The ability to store and share data nationally and globally over the internet creates massive opportunities but also substantial threats. Data protection, once the concern of a small group of professionals, has become a major focus of politicians, company directors, the public sector and private individuals.
Data and the databases in which information is stored lie at the centre of business and government. From banking to the health service, from the lowliest marketing database to the national databases of the state, data drives services and industries.
Recent high profile data breaches in the UK, with HM Revenue & Customs losing personal data on 25 million individuals in December 2007, and in the US, where 45.7 million customers of the TJX Companies had their account information stolen by hackers, has pushed data protection concerns up the corporate and political agenda.
In the US, the new job title of Chief Privacy Officer is appearing in both corporate and state organisations. In the UK, a new breed of data protection manager is finding responsibility thrust upon them to ensure that their organisation does not appear in tabloid headlines for the latest embarrassing data breach.
Regulators are gaining confidence that the public shares their concern about the use of personal data. The UK Information Commissioner is arguing for both greater powers and tougher penalties for misuse of data, while in the US, 39 states have now passed data breach legislation.
Social networking and the e-STOP Act
Social networking sites have been the latest organisations to feel the pressure to comply with privacy obligations. In January 2008 the UK Information Commissioner’s Office (ICO) announced that it was in talks with Facebook over the retention of user data once people have deleted their account.
In the US, New York State Attorney General Andrew Cuomo announced in January 2008 the introduction of a bill to protect social networking users from sexual predators. The Electronic Security and Targeting of Online Predators (e-STOP) Act is designed to “restrict certain sex offenders’ use of the Internet and updates Megan’s Law for the Internet age”, according to a press release from the Attorney General’s Office. It:
- requires sex offenders to register all of their internet accounts and identifiers (email addresses and designations used for chat, instant messaging, social networking or other similar internet communication) with the State Division of Criminal Justice Services;
- authorises the State Division to release state sex offender internet identifiers to social networking sites that may be used to stop sex offenders from using sites’ services;
- requires mandatory restrictions on an offender’s access to the internet, as a condition of probation or parole, where the offender’s victim was a minor, where the internet was used to commit the offence or the offender was designated a level 3 (highest level) offender.
Google is at the forefront of the debate about the balance to be struck between protection of personal privacy and the provision of commercial services. In a January 2008 hearing of the European Parliament’s Civil Liberties Committee on monitoring of internet users activity for marketing purposes, Peter Fleischer, Global Privacy Counsel for Google said, “We have to know who is consulting what – otherwise our business would not work”. He emphasised that internet services are normally supplied for free and that their growth is “partly due to advertising”.
The need for global standards (or at least, global information)
For many companies, the challenge of compliance is not confined to observing the requirements of a single regulator. There have been a number of moves to create a global structure for data protection, starting with the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data in 1980, but the achievement of a global approach is still a work with much progress yet to be made. Even within the EU where there has been a Data Protection Directive in place since 1995, the implementation of that data protection legislation in the individual jurisdictions has resulted in significant differences in practical compliance requirements.
Google, with its global operations and reach has been one of the companies campaigning for the establishment of international privacy standards. In the October 2007 issue of Data Protection Law & Policy, Fleischer wrote, “we have a fragmentation of competing local regimes, at the same time as we have the massively increased ability for data to travel globally. Data on the internet flows around the globe at nearly the speed of light. To be effective, privacy laws need to go global. It is absolutely imperative that these standards are aligned to today’s commercial realities and political needs, but they must also reflect technological realities.”
The evolution of international privacy standards is, however, a slow process. Organisations today have no choice but to comply with the range of regulations in every jurisdiction within which they operate. For many data privacy managers this is where their nightmare starts; establishing whether the privacy rules for email marketing are the same in Germany, France, the Czech Republic and Italy can be challenging; seeing if the procedures for the transfer of employee data from Lithuania, Latvia, Estonia and Sweden to outside the EU are the same can prove even more time consuming and expensive.
Much of the regulatory material in these countries is unavailable in English and even when available, the attitude of the regulator, rather than simply what is on paper, can be the most significant factor in compliance. Faced with this challenge, data protection professionals have struggled to devise programmes that will work across many jurisdictions.
Several law firms and larger in house legal departments have attempted to create their own international data protection databases but all have either given up, daunted by the scale and costs involved, or have scaled down to providing links to regulators or repurposing research done for clients.
As Managing Editor of Data Protection Law & Policy at Cecile Park Publishing, I was frequently asked if I knew of a single source for data privacy information. Tired of saying no, I set out to create a global data protection and privacy compliance platform.
In January 2007, we convened a focus group, including a representative of the UK Information Commissioner’s Office, a number of specialist data protection lawyers, data protection managers and accountants. The group, although concerned at both the scale of the work to be completed and the need to find an effective retrieval method, were enthusiastic about the creation of a global data protection and privacy compliance platform.
Twelve months later with the launch of DataGuidance Europe, the first stage of the global project has been completed. DataGuidance Europe brings together all the legal and regulatory information from all relevant data protection and privacy sources in the European Union and the European Economic Area. DataGuidance Europe also provides expert Guidance Notes on data protection and privacy compliance, written by experts in each jurisdiction.
The sources and Guidance Notes are accessed and retrieved using Guided Navigation powered by vertical search software, from US head-quartered Endeca.
Reaction has been positive. Eduardo Ustaran, data protection specialist and Partner at Field Fisher Waterhouse said, “this is a magnificent and much needed service. It is an exciting development for the data protection world”. Shirley Lofthouse, Head of Information at Travers Smith, said, “I think the database is genuinely original and shows a real leap in thinking about the way such databases should work”.
Privacy regulators and privacy professionals have had their work cut out in the last few years trying to keep pace with the high-speed growth in the use of data. Perhaps using some of the latest technological developments to ease that burden is fitting.
Lindsey Greig is Managing Editor of DataGuidance published by Cecile Park Publishing Ltd whose publications include Data Protection Law & Policy, E-commerce Law & Policy, E-finance & Payments Law & Policy, World Sports Law Report, World Online Gambling Law Report and E-commerce Law Reports.