[comp.org.eff.talk] Should there really be a law?

peter@taronga.hackercorp.com (Peter da Silva) (04/12/91)

jp@tygra.UUCP (John Palmer) writes:
>    2> A privacy amendment, setting out certain principles and 
>       rights in this area, including an order for congress to pass
>       any necessary laws to protect this level of privacy both
>       from invasions by the govt. and by one person(s) against
>       another person(s) [This includes corporations].

Downside: Exxon sues Greenpeace for keeping a dossier on oil spills.

Etcetera. I think you can see the problems.
-- 
               (peter@taronga.uucp.ferranti.com)
   `-_-'
    'U`

jkp@cs.HUT.FI (Jyrki Kuoppala) (04/14/91)

In article <CE630X3@taronga.hackercorp.com>, peter@taronga (Peter da Silva) writes:
>jp@tygra.UUCP (John Palmer) writes:
>>    2> A privacy amendment, setting out certain principles and 
>>       rights in this area, including an order for congress to pass
>>       any necessary laws to protect this level of privacy both
>>       from invasions by the govt. and by one person(s) against
>>       another person(s) [This includes corporations].
>
>Downside: Exxon sues Greenpeace for keeping a dossier on oil spills.
>
>Etcetera. I think you can see the problems.

The privacy laws in Finland only protect information about persons.
Unless Exxon can convince the officials that the dossier on oil spills
is really information about persons, it won't do much good to Exxon.

From an article here or alt.privacy, it seems that the law in Denmark
works pretty much the same way.

In my opinion the privacy law in Finland is quite good, for the most part.
Well, of course it has these backdoors for 'the country's security' etc,
but at least it regulates the companies doing things like the Equifax
/ Lotus thingy.  That couldn't have happened here.

Basically the law works like this (register == file).  All information
is from memory, and probably has googols of errors in it, but the
spirit is like this, ask me more if you want to know:

- it regulates registers (when kept on a computer or on a paper, when
  the information is easily accessible) which contain information about
  persons.  Registers used for solely private purposes are not regulated.
- there has to be a document of every such register, visible on the
  register-keeper's premises
- if there's information about a person in a register, the person is
  allowed to review the information stored
- registers are restricted in what data can be collected - for example,
  it's often illegal to collect personal ID numbers (SSN's) or other
  data which isn't essential to the register's purpose
- mass-transfer of data from the register to other organizations / registers
  is regulated - at least in some cases it's supposed to be reported
  to the Data Protection Board
- mass-marketing is specially regulated - for example, on every mailing
  from a mass-marketing register there has to be an indication of origin
  (what register the recipient's address was gotten from)
- some data, like race or ethnic origin, social, political or religious
  conviction, criminal records, state of health, sexual behaviour
  etc. are not allowed to be stored in a register at all.  So also the
  health insurance stuff about two woman who has checked twice in a half year
  would have been impossible in Finland.

Enforcement of this law is like this:

- there's a Data Protection Board whose purpose is to see that the
  laws are respected.  Mostly they do this by asking questions
  about the register keepers, with them answering (this works because
  the usage of the registers is by nature often quite public).
- individual citizens can report things they see to the Data Protection Board.
  There's no requirement for the individuals to prove anything etc.,
  generally they just ask a question like 'this company wants to
  know my SSN when I do business with them, is this OK?' and then
  the Data Protection Board takes care from then on.  This seems to me
  an enormous win over the US style where you have to put millions
  in lawyer costs if you want something gotten right.

So, to me it seems that the focus of the law is right (nothing is
regulated about computer files in general, just those containing
personal information) and the enforcement style seems to be quite good
also - no information police needed, and no megabucks needed from the
citizens whose rights have been violated.

//Jyrki