CEO Blog
New Global Privacy and Breach Regulations
Monday, November 2nd, 2009
There have been two very significant developments this week that indicate just how seriously governments globally now take the threats identity theft and data breach pose to our basic freedoms and economic development. On Tuesday, Canada passed tough new regulations that empower law enforcement to more easily prosecute perpetrators of identity theft. By making the theft, trafficking, or possession of illegally obtained personal information crimes punishable by up to five years in prison, the Canadian government is showing global leadership on this issue that I hope many other countries will emulate.
Then Wednesday the European Commission announced that they are rethinking their policy on data breach disclosure. Specifically, Viviane Reding, the EU Commissioner for Information Society and Media, gave a speech in which she announced that the Commission will evaluate new EU-wide legislation that would require most European enterprises to disclose data breaches both to those affected and the authorities. Previously, the Commission had opposed such regulation. So this constitutes a pretty significant change in policy if the Commission proceeds with the plan disclosed by Reding.
Much of the path forward here is complicated by the political process inside the European Parliament and conflicting policies in individual EU member countries. However, the fact that the European Commission has agreed to even debate the issue is a significant step forward. As I’ve observed previously, it’s going to be very difficult to make material progress in protecting individual privacy in an era of rampant cybercrime without harmonizing the basic regulatory environments amongst the world’s major economic zones. It’s bad enough that the U.S. has 46 separate state data breach laws. I’m confident Congress will resolve that issue in due time. The larger issue here is that we can’t even begin to have a harmonization discussion with the EU because at the moment the official policy is that no breach disclosure is required.
I’m heartened by the actions of both the Canadian parliament and the European Commission. They both demonstrate, in their own way, that our elected officials are paying attention to the threats we now face. Even more significant, these developments demonstrate that the public sector is prepared to act to protect our confidential information and that they are prepared to act against those that intend to harm us through its misuse. It is also my hope that the regulatory bodies in all three global trading blocs not only continue this momentum, but leverage these actions to pursue the harmonized regulatory environment that will allow us to better address the escalating threats to our privacy and safety online.
