Coming to America: The EU privacy directive
The House and Senate get to the party at last.
June 14, 2007 (Computerworld) — The Senate is finally getting around to pushing a national data breach law out of the Committee on Commerce, Science and Transportation (thanks, TJX! ). This represents a major change in how the federal government views the privacy of personal information, shifting away from a mix of self-regulation, state laws and industry-specific requirements (HIPAA, GLBA) toward a comprehensive national policy. The road to this point has been long, but it’s worth examining to understand what’s ahead.
The EU Privacy Directive
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995, on the protection of individuals with regard to the processing of personal data and on the free movement of such data (aka the EU privacy directive), was implemented to standardize the requirements for the protection of personal information across all the countries that make up the EU. The directive defines personal data in an extremely vague manner:
Any information relating to an identified or identifiable natural person (’data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity; [...]
