Security Experts:

Privacy: Why Europeans Think You're Inadequate

Adequate versus inadequate. The juxtaposed words bring much to mind, but this column is focused on privacy. In my previous column, I reviewed the hurdles to passing a national data breach notice standard. This week I will answer the question, “Why do Europeans consider Americans inadequate when it comes to privacy?” I’m not putting words in their mouths. The European Union (EU) uses the term “inadequate” to refer to countries that do not have sufficient privacy controls to ensure the protection and privacy of their citizens’ personal and sensitive information.

In 2000, the European Parliament took a vote and declared that U.S. data privacy protections do not meet the adequate level of protection required by European legislation. Apart from the personal indignation you may feel, when Europe considers you inadequate, as a business, you can't move personal info on Europeans over to the US without jumping through a number of safe harbor hoops. In practice, not all US companies abide by this decision. Just about every US company with employees in the EU is violating this rule when they ship EU employee info back to the US. Folks respect this ruling to the same extent they do blue laws prohibiting mowing your lawn on Sundays.

The reality is also that this is not a new issue. Nothing has changed on the inadequacy front since 2000. If anything, the EU thinks we’re getting worse, especially with the privacy equivalent of "clear cutting" courtesy of US companies like Google and Facebook. But why the divide? Why do Europeans care and Americans, to a large extent, not care? To answer that question, we will look at a few different things. First, what does privacy mean to folks in the US versus the EU? Second, how has history played a role in defining privacy in the US and EU? And third, what financial incentives does the EU have in declaring the US inadequate?

What does privacy mean to folks in the US and the EU? In the EU, privacy is considered a fundamental right of the individual. That’s a very strong starting point. The US doesn’t go that far. We have protections from illegal search and seizure, but those aren’t focused on personal information. The writers of the Constitution included many rights, but personal privacy was not one of them. On a more granular level, US and EU laws differ widely in how they define personal information. In the US, personal information is financial and medical information. Many state privacy laws grew out of laws to prevent identity theft, so their focus is on social security numbers, bank account numbers and PINs. HIPAA is focused on medical information. The EU definition of privacy covers those forms of information, as well as a lot more.

The EU also protects what is known as “sensitive information.” Sensitive information includes racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health or sex life. And while the US generally defines personal information almost mathematically as Name + SSN/Bank or Health Info = Personal Information, the EU is much broader with its circular definition of personal information as "any information relating to an identified or identifiable natural person."

Privacy in the US focuses from a legislative standpoint on preventing the theft of one’s identity, resulting in a negative financial impact. Privacy in the EU is far broader, not limited to financial concerns, and regulated by data protection authorities at the EU and country level.

So how has history played a role in defining privacy in the US and EU? When discussing the US/EU divide with a colleague from France, he asked me, “How many times has your country been occupied by a foreign power? Have you had your government and its agents spying on your own people and incentives for citizens to incriminate other citizens?” I got the message. The World Wars of the 20th century still echo in the levels of privacy demanded by citizens of the EU following years of having none. US citizens have been more fortunate with a fairly functional and stable democratic government trusted by its citizens.

Having seen how privacy laws differ in the US and the EU, and how history shaped that difference, can there be any other reason to declare the US inadequate? Well, as they said in the movie All the President’s Men, “follow the money.” Cloud computing is the new frontier, and the US is winning big. EU companies putting big data on US servers has a privacy as well as a financial impact on the EU. Tariffs and trade protection won’t bolster good tidings between the US and EU. Perhaps privacy allows the same conduct but with a highbrow delivery.

The US isn’t likely to become adequate any time soon. Our economy is not designed to run on that level of protection, what with personal information fueling high flyers on the US stock markets and legions of start-ups right behind them. Europeans can’t help but see the US’s lead in social networking and mass storage widening. At the same time, Europeans bring a different historical perspective to the privacy discussion. So in the end, Europeans have two powerful drivers for viewing the US as inadequate: history and money.

Gant Redmon, Esq., is General Counsel & Vice President of Business Development at Co3 Systems. Gant has practiced law for nineteen years, fifteen of those years as in-house counsel for security software companies. Prior to Co3, Gant was General Counsel of Arbor Networks. In 1997, he was appointed to President Clinton’s Export Council Subcommittee on Encryption. He holds a Juris Doctorate degree from Wake Forest University School of Law and a BA from the University of Virginia, and is admitted to practice law in Virginia and Massachusetts. Gant also holds the CIPP/US certification.