European Union charts a new course for data privacy

United Kingdom makes plans for identity registry and national ID card

Eurobarometer survey

From Japan to the 25-nation European Union, governments are struggling to protect personal data while also re-examining privacy in the wake of the Sept. 11, 2001, terrorist attacks.

"No one wants to be perceived as harboring terrorists," said Mary Kirwan, an international security and privacy expert based in Toronto. "You have very strong data-protection laws in the European Union but far more draconian laws for wiretapping and interception."

In Britain, Prime Minister Tony Blair has unveiled plans for the nation's first national identification card since World War II. It will contain biometric data to combat fraud and protect personal privacy.

The British government also wants to create a national identity registry that would contain biometric information. The registry would track foreign visitors, much like the Homeland Security Department's U.S. Visitor and Immigrant Status Indicator Technology program.

Italy and the Netherlands have progressive privacy laws, but few protections exist in EU law on the use of wiretap evidence. In Canada and the United States, wiretap evidence is tightly controlled.

Canadian officials often look to the United States or the EU for leadership on data privacy, said Rosaleen Citron, chief executive officer of WhiteHat, an information security company based in Canada.

"Our banks work worldwide," Citron said. "A lot of our corporations are international. If we don't work with the strongest laws, then we're going to fail somewhere and lose business."

Canada has many privacy laws, including protection of medical records and business data. But in past years, the public has witnessed some serious data privacy breaches. "I don't think it matters whether we're north or south of the border," Citron said. "We're concerned about the threats out there. We're concerned about our privacy."

Swedish officials are concerned, too. Sweden is taking an unusual approach to protecting citizens' data privacy rights, said Knut Rexed, director general of the Swedish Agency for Public Management.

The Church of Sweden assigns a unique personal identification number to every Swedish citizen at birth. Personal addresses are updated in a registry, but the personal ID number is never used on any public document, such a driver's license.

Instead, people receive separate IDs from each agency. As the Swedish government begins to offer more services online, officials have advised against using single sign-on authentication. They want people instead to use different passwords for different e-government functions.

"It makes it possible for every agency to have control over how the information is being used, when and how and why we are handing out a person's information," Rexed said.

But it is the EU that is defining cross-frontier flows of personal data and data protection among its member states. Within the EU, data-protection policies have been standardized. EU officials have also met with officials of non-EU countries to ensure that they protect personal data during information exchanges.

The principles of data protection should apply to any personal information, according to the EU's published privacy regulations.

Tougher privacy laws make it harder for U.S. corporations to do business with the EU, said Lisa Sotto, a privacy expert at the New York law firm Hunton and Williams. In Europe, it doesn't matter whether it's financial, health care or employee data, Sotto said. "It's one standard rather than a patchwork quilt," she said. "It's a very onerous standard that seriously affects the manner in which the company does business."

The tighter controls include restrictions on companies that, for example, exchange data when an employee from an EU country changes jobs.

"Those kinds of privacy regulations have elevated the custody of personal ID numbers to a level of sanctity within the EU," said Michael Aisenberg, director of government relations at VeriSign and chairman of the Internet Security Alliance's Policy Committee. The alliance is a public interest group that promotes privacy and security standards.

The struggle over privacy rights should abate as countries better handle data privacy problems, he said. "We're seeing a sea change ... of policies regarding the Internet and, hopefully, a new model for custodial obligations that will be more or less global within the next five years."

The European Union's directive on privacy

The European Union does not pass laws; instead, it provides a common framework on privacy policies for its 25 member countries. Here are highlights of those policies:

  • Data-protection laws are enforced by authorities within each country, not by the EU.
  • Privacy is considered a fundamental human right, so people have the right to control the use and disclosure of information about themselves.
  • Formal actions against companies that misuse data might include fines and public reprimands.
  • New uses of information require the consent of people whose data was collected for other purposes.
  • Personal data can be transferred to other countries only if those countries offer adequate privacy protections.
  • Some EU countries have adopted laws requiring telephone operators and Internet service providers to retain data for at least 12 months to aid terrorist or other law enforcement investigations. Others forbid the retention of data beyond a limited time.
  • The principles of data protection should apply to any information concerning an identified or identifiable person.
  • The EU directive is not intended to change existing procedures and practices that member states have lawfully implemented for national security, law and order, or prevention, detection, investigation and prosecution of criminal offenses.
  • Data-protection laws apply to the collection, use and disclosure of information, regardless of the technology used to collect it.
  • The policies cover all types of information, including consumer, insurance, health, employment and financial data.

— Judi Hasson

Privacy around the world

What countries are doing about privacy:

Canada — Laws protect business and medical records.

Sweden — Church of Sweden issues a personal identification number to every citizen, but it is not used for legal purposes.

United Kingdom — Officials plan to distribute identification cards with biometric components.

The Netherlands — Law enforcement can obtain information without a warrant.

Japan — Law enforcement must notify a person when electronic information is stolen.

Data privacy highly valued among European Union members

The European Union responded via e-mail to questions about data privacy from Judi Hasson, Federal Computer Week's editor at large. Here are those responses.

Q: Are concerns about privacy issues as great in the EU as they are in the United States?

A: Privacy is important in Europe, and this is not new. It is a fundamental right recognized in the European Convention on Human Rights and, more recently, in the EU's Charter of Fundamental Rights, which is in the EU Constitution. Privacy also contributes to consumer confidence, which is essential for e-commerce growth. The proliferation of PCs, networked organizations and the Internet raise concerns about privacy. The growth of e-business and e-government increase the need to protect the vast amounts of personal information that are routinely collected by Web sites, used by the collecting party and shared with third parties. At the same time, privacy-enhancing technologies can be developed to further privacy.

It may be useful to point out the results of two Eurobarometer surveys on data-protection awareness in the European Union carried out in autumn 2003. Those surveys tell us that significant numbers of citizens are concerned, to a greater or lesser degree, about the broad issue of protecting their personal privacy.

Q: Do cultural differences between the United States and the EU affect how data privacy is perceived?

A: In Europe we have strong data-protection legislation embedded in EU data-protection directives and in corresponding national legislation. That has led to higher standards of privacy protection and, hence, a more relaxed approach to the issue. One thing is certain: People want to interact securely and safely via the Internet, for example, while maintaining control of their personal data. Surveys have shown, however, that many Europeans feel their privacy is at risk from identity theft. Many are unaware of their rights and how to protect themselves. Others are concerned about the erosion of individual rights.

Q: Are the EU member nations increasing their spending on software to protect personal data?

A: Consumers' and citizens' identities on the Internet are nowadays fragmented across various identity providers. Consumers and citizens create identities and exchange information with organizations such as Web shops, employers, e-government sites and Internet portals. Service providers and their customers may not be realizing the full potential of e-business and e-government applications because of this fragmentation. Consumers register and create new identities for each new application. The user experience could be more positive and the identity management costs for service providers could be much lower than they are today.

Compliance with privacy regulations is a strong driver for enterprises to build privacy features into information systems. Companies are introducing identity management and developing other privacy-enhancing technologies, offering a way for individuals to control the nature and amount of their personal information that is disclosed. Identity management is usually part of an end-to-end security solution that addresses the need for secure authentication, access control and user management.

The European Commission, the EU's executive arm, has been promoting the use and development of privacy-enhancing technologies for compliance with data-protection legislation and to avoid unnecessary processing of personal data. At the same time, commission members are aware of obstacles to developing such technologies, such as insufficient incentives for companies to develop them and a lack of consumer awareness.

Q: How have privacy concerns changed since the Sept. 11, 2001, terrorist attacks?

A: The long-term impact of Sept. 11 on data privacy is difficult to measure. Some evidence, however, shows that the balance has shifted somewhat toward security, at least regarding public authorities' right to know about the private lives of individuals. Commission members are reflecting intensively about how to take account of this new situation, and EU member states have proposed creating EU-wide data-retention rules. The commission intends to work out rules that would maintain a good balance between the new security needs and the privacy of our citizens and that would take into account the economic impact of such rules on the telecom industry.

Q: Are Europeans debating privacy rights vs. the government's right to know?

A: Privacy is not an absolute right. The challenge is finding a proportional balance. The biggest challenge in the privacy debate is the increasing capability of new technologies to "survey" individuals, to encrypt communications, to break encryption, to disguise identity. Virtual identities are being created for security, profit, convenience and fun but also for criminal purposes. More formal forms of identification such as national ID cards are becoming more high-tech as biometrics are incorporated. People are no longer represented by simple numbers or ID keys but by complete personal datasets.

At the same time, EU member states manage identities in different ways. In Germany, for instance, every adult must carry an ID card. The United Kingdom has not issued state ID cards. But in light of current needs for tighter global security, identification systems must be interoperable.

Against this background, we are funding research projects such as the Future of Identity in the Information Society and Privacy and Identity Management for Europe. Their purpose is to develop a deeper understanding of how appropriate identification and ID management can create a fairer European information society.

Since December 2004, Europe has a council regulation on common security standards and biometrics in passports and other travel documents issued by European community member states. The regulation sets out common security standards for passports and requires two biometric identifiers. An EU committee charged with establishing technical specifications chose a radio frequency identification chip for storing the biometric identifiers. Technical specifications related to storing facial images were adopted in February. A further set of specifications related to extended access control for fingerprint images will be adopted later.

Q: Does the EU's legal infrastructure offer special privacy exemptions for law enforcement?

A: Exceptions to privacy exist if those exemptions are organized in accordance with the law, are necessary in a democratic society and respect legitimate interests of the European Convention on Human Rights. Those conditions imply a proportionality test.

Q: Is identity theft a major problem in EU countries?

A: ID theft seems to be gaining in importance, although reliable figures are scarce. It is becoming the target for organized crime on an international scale.

Who's Fed 100-worthy?

Nominations are now open for the 2015 Federal 100 awards. Get the details and submit your picks!

Featured

Reader comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above