This article is also available in:
Deutsch: EU – USA: Bekenntnis zu Privatsphäre und Datenschutz
At the 28 November 2011 EU-US Summit, President Obama and Presidents Van Rompuy and Barroso announced that the US and the EU are determined to finalise negotiations on a comprehensive EU-US data privacy and protection agreement. On 19 March 2012, a High Level Conference on Privacy and Protection of Personal Data took place to discuss commercial data privacy questions, held simultaneously in Washington and Brussels. The conference was extremely well attended by high-level EU regulators and provided valuable insights into the respective priorities. Before the Conference, European Commission (EC) Vice-President Viviane Reding and U.S. Secretary of Commerce John Bryson released an EU-US joint statement on data protection in which they stated that this was a defining moment for global personal data protection and privacy policy and for achieving further interoperability of our systems on a high level of protection.
The conference wad organised in the context of the EC's legislative proposals to reform and strengthen the fundamental right to data protection and unify the EU's data protection laws and enforcement rules and President Obama's privacy blueprint, including the Consumer Privacy Bill of Rights. Stakeholders in the US are very interested in the ongoing data protection reform in the European Union - notably in the proposal for a "one-stop-shop" and a consistent regulatory level playing field across all EU Member States.
Viviane Reding, started by saying that today, in a digital economy, the scare of sharing personal information has increased being a crucial factor of economic growth, therefore the protection of citizens' right is inevitable: trust in digital economy is possible only when a solid protection is settled. That's why data protection is a strong policy priority for the European Commission and the European Parliament, as well as for all the 27 Member States. Notably she underlined three prominent elements:
1. The principles of data protection are as valid today as in 1995 and EU has to reaffirm the importance of this fundamental right
2. Technology innovations have made our DP rules a key factor for our digital single market because, in order to flourish, our economy needs trust: lack of trust indeed discourages citizens from buying online and giving their personal information on line.
3. European and American companies expect that the new European data law will provide a legal playing field, regardless of where the company operates in the 27 members: the goal is to create only one rule for Europe - making sure that the one stop shop for data protection regulation is for all EU Member States; this is the only way EU will be a more attractive place to do business.
US authorities have developed efforts to comply with safe harbours - but more efforts are needed: a dialogue is needed to improve the safe harbour agreement and to go even further; stronger interoperability standards are needed as well to complete the puzzle to provide legal certainty to businesses and citizens.
John Bryson, US Secretary of Commerce, who came in with a video message, reported that President Obama had asked the Congress to enact legislation but also to move ahead on a voluntary basis through codes of conduct, underlying the importance of a collaborative approach. The other speakers in the first panel also all broadly welcomed both the EU proposals and the Obama White Paper.
However, Douwe Korff, representing EDRi, said that these exchanges of mutual compliments were excessive: there were still major issues to be resolved. In particular, in Europe, data protection is a fundamental right, accorded to "everyone" (Charter of Fundamental Rights). The European civil society in principle welcomed the proposed EU Regulation insofar as it sought to achieve data protection at a high level, although quite a few issues still needed improving or clarifying. By contrast, in the US privacy much less protection is given under the Constitution: although the recent Jones decision by the Supreme Court has shown progress, there were still important limitation on the US Fourth Amendment guarantees; the "third party" doctrine undermined principles that are seen as crucial in Europe, notably purpose-limitation; and in important areas privacy protection was denied to non-US citizens altogether.
Although the conference as such was limited to privacy in the commercial context, the debate should also note the major issue of private-sector data being used for law enforcement and national security purposes without appropriate safeguards: that was the elephant in the room that no-one mentioned. From a European perspective, it was essential that privacy in the USA should be placed on a comprehensive statutory basis that met the international standards, as enshrined in the only binding global data protection instrument, Council of Europe Convention No. 108 (currently being updated). The President's proposals for a Consumer Privacy Bill of Rights would only result in an acceptable situation if that Bill would become a binding law, meeting the new Convention standards.
In the second panel, Representative Ed Markey (D-MA)'s speech was revealing: he presented a good update on the status of the COPPA (Children's Online Privacy Protection Act) revisions and, as the long-standing co-chair of the Congressional Privacy Caucus, provided a fascinating historical summary of the various federal privacy initiatives of recent decades. He highlighted that in the US people shared the same concerns and values as within EU, in particular the fundamental principles of knowledge, notice and right to say "No" to the use of their private info, but something gets lost in translation from principle to practice. In his opinion, the DP Regulation can assure a high level of protection and, therefore, is a good example to follow: US Congress needs to act to protect privacy as a right. Notably, he insisted on the need to protect 15 years old and younger from behavioural targeting ads and to create, for this purpose, a safe harbour for children. He commended Viviane Reding for the strong response to Google new privacy policy and asked for investigation in the US of Google new privacy policy.
In the third panel, Peter Hustinx, the European Data Protection Supervisor, had a slightly optimistic message for the US. In outlining his understanding of the interoperability requirements highlighted in the Joint Statement, he suggested that an adequacy finding could result from the implementation of the White Paper, even if it did not result in a comprehensive law, as adamantly requested by Francoise Le Bail, Director-General for Justice at the European Commission. Mr. Hustinx emphasized the need for sufficiently common principles and their binding implementation as far more important than the specifics of the regulatory regime.
The fourth panel focussed on the enforcement of privacy (and other matters) by the US Federal Trade Commission, and was thus linked to the fifth panel which specifically discussed the Safe Harbor. FTC representatives strongly emphasised their commitment to strong enforcement, and pointed to two recent agreements with Google and Yahoo. However, David Smith, the UK Deputy Information Commissioner with primary responsibility for data protection, said that when he looked at the websites of a small random sample of companies that said they complied with the Safe Harbor, he found that about 1/3 of them did not even appear to have a privacy statement, another 1/3 had one but it did not meet the Safe Harbor standards, and the final 1/3 seemed to have a privacy statement that more or less reflected the Safe Harbor requirements. Douwe Korff intervened to say that was what he found too, and said that in spite of the two recent cases (the effects of which still needed to be seen), the Safe Harbor appeared to be largely a fig leaf behind which US companies in practice continued to operate contrary to basic privacy principles. Another intervener, Edward Hasbrouck, pointed out that the FTC's remit was limited in some important respects, and for instance did not cover transportation and, thus, airline passenger data.
EU Conference: Privacy and Protection of Personal Data (19.03.2012)
http://ec.europa.eu/justice/events/eu-us-data/index.html
Recorded webcast of the Conference (19.03.2012)
http://scic.ec.europa.eu/str/indexh264.php?sessionno=0cdf61037d7053ca5...
Viviane Reading's speech: Towards a New "Gold Standard" in Data
Protection?(19.03.2012)
http://ec.europa.eu/commission_2010-2014/reding/pdf/speeches/20120319s...
EU-U.S. joint statement on data protection by European Commission
Vice-President Viviane Reding and U.S. Secretary of Commerce John Bryson
(19.03.2012)
http://europa.eu/rapid/pressReleasesAction.do?reference=MEMO/12/192
(Thanks to Douwe Korff - EDRi-member FIPR- UK)