Data security is the system that ensures that data (information of value) is kept safe from corruption and piracy and its access is restricted. Data security helps assure privacy while protecting personal data.

As assorted and diverse information structures with varied privacy policies prevail in the IT scenario covering all over the world, technical control and logging mechanisms are required to enforce and monitor privacy rules, laws and by-laws to ensure accountability for information use. While several technologies address privacy protection in enterprise IT systems, they are categorized into two primary divisions, namely, Communication and Enforcement. Policy Communication platform for Privacy Preference is P3P which is a standard for communicating privacy practices as well as matching them with the preferences of individuals. Policy Enforcement, however, covers the Extensible Access Control Mark up Language or XACML, which along with its Privacy Profile is the standard for expressing privacy policies in a machine-readable language that a software system can use in enforcing the policy in enterprise IT systems.

Though the Enterprise Privacy Authorization Language or EPAL is fairly similar to XACML, it is not an industry standard while Web Service Privacy or WS-Privacy will be a specification for communicating privacy policy in web services only.

Despite several measures taken to catch hold of electronic offenders in the United States, data privacy is not highly legislated there. Credit report generation of individuals for employment, housing, purchase of consumer durables are accepted norms in many states to which nobody seems to object, no matter how much the federal government tries to restrict the practice. Apart from meager regulations involving children’s privacy protection (Children’s Online Privacy Protection Act) and HIPPA, there is hardly any all-encompassing law in the United States, restricting the use of personal data. Probably the First Amendment that protects free speech in the US gives rise to conflicts with any attempt on part of the government to restrict privacy even in the electronic age. The matter seems to gain more momentum in the light of many countries where privacy works as a tool to suppress free speech.

In order to demonstrate compliance with the European Commission directives on corporate privacy matters, the Safe Harbor Arrangement was developed by the US Department of Commerce which tried to simplify relations between them and the European Business Community at large. However, the US Supreme Court at last granted the right of privacy to individuals in Griswold v. Connecticut but barring California, very few US states recognize or encourage an individual’s right to privacy. An unassailable right to privacy is enmeshed in the California Constitution’s Article 1, Sec.1 while the California legislature has taken several legal measures to protect the right. The California Online Privacy Protection Act of 2003 mandates all commercial websites or online services that collect personal information on California residents through web to post a privacy policy on the site as also to comply with its policy. However, with the enactment of further laws and regulation protecting the privacy of all American citizens, data privacy and security is now seeing better days in the US.

Compared to the fate of US citizens in matters relating to the right of data privacy, the average Canadian seems to fare well. The Personal Information Protection & Electronic Documents Act in Canada went into effect (in relation to federally regulated organizations) on January 1, 2001 while it became fully effective in relation to all other organizations on January 1, 2004. Such regulation has also brought Canada into compliance with the requirements of the European Commission’s directive on the subject.

The data privacy and security system in Europe, however, is far more advanced than what it is in North America. The right to data privacy is rigidly regulated in most of Europe. Right to respect for one’s ‘private and family life, his home and his correspondence’ subject to few restrictions is amply provided in Article 8 of the European Convention on Human Rights (ECHR). The European Court of Human Rights interprets the Article 8 in the light of unlawful gathering of personal information that often extends to collection of medical data or particulars of personal expenditure. Sate interference with a person’s privacy is only allowed by the Court if three conditions are fulfilled – (1) the interference is in according with local law; (2) pursues a legitimate goal and (3) it is needed in a democratic country.

Apart from legislative interference, private enterprises often posed threat to data privacy in some European nation states while automated processing of data became pervasive. In order to put a rein on such electronic crimes, the Convention for the protection of Individuals with regard to Automatic Processing of Personal Data within the Council of Europe in 1981 and accordingly:-

• The old Data Protection Act 1984 was repealed and replaced by Data Protection Act 1988 in the United Kingdom. The new law is far more stringent about maintaining and protecting the secrecy of private data.
• In Germany, both the Federal Government and the state bodies had enacted data protection legislations for the benefit of common man
• France adopted its present legal structure for providing protection of personal data that is almost foolproof.

However, experience have shown that mere enactment of law can hardly address the menace in which hackers are disrupting the functioning of significant research activities, indulging in unauthorized withdrawal of large amount of money from banks by duplicating the encryption in Debit Cards and are also selling personal information to whosoever is willing to buy.