When regulators set different rules as to what counts as insufficient practice, what are the consequences for the marketplace? Furthermore, what might this say about the players in the marketplace and their priorities, especially regarding privacy and security?
When data breaches occur, there are consequences for the victims who may be directly or indirectly tied to such data, the legal owners of that data, the legitimacy of the systems managing that data, and the companies who manage those systems. However, the laws regarding data protection are not uniform, and today we may look no further than the recent PlayStation Network data breach to observe this reality.
In the European Union, a number of member states have regulators that monitor and impose duties upon controllers of data, whereas in the United States, there are no such duties, although public opinion would set expectations. However, while in the European Union the regulators will impose fines upon data controllers for breaches, in the United States the only reasonable recourse is to target the company in class-action litigation.
In a global, interconnected world, where the “cloud” is the future, in which data travels and is stored across multiple jurisdictions at lightning-fast speeds, some form of uniformity regarding duties should be imposed upon any party deciding to engage in activity that deals with data that is expected to be secure. If a general expectation of privacy and security to be provided by a party exists, a subsequent general duty to meet that expectation for the sake of the consuming party should also exist. For that reason, continental regulation is not enough. A situation in which a party may be breaching the law in one country yet not in another is not good enough, especially when the law in question deals with material that is intended to be used or stored from around the world. A situation in which a party may face a class-action lawsuit but not a regulatory fine, while the same party would face the latter elsewhere, makes the law confusing and counter-productive.
Either everyone should adhere to a system of data protection regulation and incur penalties as necessary, everyone should adhere to civil litigation, or both. Data controllers should be reminded that their actions have global consequences, but they should also have a reasonable expectation of a consistent penalty regarding those consequences.