European Union charts a new course for data privacy
United Kingdom makes plans for identity registry and national ID card
By Judi Hasson
Jun 27, 2005
From Japan to the 25-nation European Union, governments are struggling to protect personal data while also re-examining privacy in the wake of the Sept. 11, 2001, terrorist attacks.
"No one wants to be perceived as harboring terrorists," said Mary Kirwan, an international security and privacy expert based in Toronto. "You have very strong data-protection laws in the European Union but far more draconian laws for wiretapping and interception."
In Britain, Prime Minister Tony Blair has unveiled plans for the nation's first national identification card since World War II. It will contain biometric data to combat fraud and protect personal privacy.
The British government also wants to create a national identity registry that would contain biometric information. The registry would track foreign visitors, much like the Homeland Security Department's U.S. Visitor and Immigrant Status Indicator Technology program.
Italy and the Netherlands have progressive privacy laws, but few protections exist in EU law on the use of wiretap evidence. In Canada and the United States, wiretap evidence is tightly controlled.
Canadian officials often look to the United States or the EU for leadership on data privacy, said Rosaleen Citron, chief executive officer of WhiteHat, an information security company based in Canada.
"Our banks work worldwide," Citron said. "A lot of our corporations are international. If we don't work with the strongest laws, then we're going to fail somewhere and lose business."
Canada has many privacy laws, including protection of medical records and business data. But in past years, the public has witnessed some serious data privacy breaches. "I don't think it matters whether we're north or south of the border," Citron said. "We're concerned about the threats out there. We're concerned about our privacy."
Swedish officials are concerned, too. Sweden is taking an unusual approach to protecting citizens' data privacy rights, said Knut Rexed, director general of the Swedish Agency for Public Management.
The Church of Sweden assigns a unique personal identification number to every Swedish citizen at birth. Personal addresses are updated in a registry, but the personal ID number is never used on any public document, such as a driver's license.
Instead, people receive separate IDs from each agency. As the Swedish government begins to offer more services online, officials have advised against using single sign-on authentication. They want people instead to use different passwords for different e-government functions.
"It makes it possible for every agency to have control over how the information is being used, when and how and why we are handing out a person's information," Rexed said.
But it is the EU that is defining cross-frontier flows of personal data and data protection among its member states. Within the EU, data-protection policies have been standardized. EU officials have also met with officials of non-EU countries to ensure that they protect personal data during information exchanges.
The principles of data protection should apply to any personal information, according to the EU's published privacy regulations.
Tougher privacy laws make it harder for U.S. corporations to do business with the EU, said Lisa Sotto, a privacy expert at the New York law firm Hunton and Williams. In Europe, it doesn't matter whether it's financial, health care or employee data, Sotto said. "It's one standard rather than a patchwork quilt," she said. "It's a very onerous standard that seriously affects the manner in which the company does business."
The tighter controls include restrictions on companies that, for example, exchange data when an employee from an EU country changes jobs.
"Those kinds of privacy regulations have elevated the custody of personal ID numbers to a level of sanctity within the EU," said Michael Aisenberg, director of government relations at VeriSign and chairman of the Internet Security Alliance's Policy Committee. The alliance is a public interest group that promotes privacy and security standards.
The struggle over privacy rights should abate as countries better handle data privacy problems, he said. "We're seeing a sea change ... of policies regarding the Internet and, hopefully, a new model for custodial obligations that will be more or less global within the next five years."