The EU Conference on Privacy and the Protection of Personal Data held March 19 in Washington, D.C., was a great illustration of the importance of the topic within the European Union. The conference was extremely well attended by high-level EU regulators and provided valuable insights into the respective priorities. Tangible results, however, were scarce and consisted largely of a joint statement on privacy by EU Commission Vice-President Viviane Reding and US Commerce Secretary John Bryson. The Joint Statement recognized the need for multinational cooperation to create mutual recognition frameworks that protect privacy in order to facilitate the free flow of information across borders. Both sides reaffirmed their commitment to the US-EU Safe Harbor Framework as a means to transfer data from the EU to the US.
A joint conference, especially when organized by the European Commission, but held in Washington, D.C., instead of its headquarters in Brussels, naturally brings forth many polite statements of mutual admiration for one another’s efforts in the area of data privacy. Undoubtedly, the highlights of the conference occurred whenever the gloves came off and issues and expectations were voiced clearly.
One of my personal highlights was seeing my fellow German countrymen and -women live up to our reputation of being blunt, punctual and lacking any sense of humor. Paul Nemitz, Director of Fundamental Rights and Citizenship at the European Commission, set the tone by dashing the hopes of Cameron Kerry, General Counsel for the US Department of Commerce, that the White Paper published by the White House as a blueprint for a Consumer Privacy Bill of Rights has brought the United States any closer to an adequacy finding by the European Union. Mr. Nemitz also questioned the effectiveness of FTC enforcement actions by calling it mainly “good PR.” The criticism was superbly countered by Maneesha Mithal, Associate Director, Division of Privacy and Identity Protection at the FTC, who very gracefully accepted the statement as a compliment. In addition, she also provided useful substantive information of the FTC’s enforcement priorities and as a result, earned a spot in my personal list of highlights.
Other memorable moments included the passionate speech by Representative Ed Markey, D-MA, who presented a good update on the status of the COPPA revisions and, as the long-standing co-chair of the Congressional Privacy Caucus, provided a fascinating historical summary of the various federal privacy initiatives of recent decades.
Peter Hustinx, the European Data Protection Supervisor, was one of the few European representatives with a slightly optimistic message for the US. In outlining his understanding of the interoperability requirements highlighted in the Joint Statement, he suggested that an adequacy finding could result from the implementation of the White Paper, even if it did not result in a comprehensive law, as adamantly requested by Francoise Le Bail, Director-General for Justice at the European Commission. Mr. Hustinx emphasized the need for sufficiently common principles and their binding implementation as far more important than the specifics of the regulatory regime.
Take-aways for US privacy practitioners:
- The current FTC enforcement priorities are:
- Social media
- Online tracking
- Data security
- Mobile privacy
- FCRA and apps that allow for instant background checks, especially when utilized by employers or prospective employers
- Without a comprehensive law, the EU will likely not grant the US adequacy status. The concept of enforceable codes of conduct as introduced in the White Paper is viewed with skepticism among the EU regulators.
- Interoperability is the “hot” new term. While the technological implications are generally well understood, a definition from a legal perspective is still missing. Mr. Hustinx presented his understanding of interoperability requirements as:
- Sufficiently common principles (which, of course, must be binding)
- Common implementation of these principles
- Common enforcement
- Common mechanisms for individual redress
- Safe Harbor will continue despite European concerns over its effectiveness. Under the current budget situation, it is highly unlikely that the FTC will implement compliance audits, despite the adamant requests by various European NGOs.
- The EU Commission is convinced that European businesses will gladly accept stringent data protection rules as long as they are uniformly applied. The opinion was corroborated by the DPO of Deutsche Telekom who listed legal certainty as his top priority.
Great efforts are being made on both sides to understand, accept and ultimately overcome the differences in the respective approaches to the protection of privacy rights. Whether reliance upon dialogue alone will be enough to accomplish these goals remains to be seen. The conference seemed to indicate that mere education about the basic principles is insufficient, but that, instead, a certain level of personal experience is required to fully understand and accept the different political, social and historical contexts in which both regimes function.