US continue pushing on EU Commission against Data Protection proposals

By EDRi · January 18, 2012


The US Department of Commerce has circulated a second informal note with
comments on the proposals for a data protection regulation and a directive
on data protection in the field of law enforcement. This time, its criticism
focuses on the following concerns: the regulation could hinder commercial
interoperability and even be counter-productive for consumer privacy
protection, and it could have a negative impact on freedom of speech and other
human rights, on law enforcement cooperation, on cooperation between
regulatory authorities and on civil litigation.

The high-level interference with the internal processes of the European
Commission by the United States is quite extraordinary. Undoubtedly, a
degree of concern can legitimately be expressed as the final decisions are
being made on a piece of legislation which has international significance.
However, this amount of interference, before either the European Parliament
or Council (the Member States) have been able to have their say, implies a
significant level of disrespect for the institutions of the Union and their
ability to resolve any issues with what is, after all, the first draft in a
legislative process which will last two to three years.

According to the DoC’s informal note, the Safe Harbor Agreement enabled the
transfer of personal data and is a “vital component of transatlantic trade”.
The DoC thereby completely ignores the findings of several external
evaluations of the EU-US Safe Harbor Privacy Principles, which attacked the
agreement in terms of compliance and enforcement; the agreement is today
widely considered to be entirely without credibility.

The note praises Article 40 and its provisions regarding Binding Corporate
Rules (BCR) as a legal basis for transfers of personal data to third
countries but asks for more detail regarding the type of verification data
protection authorities will consider sufficient. The document also states
that codes of conduct (of the kind that have failed to develop in the
existing Directive, but are nonetheless envisaged in the USA) can lead to an
increase in interoperability and enhanced consumer protection and suggests
that the EU look into mechanisms to convert codes of conduct into BCRs.

However, the provision for explicit consent with a single standard is
heavily criticized since, it is argued, if it is not simplified and
meaningful, it could easily overburden individuals. The DoC states that
a single standard is ill-suited for institutions and types of commerce that
offer financial products and services.

The DoC then criticises the Regulation’s specifications regarding “privacy
by design” and the broad authority given to the EU Commission to set out the
technical standards – without presenting any valid arguments against the
proposed principle of privacy by design itself.

The informal note also qualifies some provisions as being infeasible, since
they would impose burdens on businesses without enhancing consumer
protection, such as data breach notification and the right to be forgotten.

In contrast to its first note from December 2011, the DoC now admits that
the US itself has several federal laws regarding breach notification, but
repeats the criticism of its first informal note regarding the obligation
to notify data subjects within 24 hours, arguing that the period is “simply
too short”, that it could lead to “massive fines” for companies and to
confusing “false alarms” for consumers.

The draft Regulation is also considered to be inconsistent with the global
nature of the Internet since it would assert jurisdiction over persons
operating websites without a legal nexus with Europe (i.e. exactly what the
US is proposing in its current draft proposals on intellectual property).
According to the DoC, the term “directed to” is neither sufficiently defined
in paragraph 15 nor does the limiting principle go far enough. Oddly enough,
the “directed to residents of the US” provision of the planned Protect IP
Act (PIPA) raises no similar concerns in the US.

As mentioned above, the note qualifies the “right to be forgotten” as
undermining freedom of expression, as technically impracticable and as
ignoring the open and decentralised nature of the Internet. The DoC
expresses concern that the exceptions in article 80 are narrower than
freedom of expression, that the “right” to be forgotten is not an
internationally recognised right, and that protected expression will be deleted.
However, the DoC seems to ignore that this article is based on an already
existing right as set out by the EU (1995/46/EC, article 12 b) and that
these concerns can easily be addressed by clarification of the wording of
the current draft of the Regulation.

Of course, the DoC is also very concerned about the draft Police and
Criminal Justice Data Protection Directive saying that it would limit
information and evidence sharing to “the minimum necessary” – which is a
useful, albeit unintentional, confirmation that the proposal is legal under
the Charter of Fundamental Rights. They are also unhappy about the fact that
other legal information-sharing instruments with EU Member States would
probably not suffice under the proposed Directive since existing instruments
must meet specific and “problematic” privacy protection requirements.
Moreover, the DoC fears that the “strong system of privacy protection”
existing in the United States (which, incidentally, does not cover EU
citizens) would disappear since it would be forced to adopt the European
style of data protection.

The DoC criticises the data transfer provisions of the draft Regulation
(art. 37-41) arguing that they would undermine cooperation and data sharing
processes among regulatory authorities in the US, the EU and the EU’s Member
States based on cooperative arrangements.

The document then specifically targets article 42 stating that its
restrictions could block or delay access to information held by US firms and
have an impact on investigations of EU firms and citizens. Bizarrely, the US
DoC is worried about regulating a currently unregulated situation which
would permit data exchange in the absence of a legal framework and legal
safeguards. According to the note, article 42 might even affect the
US-registered companies located in the EU and their ability to conduct
business in the US. It is noteworthy that the US currently uses instruments
such as the Foreign Intelligence Surveillance Act to retrieve data on
foreign individuals’ political activities, who may have no contact
whatsoever with the USA, via companies with US offices. This legal vacuum
would be addressed by article 42.

An unusually high number of Commission services issued negative internal
opinions on the draft legislation, thus delaying the inter-service process
(see the two opinions below). This was partly a result of the significant
lobbying campaign (including high-level phone calls to top-level staff in
the European Commission) against the leaked draft proposal for a Regulation
by the United States Department of Commerce and the Federal Trade
Commission; the official draft proposal is now expected to be published on 25 January.

First informal note circulated by the US (21.12.2011)

Second informal note by the US (16.01.2012)

Opinion DG Trade (21.12.2011)

Opinion DG Infso (21.12.2011)

Chris Connolly (Galexia), US Safe Harbor – Fact or Fiction?, Privacy Laws
and Business International, issue 96, December 2008

The implementation of Commission Decision 520/2000/EC on the adequate
protection of personal data provided by the Safe Harbour privacy Principles
and related Frequently Asked Questions issued by the US Department of
Commerce SEC(2004)1323

(Contribution by Kirsten Fiedler – EDRi)