US lobbying against draft Data Protection Regulation

By EDRi · December 22, 2011

Right at the end of the inter-service consultation process in the European Commission (the almost final step before a legislative proposal is launched), the United States Department of Commerce launched a significant lobbying campaign against the leaked draft proposal for a Data Protection Regulation. The campaign included high-level phone calls from senior figures in the US Department of Commerce to top level staff in the European Commission covering topics such as US business, multilateral and bilateral treaty organizations, PNR, national security, law enforcement, trade and innovation. A somewhat less critical, but nonetheless alarming, “informal note” was also circulated (pdf). Partly as a result, several Commission services, including OLAF (the internal anti-fraud unit whose data processing is not covered by proposals), issued negative internal opinions at the end of the inter-service process. These will now need to be taken into account by Commissioner Reding’s staff before the final proposal can be launched at the end of January.

In general, the US complained about the draft proposal, arguing that it will break with international standards and might even end up being counterproductive for data protection. In particular, the note criticises the proposals on data breach notification, children’s privacy and the “right to be forgotten”. The US also argues that “global interoperability” of national and regional privacy regimes could be undermined by the proposal. Furthermore, they argue that the proposals would interfere with or block investigations by public agencies in third countries on competition, consumer protection and even privacy, and would hinder information sharing between the EU and US, as well as “undercutting” enforcement cooperation between EU data protection authorities and the rest of the world. It goes on to try to make the point that a “balanced, proportional approach” would be of “greater value” to consumers.

In the following sections, we would like to highlight some of the most prominent exaggerations and misunderstandings in the US paper:

Section 1: Interoperability

The US praises its own global work on “interoperable” privacy standards and says that the EU’s draft proposal “widens, rather than narrows, the gap” between existing practices. In the past, the concept of “interoperability” has often meant simply that data is transferred to the US – without any US laws that would protect the data of non-US persons. After opposing innovation in the new framework, the note then says that substantial innovation is “of course” appropriate.

Data breach requirements

After acknowledging the positive impacts, the analysis of data breach notification requirements descends into logical truisms – “overly” strict standards would be overly strict and would “divert attention” away from improving corporate data security practices. It refers to the “broad” definition of personal data breach without further comment – as if a broad definition were, by definition, a flaw. The note explains at length that, in some exceptional circumstances, the 24-hour notification deadline may be disproportionate and would risk “over-notification” – although most US data breach notification statutes use very similar language. The note claims that this would put the focus on process rather than security.

Right to be forgotten

The note points out that requiring “any” link to personal data to be deleted is very expansive and may interfere with free speech rights. Ironically, a footnote, which runs exactly contrary to the current US proposals on copyright, explains that there is no point in using legal instruments to keep content off the Internet – quoting an academic who said “there is no (legal) remedy that is available that could prevent such a thing from happening – this is of course due to the decentralized, multijurisdictional character of the web”. They use an example where an injunction increased rather than decreased availability of the objected-to data.

Definition of “child”

The note points out that it may be problematic to treat teenagers in exactly the same way as small children. The note states that the Children’s Online Privacy Protection Act (COPPA) defines “child” as individuals under the age of 13 and that it could be difficult to always require parental permission, especially when teenagers are becoming more independent.

Adequacy

The note argues that the proposed draft regulation increases complexity by adopting a horizontal approach (which the Lisbon Treaty requires), adding another layer of problems to an already “burdensome, opaque and ‘indeterminate’” process. Interestingly, the note focuses on an ECJ decision in Akzo Nobel on attorney-client privilege in other countries, implying that adequacy assessments in a data protection ‘regime’ would be even more difficult, or even impossible.

Alternative provisions for data transfer

The US authorities appear to have had difficulty in understanding the draft proposal and how it will deal with codes of conduct, privacy certification schemes, seals and trustmarks – the US worries in particular that these may not be considered “adequate” for transfers to third countries.

Section 2: Regulatory enforcement and International Cooperation

The US authorities attack the restrictions in Article 42 on access to European data in the absence of an EU legal framework – with no sympathy at all for the idea that the EU has an obligation to protect European fundamental rights and cannot deliberately leave open a loophole through which foreign governments can gain access to European data. The note also worries that the current draft does not clearly permit – and may restrict – transfers of data from regulatory enforcement agencies in the EU or its member states to third country agencies such as the FTC.

Finally, the US authorities complain that the Regulation “appears” to limit full cross-border cooperation on privacy enforcement to countries which have an adequate data protection regime.

Most of the objections are rather specious, obviously weak or plain wrong and interest-driven, aiming to water down the standards in the leaked draft Regulation. This early-stage intervention obviously aims at reducing interference with access by the US to any data about European citizens in the course of their investigations, showing very little effort to understand the European concept of privacy.