Those that are familiar with this blog may have heard it said more than once that the United States lags far behind Europe with respect to the protection of consumer information.  The European Union, in fact, has been operating under the penumbra of the European Directive on Data Protection for 15 years.  The EU actually recognizes the protection of personal data as a fundamental human right.   That is a far cry from the legislative activities surrounding data privacy in the United States.  The US has traditionally take piecemeal approach to data protection, often leaving the regulation of data privacy and security to the states, and in some cases to individual industries.  Given the political culture of the United States, such an approach is not terribly surprising.  However, the rapid advancement of technologies has perhaps been enough to spur the federal legislature into evaluating the lessons of the EU directive to see if, or how, similar regulation might work in the US.

On Friday, Sept 16th, the House Energy & Commerce Committee’s Commerce Subcommittee will be holding hearings on the issue of privacy, and specifically the impact of the EU regulations.  In Rep. Bono-Mack’s published opening comments, she states “The purpose of the Directive is to harmonize differing national legislation on data privacy  protections within the European Union, while preventing the flow of personal information to  countries that – in the opinion of EU regulators – lack sufficient privacy protections.”  She goes on to discuss the large number of unintended consequences of the regulatory regime.  To be fair, unintended consequences are almost always found the in wake of new legislation, particularly such sweeping legislation as the EU Directive on Data Protection.  It should be noted, though, that with 15 years of implementation history and lessons, the US should be able to draw sufficient parallels without also reaping the same number of “unintended consequences.”

In looking at the purpose of the directive one can immediately see the attraction of such a regime in the US.  As stated by Rep. Bono-Mack, the purpose is to “harmonize differing … legislation on data privacy…”  In looking at the domestic regulatory landscape surrounding data privacy and protection, it is difficult to conclude that some “harmonizing” would not benefit both businesses and consumers.  As of this writing, more than 45 states have data breach notification laws.  While there are some major commonalitites to these laws, there are also significant variations.  There are differing definitions of “personally identifiable information,” “breach,”  “trigger,” and other critical terms.  Some states include data security protections in those laws, while others have separate laws for data security, and still others have no laws regarding data protection and security.  The situation becomes even more confusing when one considers the federal legislation impacting privacy and security (FERPA, HIPAA/HITEC, GLBA, SOX, etc) and industry self-regulating programs.

While there are some concerns that tomorrow’s hearing is too slanted towards industry, ignoring or downplaying the concerns of consumers, I believe that it is a positive step. Bill McGevern, professor of law at University of Minnesota does bring up an interesting point, though.  That is the different conceptions of data privacy between the US and Europe.  According to McGevern, Europeans think of privacy as a fundamental human right, while Americans (and particularly American businesses) conceive of privacy as a market force with which they have to deal.  That being said,  this author does believe that it is possible to create a European-style privacy directive that accounts for American sensibilities.

Dr. Heather Mark, PhD; SVP of Market Strategy