Transatlantic data privacy in debate at Privacy Conference

By EDRi · December 14, 2011

This article is also available in:
Deutsch: [Datenschutzkonferenz: Debatte über einen transatlantischen Datenschutz | https://www.unwatched.org/EDRigram_9.24_Datenschutzkonferenz_Debatte_ueber_den_transatlantischen_Datenschutz?pk_campaign=edri&pk_kwd=20111218]

The 2nd edition of the Annual European Data Protection and Privacy
Conference took place on 6 December 2011, mostly featuring speakers pulled
from its corporate sponsors, although it also included a few key European
institutions’ representatives and data protection officials. There was no
place here for the civil society’s voices apart from a representative from
BEUC, the European Consumers’ Organisation.

The most interesting part of the conference were Viviane Reding and Cameron
Kerry’s prepared speeches about the “Transatlantic solutions for data
privacy”, the Vice President and Commissioner for Justice, Fundamental
Rights and Citizenship of the European Commission, and the General Counsel
at the US Department of Commerce respectively. Ms. Reding announced that her
office wants to “create a level playing field for companies”, is “against
inconsistent rules because they are against business”. She also recommended
the adoption and use of binding corporate rules in that regard; and
explained that she is in favour of the rule of “main establishment” to
decide when the EU data protection rules apply to companies. She announced
the following four rules as being the most important ones of the upcoming
European Commission’s data protection regulatory framework: an easier access
to one’s own personal data, a right to data portability, the acknowledgement
of the right to forget, and clearer rules for international data transfers.
She also made the point that, although she favours cloud computing in
Europe, strong data protection rules are good for business because they
enhance consumers’ confidence. Worth noting is the point she made about the
US government agency’s proposal for a Commercial Privacy Bill of Rights.
Although in principle in its favour, she did not agree with the use of only
voluntary codes of conduct.

Cameron Kerry announced that his department would soon release a White Paper
promoting consumer privacy that would provide a roadmap for the US
Government and consist of four pillars:
1) a consumer privacy Bill of Rights
to provide protections for consumers and greater certainty for businesses,
and provide a uniform set of standards that expands on the notice and choice
principles; 2) it will convene multi-stakeholder processes including EU
entities to develop legally enforceable codes of conduct that expand on the
Bill of Rights, based on a voluntary participation by both consumers and
businesses, and enforceable by the Federal Trade Commission (FTC) once
participants would agree to abide by them; 3) “effective, fair and
consistent” enforcement by the FTC; 4) a global interoperability in which
“the Bill of Rights is a strong step towards an international consensus on
international privacy principles”.
Although his speech sounded more like the
usual Department of Commerce’s discourse considering privacy as an
impediment to the benefits of free trade, and unrestricted flows of
information as enabling economic growth, Mr. Kerry had a point when he
alluded to the misconception some Europeans have when they consider
Americans as careless about privacy, and pinpointed the deployment of data
breach notification rules in the US as having had a powerful incentive on
companies’ compliance with privacy rules.

During the next session about “Ensuring co-ordinated and harmonised data
protection laws across the EU”, Jacob Kohnstamm, Chairman of the Article 29
Data Protection Working Party, emphasized that enforcing the rule of
establishment of the new data protection framework would only work if data
protection authorities are given much stronger enforcement powers and their
level of coordination is increased, without which “a level playing field in
the EU is impossible”. Industry representatives all concurred on the need to
implement the “main establishment” rule, some saying that binding corporate
rules would limit the risk of forum shopping. Stephen Deadman from Vodafone
argued that the EU data protection regime is too legalistic (“we need less
rules, not more”) while it should focus more on operational privacy. John
Vassallo of Microsoft, also in favour of the “main establishment” rule,
insisted that in order to avoid forum shopping, the criterion should be the
“primary physical infrastructure for processing data, the actual servers”
and that a clearer and more harmonized legal framework must be promoted.
Joan Antokol from Park Legal showed, through various examples based on her
health privacy practitioner’s experience, the ways some European rules are
incoherent and should be harmonized across all EU Member States, while the
focus should be to eliminate rules and expenses that do not bring added value to
protect individuals’ privacy.

In a second session entitled “What will the effect of the new privacy rules
be on the online lives of EU citizens?”, Marie-Helene Boulanger from the
Data Protection Unit of the European Commission stated that a recent survey
of European consumers shows that the expectation of individuals with regard
to the protection of their personal data is decreasing, pointing to the fact
that 70% of Europeans are concerned about the secondary use of their data
without consent, and the increasing demand of individuals for the
notification of data breaches by companies. Richard Allan of Facebook, asked
how his company complied in practice with the subject access right of the
Data Protection Directive and how it reacted to the string of complaints by
an Austrian law student before the Irish Data Protection Commissioner,
argued that his company had started discussions with the Irish authority to
try to iron out the scope of subject access requests in practice, although
he avoided to answer the more specific question as to whether that right to
access also included the meta-data associated with each Facebook user’s
profile.

In the session about “Rebuilding consumer confidence in data protection
laws”, Kostas Rossoglou of BEUC argued about the need for stronger redress
and compensation rules, including a right to collective redress; also that
self-regulation is only a solution if it fully complies with the law,
benefits consumers, and is effectively enforced, which has according to him,
never been the case thus far. David Smith of the UK Data Protection
Authority said that his office was interested in seeing trustmarks and seals
developed in a simple and effective way; that fines drive compliance; and
that individuals’ access rights should be simple to use, whereas it is
generally hard to exercise in practice.

On the last panel entitled “What shape for globalised data protection and
privacy laws in the 21st century?”, Peter Hustinx, the European Data
Protection Supervisor, stated about the prospective European data protection
legal framework that the criterion of application would be enhanced with a
“targeting” rule: whether the data protection rules apply will depend on
whether the data controllers are considered to target EU-based individuals
when processing their personal data, or monitor them online. He also added
that the meaning and scope of the concept of “adequate protection” would
likely be clarified by the European Commission.

Event webpage
http://www.eu-ems.com/summary.asp?event_id=97&page_id=681

(Contribution by Cedric Laurant – EDRi observer)