We at Tripwire are very excited that RSA Conference 2015 is finally upon us. Not only are we looking forward to all of the attendees who will join us at Booth 3301 over the course of RSA, but we are also eager to hear all of the keynote speakers. Acknowledging this excitement, we decided to sit down with Steven Fox, one of the conference’s keynote speakers, and explore the ideas that will shape his presentation.
Steven Fox is the Senior Cybersecurity Officer at the Internal Revenue Service. His cross-disciplinary, international perspective regarding security issues informs his efforts with numerous working groups, including the IPv6 transition team and the Security and Privacy workgroup. He is also a syndicated security risk blogger, and he frequently volunteers his time to the Ponemon Institute and Circle City Con.
On Tuesday, April 21st, Fox will present “U.S. vs EU Privacy Cage Match: Adapting to Changing Data Protection Laws” in Room 3012 at RSA. His talk, which begins at 4:40 pm, will explore how the privacy conflicts between the United States and the European Union are affecting proposals for data protection legislation, not to mention our organizations more generally.
TRIPWIRE: What do you feel are the main differences between the US & EU privacy laws?
STEVEN FOX: The European Union has passed legislation whose aim has been to protect people’s privacy and outline under what conditions third parties can request customers’ personal data. Two such legislative directives deserve mention. The first is the Data Protection Directive 1995/46/EC. This directive does two important things. First, it requires that data controllers define the purpose for each data collection request and maintain transparent communication with the subject regarding what information they seek to collect at all times. Second, it allows the subject to decline a data request and empowers them to receive information regarding how their data is used and by what entities.
The second directive of note is the e-Privacy Directive 2002/58/EC, which was aimed at ensuring the protection of personal data in the field of telecommunications.
Whereas the European Union has embraced an overarching set of privacy legislation, the United States has not. Instead it approaches privacy from a market perspective, which compartmentalizes privacy issues according to different sectors of life. For example, HIPAA addresses the protection of privacy from the standpoint of individual health data, whereas the Fair and Accurate Credit Transaction Act (FACTA) addresses privacy risks arising from transactions involving credit information. Both HIPAA and FACTA are obviously concerned with privacy, but they are not overarching given their limited scope.
TW: In your opinion, who is doing a better job protecting people’s privacy: the United States or Europe? Why?
SF: The idea that either the United States or the European Union is doing a “better job” at protecting people’s privacy is misleading. After all, both of their approaches have emerged from a distinct historical context. The commercial forces that emerged in the United States have had a direct role in shaping the country’s market-based perspective of privacy. By contrast, the European view of privacy as a human right emerged gradually from a long history of dictatorships that squelched the autonomy of its citizens.
Neither of these perspectives is set in stone, however. For instance, new advances in the areas of cloud computing, reconnaissance, data science, and the Internet of Things (IoT) are driving the European Union to reconsider how it protects its citizens. With these changes come consent requirements and penalties, both of which are raising commercial concerns in the context of our increasingly global economy.
TW: Why is distrust from EU countries in response to U.S. Surveillance revelations a problem for global privacy?
SF:The success of a global economy requires mutual respect of not only customs but also of legislative concerns. However, revelations of surveillance capabilities and governance issues erode this trust and undermine the perceived integrity of commercial ventures and agreements.
In a practical sense, I am concerned that the EU might ultimately retaliate for the Snowden revelations by instituting oppressive data protection and privacy controls that will hamper international trade.
TW: What does the future of global privacy look like?
SF: The economic benefits of international commerce will focus attention on efforts at revising Safe Habor, a framework required for data exchange between the United States and European Union member countries. Towards the goal of reinvigorating Safe Harbor, the European Commission recommends improvements in transparency (increasing the disclosure of privacy policies), redress (fixing investigation and resolution measures of Safe Harbor non-compliance), and intelligence governance (enhanced governance related to the national security exceptions permitted under Safe Harbor).
Please click here to learn more about Fox’s RSA presentation.
To view an agenda for this year’s conference, please click here .