Privacy and data security are not the same things

June 11, 2013

By Bob Johnson, NAID CEO

When I address an audience of privacy professionals, especially an international audience, I often point to the fact that the U.S. has the strongest data protection regulations in the world. On such occasions, I get one of two reactions: confusion, as if they are struggling to understand how I could possibly be so misguided, or blatant disagreement. The issue is usually resolved quickly once I point out the difference between strong data protection laws and strong privacy laws.

Over the last decade, many more costly fines have been assessed against organizations that allowed private information to fall into unauthorized hands in the U.S. than anywhere else in the world. Data breach notification laws are on the books in 48 of the 50 states and, under HIPAA since HITECH, the country now has a strong national health data breach notification law. Europe, Canada and Australia do not. Sanctions, fines and breach notification laws indicate a high regard for data protection.

Other developed regions of the world have stronger privacy laws; there is no doubt about that. In the U.S., if I want to require you to give me your shoe size before I sell you a sandwich, that is my prerogative. In regions that originally concentrated on privacy, it is illegal to collect information that is not necessary to the transaction. In the U.S., I do not have to inform you that you are under CCTV surveillance in my store. In Europe, I must inform you. These different approaches are the reason for the misconceptions about data protection and privacy.

Current U.S. data protection laws are strong because of the ongoing specter of identity theft, not because of privacy. Breach notification requirements do not protect your privacy; they warn you to be on the lookout for fraud. On the other hand, laws such as the Patriot Act in the U.S. drive the international privacy community nuts. In many cases, the privacy laws of other countries will not allow them to do business with U.S. organizations. My guess is that the recent fallout from the National Security Agency monitoring all international Web browsing going through a U.S.-based network will have many privacy-centric countries asking a lot of questions.

The evidence is clear: the U.S. has inferior privacy regulations. However, when compared to other developed nations, it has a much stronger data protection regime in place. With revelations such as the cellphone and Internet monitoring over recent days in the U.S., I am guessing privacy may get a little more focus. And, with identity theft increasing dramatically in all developed nations, data protection laws will undoubtedly become more intense.