Internet Privacy, European Style
By Lincoln D. Stein
A couple of months ago, I registered for an Internet security conference. The online registration screen was nothing unusual. There were the usual fields for my name, affiliation, address, and telephone number, plus options for selecting the hotel and other accommodations. A few weeks later, I started receiving junk mail (the paper kind, not email) from various exhibitors at the conference. Clearly the conference organizers had shared my registration information with conference exhibitors. A common enough occurrence, and certainly nothing to write home about.
Except for one thing. If I had been European, and this had happened after October 28, 1998, this sharing of my personal information would have been unlawful under European Union regulations. In fact, the very act of collecting my online registration information would have been prohibited by law, and the conference organizers could be subject to lawsuits brought by the European state I belonged to.
This sounds extreme, but it's true. Under the European Data Protection and Privacy Directive issued in 1995, all European Union member states are required to enact laws by October 1998 that ensure the privacy of personal information collected and stored electronically. Historically, most European states have taken a much stricter attitude towards the sharing and dissemination of electronic information than the U.S. For example, the practice of aggregating and cross-correlating databases -- which is routinely done in the U.S