Cross-Border Data Flows and Increased Enforcement
by Peter McLaughlin
The term "privacy" is subject to many definitions and descriptions. According to Jim Harper of the Cato Institute, "Properly defined, privacy is the subjective condition people experience when they have the power to control information about themselves and when they exercise that power consistent with their interests and values." Regardless of whether we agree with Harper about the precise phrasing, the definition he posits reflects internationally accepted ideas that the collection, use, sharing, and protection of personal information should be subject to some degree of informed notice to and consent from the affected individual. (For more on this, see the "For further reading" sidebar.) The EU Data Protection Directive takes a somewhat different tack and defines personal data as data relating to an identified or identifiable individual, and then allocates a series of rights to the individual regarding the data, particularly regarding notice, consent, and other principles intended to grant an individual reasonable control over the data relating to him or her. (For more on the directive, see http://ec.europa.eu/justice_home/fsj/privacy/index_en.htm.)
Agreement in principle, however, doesn't mean agreement in detail. While companies, search engines, Web sites, and governments collect ever-increasing amounts of personal information, the world's national data protection agencies (DPAs) continue to implement relatively common principles in markedly different ways. (I use DPA as a generic reference to governmental regulators, such as the Information Commissioner's Office [UK], the Office of the Privacy Commissioner [Australia], or the Commission nationale de l'informatique et des libertés [CNIL] in France.) The problem that confronts all involved, from consumers to companies to regulators, is that although principles might be regional or even global, implementation—and thus enforcement—continues to be highly localized. And because the flow of personal information is increasingly global and DPAs wish to protect their citizens, enforcement at a local or national level will impact these data flows more significantly than in the past because of the complexity of complying with so many inconsistent rules. The concern for companies should be that compliance is only going to become more complex and difficult because there’s little genuine incentive for government authorities to work toward a consistent standard and enforcement will only increase.
Read more ...
Share this article
