Cool. The European Privacy Counsel at Google, Peter Fleischer, has a blog. And it is a good one. I found the post on three ideas to update data protection especially interesting, as yours truly’s slowest PhD ever is looking at the failings of Data Protection Law, SOX and software.
However, several principles of EU privacy law are out of date and need to be adapted to the global information economy. Foremost among these are the restrictions on transfer of personal data outside the EU. In past years, such transfer meant packing a computer tape or paper files into a box and shipping them to a far away location. However, nowadays almost any activity on the internet involves a transfer of data outside of the EU, so that strict application of these laws would cause the Internet to shut down.
The FSA is clearly taking coaching lessons from the SEC, dishing out harsh fines for accidents and mistakes. The latest miscreant, Nationwide Building Society, got slapped with a £980,000 penalty after a laptop which contained sensitive customer data was stolen. The fine would have been £1.4 million, but they were given a 30% early settlement discount.
Dennis picks up on the audit failure angle in the case, and James and I both have an interest in Data Protection law and its lack of teeth.
I recently wrote that from a shareholder value perspective it makes very little sense for companies trading primarily in the UK to invest significantly in more effective data protection controls because of a lack of penalties for not doing so. While it seems the Information Commissioner has done some useful lobbying work in this space lately, he has just been made to look rather ineffectual by the Financial Services Authority.
The size of the fine is impressive, masses bigger than anything the DP authorities have ever levied.
Returning to DP law, the lost laptop clearly falls foul of the 7th Principle of the Data Protection Act 1998:
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
I’m not aware of any DP prosecutions for lost laptops. (If you know of any, please drop me a note. By the way, if you follow UK technology law, then Nakedlaw is a must read.)
I’m all for a stricter implementation of privacy law. Why have a law if you can’t or won’t enforce it? If it had been a company outside of the financial services sector, and therefore outside FSA regulation, then who would have fined them? I suspect that the FSA’s budget dwarfs that of the Information Commissioner.
Another James commented on James’ post, and linked to Ben Adida’s presentation. It is well worth a watch: a short, sharp introduction to why privacy matters. Ben’s site is here, and his blog here. He is now in my feed.
The other day James wrote about the Sun Privacy Team, another worthwhile read. Gosh, so much to read….
My prediction (warning: I’m not great at predictions):
In about 10 years time, Privacy will be the new Green.