in which the court held that the SEC could access data belonging to foreign companies that was stored on cloud servers in the U.S., call into question the ability to reconcile U.S. and European interests.
In an attempt to protect its citizens’ online businesses abroad, the EU issues notices on the adequacy of protection and regulation in foreign countries. These notices implicitly create enforcement and liability obligations for EU companies doing business abroad. One country that has been approved by the EU is Israel.
Protection In Israel
The key pieces of Israeli law governing data privacy are paragraph 7 of the Law on Human Dignity and Liberty and the Protection of Privacy Act of 1981. Based on these laws, in 2006 Israel created ILITA, the Data Protection Commission.
Under ILITA regulation, databases containing information on more than 10,000 people, databases containing sensitive information and databases used in the public sector must be registered. Sensitive information, which includes private financial, relationship and medical data, is interpreted broadly enough to cover most businesses.
ILITA is allowed to impose fines of more than $70,000 for breaches of security that expose citizen data. Recent efforts by the Ministry of Justice to narrow these obligations, in particular the registration requirement, have so far been unsuccessful.
A detailed review of all of the obligations created by these laws is far beyond the scope of this article. However, it behooves any corporation conducting business internationally on the Internet to learn the obligations in each country. A careless or unplanned Internet presence could cost a company hefty fines as well as the immeasurable value of its clients’ goodwill.