Transatlantic data privacy in debate at Privacy Conference
The 2nd edition of the Annual European Data Protection and Privacy Conference took place on 6 December 2011, mostly featuring speakers pulled from its corporate sponsors, although it also included a few key European institutions' representatives and data protection officials. There was no place here for the civil society's voices apart from a representative from BEUC, the European Consumers' Organisation.
The most interesting part of the conference was the pair of prepared speeches on "Transatlantic solutions for data privacy" by Viviane Reding, Vice President and Commissioner for Justice, Fundamental Rights and Citizenship of the European Commission, and Cameron Kerry, General Counsel at the US Department of Commerce. Ms. Reding announced that her office wants to "create a level playing field for companies" and is "against inconsistent rules because they are against business". She also recommended the adoption and use of binding corporate rules in that regard, and explained that she is in favour of the rule of "main establishment" to decide when the EU data protection rules apply to companies. She announced the following four rules as being the most important ones of the upcoming European Commission's data protection regulatory framework: easier access to one's own personal data, a right to data portability, the acknowledgement of the right to forget, and clearer rules for international data transfers. She also made the point that, although she favours cloud computing in Europe, strong data protection rules are good for business because they enhance consumers' confidence. Worth noting is the point she made about the US government agency's proposal for a Commercial Privacy Bill of Rights: although in principle in its favour, she did not agree with the use of only voluntary codes of conduct.
Cameron Kerry announced that his department would soon release a White Paper promoting consumer privacy that would provide a roadmap for the US Government and consist of four pillars:
1) a consumer privacy Bill of Rights to provide protections for consumers and greater certainty for businesses, and provide a uniform set of standards that expands on the notice and choice principles;
2) it will convene multi-stakeholder processes including EU entities to develop legally enforceable codes of conduct that expand on the Bill of Rights, based on a voluntary participation by both consumers and businesses, and enforceable by the Federal Trade Commission (FTC) once participants would agree to abide by them;
3) "effective, fair and consistent" enforcement by the FTC;
4) a global interoperability in which "the Bill of Rights is a strong step towards an international consensus on international privacy principles".
Although his speech sounded more like the usual Department of Commerce discourse, which considers privacy an impediment to the benefits of free trade and unrestricted flows of information an enabler of economic growth, Mr. Kerry had a point when he alluded to the misconception some Europeans have when they consider Americans as careless about privacy, and pointed to the deployment of data breach notification rules in the US as having been a powerful incentive for companies' compliance with privacy rules.
During the next session about "Ensuring co-ordinated and harmonised data protection laws across the EU", Jacob Kohnstamm, Chairman of the Article 29 Data Protection Working Party, emphasized that enforcing the rule of establishment of the new data protection framework would only work if data protection authorities are given much stronger enforcement powers and their level of coordination is increased, without which "a level playing field in the EU is impossible". Industry representatives all concurred on the need to implement the "main establishment" rule, some saying that binding corporate rules would limit the risk of forum shopping. Stephen Deadman from Vodafone argued that the EU data protection regime is too legalistic ("we need less rules, not more") while it should focus more on operational privacy. John Vassallo of Microsoft, also in favour of the "main establishment" rule, insisted that in order to avoid forum shopping, the criterion should be the "primary physical infrastructure for processing data, the actual servers" and that a clearer and more harmonized legal framework must be promoted. Joan Antokol from Park Legal showed, through various examples based on her health privacy practitioner's experience, the ways some European rules are incoherent and should be harmonized across all EU Member States, while the focus should be to eliminate rules and expenses that do not bring added value to protect individuals' privacy.
In a second session entitled "What will the effect of the new privacy rules be on the online lives of EU citizens?", Marie-Helene Boulanger from the Data Protection Unit of the European Commission stated that a recent survey of European consumers shows that the expectation of individuals with regard to the protection of their personal data is decreasing, pointing to the fact that 70% of Europeans are concerned about the secondary use of their data without consent, and to the increasing demand of individuals for the notification of data breaches by companies. Richard Allan of Facebook, asked how his company complied in practice with the subject access right of the Data Protection Directive and how it reacted to the string of complaints by an Austrian law student before the Irish Data Protection Commissioner, argued that his company had started discussions with the Irish authority to try to iron out the scope of subject access requests in practice, although he avoided answering the more specific question as to whether that right to access also included the meta-data associated with each Facebook user's profile.
In the session about "Rebuilding consumer confidence in data protection laws", Kostas Rossoglou of BEUC argued for stronger redress and compensation rules, including a right to collective redress, and added that self-regulation is only a solution if it fully complies with the law, benefits consumers, and is effectively enforced, which, according to him, has never been the case thus far. David Smith of the UK Data Protection Authority said that his office was interested in seeing trustmarks and seals developed in a simple and effective way; that fines drive compliance; and that individuals' access rights should be simple to use, whereas they are generally hard to exercise in practice.
On the last panel entitled "What shape for globalised data protection and privacy laws in the 21st century?", Peter Hustinx, the European Data Protection Supervisor, stated about the prospective European data protection legal framework that the criterion of application would be enhanced with a "targeting" rule: whether the data protection rules apply will depend on whether the data controllers are considered to target EU-based individuals when processing their personal data, or monitor them online. He also added that the meaning and scope of the concept of "adequate protection" would likely be clarified by the European Commission.
(Contribution by Cedric Laurant - EDRi observer)