Here the Bill calls for user privacy options that are simple, prominent and offer fine-grained control of personal data use and disclosure. But services that do not collect information that is reasonably linkable to individuals will be free to offer more limited privacy options.
Despite its name, the US Bill does not have the force of law, says Feiler. Rather, it is a form of self-regulation specific to the online sector only.
“Companies will be free to declare compliance with [the Bill] and only if they do will the FTC be able to sanction violations as a deceptive business practice under FTC Act Section 5,” he says. “[The Bill] is only a set of vague principles that still have to be implemented by codes of conduct … specific to particular types of companies.”
Today America, tomorrow the world
Are we now entering a time when global laws will finally catch up with global data traffic? The proposed EU and US data protection policies certainly have global elements to them, says Watson.
Economic reasons – as well as looking after the interests of citizens – are driving the move, says Conor Ward, partner at Hogan Lovells and chair of the recently formed Cloud Industry Legal Forum.
“Inadequate protection will affect [a country’s] ability to trade internationally as it becomes difficult for firms to transfer data through that country,” he adds.
Ward points out that the UK’s 1984 Data Protection Act was passed in response to a lost business opportunity: a contract to print credit cards fell through because customer data could not be sent to the UK, where it would not have been protected.
Some Asian countries have had data protection and privacy laws for some time: Hong Kong (1996), India (2000), Japan (1995), Australia (1988) and New Zealand (1993).
“Some of these offer more protection than in Europe,” says Ward. “For example, the Australia Act applies to data collected anywhere relating to Australian citizens.”
There has been a flurry of activity across Asia in the last year or so, with laws either updated or, in countries which do not have such laws, proposed for the first time. Again, some of these changes go further than the European equivalents.
Feiler is less ebullient about global co-operation. “The US is continuing its path of sector-specific self-regulation, which has produced questionable results in the past and fundamentally differs from the approach in the EU,” he told Computing.
His book, Information Security Law in the EU and the US, published last year, takes a risk-based approach to analysing cyber security regulation on the two continents and makes recommendations for how regulation could be tightened to improve security.
“In light of these fundamental differences of what it means to ‘regulate’ privacy, it seems unlikely that a common global standard will emerge anytime soon,” he says. “However, as a generation of digital natives is growing up, data privacy is becoming a top political priority worldwide.”
The CIO of a global business will benefit from increasing consolidation of data protection laws in Europe, but will still face varying levels of regulation across the globe.
“Planning ahead for fluid movement of data within global organisations means taking a more holistic approach to data laws,” says Bange.