By Hayes, Benjamin S.
Security Management, Vol. 46, No. 6
DOZENS OF LAWS, regulations, and self-regulatory programs govern privacy around the world. Further complicating a company's efforts to protect confidential client information are the nuances of privacy. Even when a practice that involves the sharing of some personal customer information is legal, a company may be penalized if that practice offends the sensibilities of mainstream citizens. The obvious example is that of the Internet advertising giant DoubleClick, which suffered a 40-point collapse in its stock price following its announcement that it intended, despite earlier promises to the contrary, to merge nonpersonally identifiable behavioral information that it had collected through the use of special online software called cookies with personally identifiable information obtained through its purchase of a massive offline marketing database. Several ultimately unsuccessful but costly lawsuits were filed against the company, and investigations were initiated by the U.S. Federal Trade Commission (FTC) and several state attorneys general. To stop this avalanche of repercussions, DoubleClick shelved its plan. Although the FTC later exonerated DoubleClick of any wrongdoing, the damage to the company's image had already been done.
To help ensure that a company will meet its privacy obligations, security professionals or designated privacy officers first need to know what the laws require. They then need to be able to convey to senior management some sense of the risks of noncompliance.
To understand privacy laws, it is important to realize that international laws have relatively little to do with privacy in the personal sense of being the right to be left alone. Instead, privacy laws, which are also called data protection laws, create property-like rights for personal information.
Privacy laws tend to assume, without ever stating it, that individuals in some sense own their personal information. The privacy notice given by companies to individuals at the time their personal information is collected serves as a sort of contract between the company and the individual governing the use of that personal information. Any choices exercised by the individual with respect to the use of the information are terms of this contract that must be honored by the company.
Privacy law can be viewed, then, as a species of intellectual property law. Recognizing that fact is crucial because companies are quite used to managing and defending property generally, and intellectual property specifically. They are accustomed to making sure that property is properly acquired and used, maximizing the economic potential of property, and managing the risks associated with its use.
Similarly, personal information is often in electronic form, and managing it can, therefore, be viewed as another form of the digital rights management with which intellectual property lawyers are familiar. Only by treating personal information assets the same way they treat other intellectual property assets will companies be able to effectively manage the risks presented by the privacy issue.
Models. Laws governing the way businesses must treat personal information are already in effect in the European Union, Eastern Europe, Canada, and elsewhere. In just the last year, Argentina, France, Germany, Japan, the Netherlands, and Paraguay have passed new laws regarding the protection of personal information. New laws are being considered in the Bahamas, India, and Malaysia.
The trend in much of this new legislation is to shadow the restrictive terms of the European Union Data Protection Directive. It is also important to note that, as in the case of Argentina, these laws often become effective soon after passage, catching unwary companies off guard.
The legal regulation of the collection and use of personal information is developing across two different general models: the omnibus model and the sectoral model. …