The European Parliament is drafting a data breach law it hopes will better focus on data transfers both within the EU and between the EU and the United States. The drafters are facing numerous challenges, however, which parliamentary members discussed with academics and privacy law specialists at the Georgetown University Law Center.

Top among them were resolving national differences in privacy perceptions, and whittling down the bulk of what falls under the umbrella of "data privacy" into more manageable sections.

There is no federal regulation of data privacy in the United States, but at least 33 states have implemented their own regulations. Not all regulations are for the same thing, however: some are bent towards consumers, and some to industry, and still others to security.

One way to do that is to follow the example of the ChoicePoint settlement and take data privacy sector by sector.

ChoicePoint, Inc. in January 2006 settled FTC charges that it violated the Fair Credit Reporting Act and the deceptive and unfair practice prongs of Section 5 of the Federal Trade Commission Act by agreeing to pay a $10 million fine—the largest civil penalty in FTC history. The company later settled with 44 states for $500,000 and a promise to implement changes.

ChoicePoint approached data privacy from a strictly financial perspective, but that narrowness was effective, and acted as "federal law through the back door."