EU-US joint commitments on privacy and protection of personal data

By EDRi · March 28, 2012

This article is also available in:
Deutsch: [EU – USA: Bekenntnis zu Privatsphäre und Datenschutz | https://www.unwatched.org/EDRigram_10.6_EU_USA_Bekenntnis_zu_Privatsphaere_und_Datenschutz?pk_campaign=edri&pk_kwd=20120328]

At the 28 November 2011 EU-US Summit, President Obama and Presidents Van
Rompuy and Barroso announced that the US and the EU are determined to
finalise negotiations on a comprehensive EU-US data privacy and protection
agreement. On 19 March 2012, a High Level Conference on Privacy and
Protection of Personal Data took place to discuss commercial data privacy
questions, held simultaneously in Washington and Brussels. The conference
was extremely well attended by high-level EU regulators and provided
valuable insights into the respective priorities. Before the Conference,
European Commission (EC) Vice-President Viviane Reding and U.S. Secretary of
Commerce John Bryson released an EU-US joint statement on data protection in
which they stated that this was a defining moment for global personal data
protection and privacy policy and for achieving further interoperability of
our systems on a high level of protection.

The conference was organised in the context of the EC’s legislative
proposals to reform and strengthen the fundamental right to data protection
and unify the EU’s data protection laws and enforcement rules, and of
President Obama’s privacy blueprint, including the Consumer Privacy Bill of
Rights.
Stakeholders in the US are very interested in the ongoing data protection
reform in the European Union – notably in the proposal for a “one-stop-shop”
and a consistent regulatory level playing field across all EU Member States.

Viviane Reding started by saying that today, in a digital economy, the
scale of sharing personal information has increased and has become a crucial
factor of economic growth, so protecting citizens’ rights is essential:
trust in the digital economy is possible only when solid protection is in
place. That is why data protection is a strong policy priority for the
European Commission and the European Parliament, as well as for all the 27
Member States. Notably, she underlined three prominent elements:

1. The principles of data protection are as valid today as in 1995 and the
EU has to reaffirm the importance of this fundamental right.

2. Technological innovations have made our data protection rules a key
factor for our digital single market because, in order to flourish, our
economy needs trust: lack of trust discourages citizens from buying online
and giving their personal information online.

3. European and American companies expect that the new European data law
will provide a level playing field, regardless of where in the 27 Member
States a company operates: the goal is to create only one rule for Europe,
making sure that the one-stop-shop for data protection regulation applies to
all EU Member States; this is the only way the EU will be a more attractive
place to do business.

US authorities have made efforts to comply with the Safe Harbour, but more
efforts are needed: a dialogue is needed to improve the Safe Harbour
agreement and to go even further; stronger interoperability standards are
needed as well to complete the puzzle and provide legal certainty to
businesses and citizens.

John Bryson, US Secretary of Commerce, who contributed a video message,
reported that President Obama had asked Congress to enact legislation but
also to move ahead on a voluntary basis through codes of conduct,
underlining the importance of a collaborative approach. The other speakers
in the first panel also all broadly welcomed both the EU proposals and the
Obama White Paper.

However, Douwe Korff, representing EDRi, said that these exchanges of mutual
compliments were excessive: there were still major issues to be resolved. In
particular, in Europe, data protection is a fundamental right, accorded to
“everyone” (Charter of Fundamental Rights). The European civil society in
principle welcomed the proposed EU Regulation insofar as it sought to
achieve data protection at a high level, although quite a few issues still
needed improving or clarifying. By contrast, in the US privacy is given much
less protection under the Constitution: although the recent Jones decision
by the Supreme Court has shown progress, there were still important
limitations on the US Fourth Amendment guarantees; the “third party” doctrine
undermined principles that are seen as crucial in Europe, notably
purpose-limitation; and in important areas privacy protection was denied to
non-US citizens altogether.

Although the conference as such was limited to privacy in the commercial
context, the debate should also note the major issue of private-sector data
being used for law enforcement and national security purposes without
appropriate safeguards: that was the elephant in the room that no-one
mentioned. From a European perspective, it was essential that privacy in the
USA should be placed on a comprehensive statutory basis that met the
international standards, as enshrined in the only binding global data
protection instrument, Council of Europe Convention No. 108 (currently being
updated). The President’s proposals for a Consumer Privacy Bill of Rights
would only result in an acceptable situation if that Bill became binding
law, meeting the new Convention standards.

In the second panel, Representative Ed Markey (D-MA)’s speech was revealing:
he presented a good update on the status of the COPPA (Children’s Online
Privacy Protection Act) revisions and, as the long-standing co-chair of the
Congressional Privacy Caucus, provided a fascinating historical summary of
the various federal privacy initiatives of recent decades. He highlighted
that people in the US shared the same concerns and values as those in the
EU, in particular the fundamental principles of knowledge, notice and the
right to say “No” to the use of their private information, but something
gets lost in translation from principle to practice. In his opinion, the
data protection Regulation can assure a high level of protection and is
therefore a good example to follow: the US Congress needs to act to protect
privacy as a right. Notably, he insisted on the need to protect those aged
15 and younger from behavioural targeting ads and to create, for this
purpose, a safe harbour for children. He commended Viviane Reding for the
strong response to Google’s new privacy policy and asked for an
investigation of that policy in the US.

In the third panel, Peter Hustinx, the European Data Protection Supervisor,
had a slightly optimistic message for the US. In outlining his understanding
of the interoperability requirements highlighted in the Joint Statement, he
suggested that an adequacy finding could result from the implementation of
the White Paper, even if it did not result in a comprehensive law, as
adamantly requested by Francoise Le Bail, Director-General for Justice at
the European Commission. Mr. Hustinx emphasized the need for sufficiently
common principles and their binding implementation as far more important
than the specifics of the regulatory regime.

The fourth panel focussed on the enforcement of privacy (and other matters)
by the US Federal Trade Commission, and was thus linked to the fifth panel
which specifically discussed the Safe Harbor. FTC representatives strongly
emphasised their commitment to strong enforcement, and pointed to two recent
agreements with Google and Yahoo. However, David Smith, the UK Deputy
Information Commissioner with primary responsibility for data protection,
said that when he looked at the websites of a small random sample of
companies that said they complied with the Safe Harbor, he found that about
1/3 of them did not even appear to have a privacy statement, another 1/3 had
one but it did not meet the Safe Harbor standards, and the final 1/3 seemed
to have a privacy statement that more or less reflected the Safe Harbor
requirements. Douwe Korff intervened to say that was what he found too, and
said that in spite of the two recent cases (the effects of which still
needed to be seen), the Safe Harbor appeared to be largely a fig leaf behind
which US companies in practice continued to operate contrary to basic
privacy principles. Another intervener, Edward Hasbrouck, pointed out that
the FTC’s remit was limited in some important respects, and for instance did
not cover transportation and, thus, airline passenger data.

EU Conference: Privacy and Protection of Personal Data (19.03.2012)
http://ec.europa.eu/justice/events/eu-us-data/index.html

Recorded webcast of the Conference (19.03.2012)
http://scic.ec.europa.eu/str/indexh264.php?sessionno=0cdf61037d7053ca59347ab230818335

Viviane Reding’s speech: Towards a New “Gold Standard” in Data
Protection? (19.03.2012)
http://ec.europa.eu/commission_2010-2014/reding/pdf/speeches/20120319speech-data-gold-standard_en.pdf

EU-U.S. joint statement on data protection by European Commission
Vice-President Viviane Reding and U.S. Secretary of Commerce John Bryson
(19.03.2012)
http://europa.eu/rapid/pressReleasesAction.do?reference=MEMO/12/192

(Thanks to Douwe Korff – EDRi member FIPR – UK)