Canada has the right idea:
The Canadian government plans to criminalize identity theft to give police the ability to stop such activity before any fraud has actually been carried out, Justice Minister Rob Nicholson said Tuesday. He said he would introduce legislation targeting the actual gathering and trafficking in credit card, banking and other personal data for the purposes of using it deceptively.
Identity fraud is already a crime in Canada, but gathering and trafficking in identity information generally is not.
Personal data is just that: personal data.
Canada and every other legal jurisdiction needs to go a few steps further and recognize that personal data belongs to you and that no one can have legitimate access to this data for any purpose without your express permission.
The related definition of personal data needs to be very broad and even in situations where one has given their permission for use the boundaries around this use must be very tight. Examples:
- using a credit card to make a transaction should trigger the legitmate use of a bank using that information to bill you but nothing more.
- Placing a cell phone call should trigger the legitimate use of the carrier using that information to bill you but nothing more. Any other records of where you have been that a cell company may be able to collect should be unusable by anyone for any purpose without your consent.
None of this has to be complex. A simple statement that it is a Class x felony to gather, possess or use someone else’s personal data without their consent should do.
The onus must be on the users of personal data to prove they have a legitimate use.