peter@taronga.hackercorp.com (Peter da Silva) (04/12/91)
jp@tygra.UUCP (John Palmer) writes:
> 2> A privacy amendment, setting out certain principles and
> rights in this area, including an order for congress to pass
> any necessary laws to protect this level of privacy both
> from invasions by the govt. and by one person(s) against
> another person(s) [This includes corporations].

Downside: Exxon sues Greenpeace for keeping a dossier on oil spills.

Etcetera. I think you can see the problems.
--
(peter@taronga.uucp.ferranti.com)
`-_-'
 'U`
jkp@cs.HUT.FI (Jyrki Kuoppala) (04/14/91)
In article <CE630X3@taronga.hackercorp.com>, peter@taronga (Peter da Silva) writes:
>jp@tygra.UUCP (John Palmer) writes:
>> 2> A privacy amendment, setting out certain principles and
>> rights in this area, including an order for congress to pass
>> any necessary laws to protect this level of privacy both
>> from invasions by the govt. and by one person(s) against
>> another person(s) [This includes corporations].
>
>Downside: Exxon sues Greenpeace for keeping a dossier on oil spills.
>
>Etcetera. I think you can see the problems.

The privacy laws in Finland only protect information about persons. Unless Exxon can convince the officials that the dossier on oil spills is really information about persons, it won't do much good to Exxon. From an article here or alt.privacy, it seems that the law in Denmark works pretty much the same way.

In my opinion the privacy law in Finland is quite good, for the most. Well, of course it has these backdoors for 'the country's security' etc, but at least it regulates the companies doing things like the Equifax / Lotus thingy. That couldn't have happened here.

Basically the law works like this (register == file). All information is from memory, and probably has googols of errors in it, but the spirit is like this, ask me more if you want to know:

- it regulates registers (when kept on a computer or on paper, when the information is easily accessible) which contain information about persons. Registers used for solely private purposes are not regulated.
- there has to be a document of every such register, visible on the register-keeper's premises
- if there's information about a person in a register, the person is allowed to review the information stored
- registers are restricted in what data can be collected - for example, it's often illegal to collect personal ID numbers (SSNs) or other data which isn't essential to the register's purpose
- mass-transfer of data from the register to other organizations / registers is regulated - at least in some cases it's supposed to be reported to the Data Protection Board
- mass-marketing is specially regulated - for example, on every mailing from a mass-marketing register there has to be an indication of origin (what register the recipient's address was gotten from)
- some data, like race or ethnic origin, social, political or religious conviction, criminal records, state of health, sexual behaviour etc. are not allowed to be stored in a register at all.

So also the health insurance stuff about two woman who has checked twice in a half year would have been impossible in Finland.

Enforcement of this law is like this:

- there's a Data Protection Board whose purpose is to see that the laws are respected. Mostly they do this by asking questions about the register keepers, with them answering (this works because the usage of the registers is by nature often quite public).
- individual citizens can report things they see to the Data Protection Board. There's no requirement for the individuals to prove anything etc., generally they just ask a question like 'this company wants to know my SSN when I do business with them, is this OK?' and then the Data Protection Board takes care from then on.

This seems to me an enormous win over the US style where you have to put millions in lawyer costs if you want something gotten right.

So, to me it seems that the focus of the law is right (nothing is regulated about computer files in general, just those containing personal information) and the enforcement style seems to be quite good also - no information police needed, and no megabucks needed from the citizens whose rights have been violated.

//Jyrki