IT departments in multinationals are collecting personally identifiable data on European citizens, sometimes in violation of E.U. privacy mandates. Mark Underwood compares U.S. and E.U. attitudes to PII and offers a checklist for network and database admins to follow for protection.
They know where you live. They know when you go to sleep. They know which coffee shops you visited. They know which hotels you stayed in, and for how long. With a little database cross-referencing, they can learn that you bought wine in a local restaurant while your spouse was traveling in another part of the country. They know where you're planning to travel next summer. They know everywhere you've lived for the past decade or more.
They know all this without tailing you, without setting foot in your house, and without speaking to you or your friends and family.
"They" is any private or public firm doing business with citizens of European Union countries. "They" is your IT department if your systems collect IP addresses or other personally identifiable information (PII) from E.U. citizens or exchange such data with E.U. systems.
For those of you needing a Cold War refresher, the Stasi, or Staatssicherheit in German, was the official state security service of East Germany. The Stasi has been compared to the Gestapo, but in some ways the comparison is not apt, because the Stasi was a kindler, gentler, more insidious apparatus of the State. The Stasi were sometimes no more intimidating than, say, the network administrator working on the third floor, or the shiny new database consultant.
Think this issue unimportant? Due to privacy concerns in the E.U., until recently the United States did not have access to 2010 bank transaction data from the SWIFT database, a Europe-based system. This data was regarded as essential to U.S. law enforcement attempts to identify such transactions as money laundering and transfers to terrorist organizations. In a recently agreed upon compromise, the E.U. placed one of their officials at the U.S. Department of Treasury on a permanent basis, and will house the data within the E.U. instead of shipping it out en masse to the U.S.
(Image at left is the badge suggested for U.S. Dept of Commerce Voluntary Privacy Framework.)
IP = "Invaded Privacy" address?
Network and database administrators may be unwitting perpetrators of such surveillance. All this became clear when Google first entered the E.U. market, and concern peaked again when Google Street View was rolled out to Europe. While case law in the U.S. has been ambiguous, with federal courts deciding that IP addresses are not PII, and others deciding that a grand jury subpoena is required before an ISP is required to disclose a subscriber's IP address. As can easily be seen from online ad targeting, i.e., "localized behavioral advertising," it requires little effort to obtain city name and more from IP addresses.Regardless of its current legal standing in the U.S., the public attitude that IP addresses were not PII shifted in 2006 when AOL released search logs from its members and New York Times reporters were able to identify and profile a single "anonymized" individual within days. Though many web site privacy policies say otherwise, when IIS or Apache collects IP addresses of users, PII data is being collected.
As DePaul's Joshua McIntyre writes in a piece arguing for treatment of IP addresses as PII, "what prevails today is an online world that lulls its inhabitants into a false sense of anonymity while secretly recording their every move for future discovery." In the U.S., privacy is viewed as a secondary concern in telecommunications policy. It's been often mentioned that "privacy" does not appear in the U.S. Constitution. Not so in Europe, with its dark history of secret police, citizen-spies, and totalitarian regimes that obtained information clandestinely and used it to chase down individuals for imprisonment or death. As shown in the table, the U.S. and Europe have taken different approaches.
Attitudes About Personally Identifiable Information
|European Union||United States|
|European Union Data Privacy Directive 95/46/EC sets high standards for the protection and movement of personally identifiable information between E.U. member countries and to outside Data protection is granted even after the consumer has passed on the data.||Focus on informed consent, with relatively few legal restrictions on the use of information provided voluntarily. What rules do exist are primarily state-by-state.|
|Firms are responsible for protecting PII data once it has been collected, and also for managing its transfer to others by monitoring compliance of recipients.||Once the data has been yielded to a company, the company is largely free to use it as it wishes, subject to local state regulations.|
|E-privacy rules introduce mandatory notifications for personal data breaches by providers of communications networks and services, "regardless of sector or type of the data concerned."||In the U.S., violations are rarely prosecuted. According to a Business Week analysis, only seven cases have been brought to court, and none were proven to be actual non-compliance. (As a cautionary tale, though, consider the case of Twitter's 2009 security breach.)|
|Medical records are no different from other E.U. citizen's personal information because a degree of data protection is already afforded.||Concern over medical records privacy may increase with the push to reduce health care costs through greater automation.|
|As shown in the case of Germany's export oversight, data to be transferred from Germany to the U.S. requires that the sender verify the recipient's Safe Harbor certification and adherence to notification principles, and be prepared to show auditors the results of such analysis of third parties.||Companies can self-certify through the voluntary Safe Harbor framework suggested by the Department of Commerce. Except for certain areas (e.g., airline passenger data), enforcement is primarily through the private sector.|
A checklist for U.S. multinational IT departments
This columnist is neither a lawyer nor a compliance specialist. Still, it is obvious to anyone working in IT that privacy considerations are often more lax here than in the E.U. and other countries. This could create risks for U.S. firms and nonprofits that have customers, contacts, and coworkers based in E.U. member states. Accordingly, this proposed checklist for proactive network and database administrators is just a starting point.
- Learn about the Department of Commerce Safe Harbor framework. Consideration of voluntary compliance might enhance awareness of the issue, even if that official route isn't ultimately selected. If you have a Compliance Officer, make an appointment to discuss the current state of affairs in your company. Get a feeling for the climate about PII in Europe; a 2009 RAND-Europe report covers the pros and cons of the E.U. Data Protection Directive.
- Treat IP addresses as PII. Educate other IT professionals about privacy considerations associated with IP addresses (as well as other network data such as connection details) to minimize unnecessary or inadvertent collection of PII.
- Update data protection policies to include web logs and other PII-containing repositories if they are not already included. Encrypt when not in use, and review data expunging policies. Consider at most a 6-month policy for IP address retention.
- Verify that cybersecurity best practices are in place to protect PII. This should include pragmatic considerations such as authentication unique to the type of data to be protected, logging of access to PII archives, and proactive aggregation.
- Review and update web site privacy policies.
- Be alert for emerging sources of PII, such as bar codes scanned, photos with location and timestamp data in the EXIF, electronic ID, security access logs, GPS, wireless communications . . . the list goes on.
- If you're already in over your head, look for expertise from specialty outfits like DataGuidance, Hunton and Williams, Covington and Burling, Proskauer - to name but a few.
- RELATED Check out a previous post on the Massachusetts privacy law.