If you are reading this blog post then you have access to the internet, a network that you are currently sharing with 2.4 billion other people, some of whom may not have your best interests at heart. Many people use this network for daily activities, ranging from shopping to social networking. As internet users interact with the web, they leave behind data that, if acquired by people with malicious intent, can leave them vulnerable to identity theft, credit card fraud, and embarrassment. While internet users can and should take precautions to avoid scams, interacting with the internet necessarily requires leaving personal information in the hands of others. This fact of the internet presents many challenging legal issues regarding the responsibilities of the parties that acquire personal data.
Late last year, Target – a large American retail store with recently expanded operations in e-commerce – was hacked, compromising the credit card information and personal data of millions of customers. Within a month of Target’s hacking disclosure, Neiman Marcus announced that hackers had exposed the customer payment card data collected by its systems. While data breaches seem to be occurring more frequently than ever, these particular incidents caught the attention of enough influential people to make this issue a political priority in the United States.
In early February the US Congress met twice to discuss whether the federal government needs to take action concerning the increasing prevalence of major data breaches. One of the main issues discussed during the hearings was the lack of a unified policy regarding companies’ responsibility to disclose data breaches to their customers. Currently, laws requiring disclosure exist in forty-six U.S. states, but differences in the law of each state provide companies with a complex and unclear view of how to handle data breaches. Staying true to its recent form, Congress has yet to take any legislative action with regard to the issues discussed during the hearings.
In order to avoid being accused of taking a US-centric view of the problems posed by internet information governance, I should note that many countries besides the US are acting quickly to legislate around issues concerning data breaches. In Russia, data collection is regulated under the Personal Data Law, which was implemented on July 27, 2006. This body of law requires e-commerce companies to obtain written consent before they can collect certain private personal information and also ensures these companies take the appropriate technical measures to protect their customers’ data. The European Union identified the advantages of a unified data protection scheme back in 1981 when it proposed the Data Protection Directive. In 2012 the European Union announced its intent to remain at the forefront of data protection when it proposed a currently pending major reform to the data protection legislation in place.
If the increasing frequency of data breaches is any indication, the time for a more comprehensive and global legal framework for data protection is approaching rapidly. At the World Economic Forum in early 2014, Brad Smith, Microsoft’s chief legal officer, called for an international convention to establish cross-border data-access rules. Many challenges to an international legal framework for data protection remain, including the many separate legal issues with varied stakeholders, the technical complexity and continuous innovation of the internet, and the difficulty of international agreement. Despite these challenges, the internet is a global system which at some point will require international legal solutions.
Matthew Aeschbacher is a 3LE law student at the University of Denver Sturm College of Law and a staff editor for the Denver Journal of International Law & Policy.