03/23/2011 03:29 pm ET | Updated May 25, 2011

Learning From Europe in Designing a Privacy Bill of Rights

U.S. lawmakers have begun debating updated privacy legislation in the United States to protect consumers from intrusive online tracking and other violations of privacy in the Internet world. Unfortunately, many privacy advocates fear a bill will be too influenced by industry interests that won't really protect against companies converting personal information into profit centers.

In fact, advocates need to highlight the much tougher privacy standards being developed in Europe and the lessons for U.S. policymakers. France fining Google yesterday for illegal wi-spy monitoring of personal data through Street View cars and apparently individual smart phones is one example of tougher European standards.

Principles for European Union Privacy Policy: And a speech by Viviane Reding, European Union Justice Commissioner late last week, entitled Your data, your rights: Safeguarding your privacy in a connected world, laid out key principles for privacy policy:

  • The first is the "right to be forgotten"... people shall have the right - and not only the "possibility" - to withdraw their consent to data processing. [Data controllers...must prove that they need to keep the data rather than individuals having to prove that collecting their data is not necessary.
  • The second pillar is "transparency". Individuals must be informed about which data is collected and for what purposes. They need to know how it might be used by third parties. They must know their rights and which authority to address if those rights are violated.
  • The third pillar is "privacy by default"... rules would prevent the collection of such data through, for example, software applications. The use of data for any other purposes than those specified should only be allowed with the explicit consent of the user or if another reason for lawful processing exists.
  • The fourth principle is "protection regardless of data location". ..Any company operating in the EU market or any online product that is targeted at EU consumers must comply with EU rules.

European governments did become especially active in developing these principles in response to the revelations last year that Google had been collecting emails and other personal information through tapping data from personal wi-fi networks all over the world. The United Kingdom concluded that Google's actions violated U.K. data protection law. Last May, German prosecutors based in Hamburg opened a criminal investigation into Defendant's conduct.

Learning from Germany's Data Protection Policies: And Germany, for example, is leading the charge in promoting more specific legal rules that largely dovetail with the principles laid out by EU Commissioner Reding. Just two weeks ago, German Interior Minister Thomas de Maizier announced that a a business consortia involving eight companies, including Google and Microsoft, had agreed to a new data protection code for spatial data services like Street View. Reflecting the "right to be forgotten" principle, individuals will gain the power to edit and even delete information collected about them. The "transparency" principle is reflected in the creation of central Internet portal will be established which will outline what info services are being provided in their city, what their rights are and how they can improve or obscure details they don't want shared publicly. Companies will have to give one month advance notice ahead of recording trips in a community. The Interior Minister indicated he wants to extend similar rules to all data collection on the Internet.

Lower Saxony, a German state, is moving to make it illegal to pass along IP addresses of web visitors to a third party without their permission, which has included requiring a web marketer to remove Google's AdSense and an Amazon widget that features books from the US online retailer, unless users give their permission before IP addresses of visitors are passed on to advertisers.

More creatively, the German Bavarian state government is working with technology companies to develop their own transparent system for providing spatial location information to consumers, as an alternative to Google's more intrusive system that tracks consumer movements. Spatial data would be collected without tracking individual SSID or personal payload data in personal wi-fi systems, while the databases will be compiled and downloaded directly to individual cell phones, meaning no company like Google will get to track your location every time you check your location -- a big plus from a privacy perspective.

U.S. Advocates Need to Demand More: Privacy legislation being discussed in the U.S. Congress looks to prevent only the most outrageous privacy violations. But the more the public understands that other countries are moving towards a more radical pro-consumer direction, one where consumers hold onto personal data unless they agree otherwise, the more likely they are to demand more comprehensive accountability for how companies like Google and other online retailers have used personal data for their own profit motives, instead of being guardians of individual privacy.

Crossposted from Tech-progress