It is common ground that there is relatively little common ground between the US and the EU in their approach to data protection and privacy legislation. While the EU operates perhaps the most stringent and comprehensive system of data protection in the world, the US has opted for a more piecemeal approach with a focus on industry self-regulation over a centralised system of legislation. This divergent approach has resulted in some transatlantic turbulence over the years; the Safe Harbour Agreement, for instance, requires US corporations seeking to trade with EU member states to guarantee that they will comply with the stricter EU rules on data protection.
In January, the EU will announce even tougher internet privacy restrictions which will have global reach. Amidst growing concerns particularly amongst US-based internet companies that the EU is monopolizing too much of the data discussion, is the US finally taking a more comprehensive approach to privacy?
Regulate: The EU
The European approach to privacy starts from the position that there is a fundamental right to privacy. The EU has accordingly adopted a system of heavy regulation, extending to all aspects of an individual’s life. This right extends beyond European borders. The Data Protection Directive restricts the transfer of personal data outside of the EU unless the third country ensures an “adequate level of [data] protection”. This approach effectively means that the EU may extend its own standards of data protection to any country wishing to trade with it. More specifically, it requires other countries to look at their own data protection laws and, if they are not “adequate” for the purposes of the EU, either amend their regulation or guarantee that in dealing with data from the EU, they will apply more stringent standards.
Delegate: The US
It is trite that the US recognises the right to privacy. It has been held to have roots in various parts of the Federal Constitution. In contrast to the European approach, which looks at a more positive obligation to protect privacy, the US approach is more of a “right to be let alone”. This brings us to the key difference between the US and European approach: the focus of the regulation. In the US, an individual’s federal constitutional right to privacy generally extends only to protection against the federal government’s intrusion into their private affairs. Of course, the 14th Amendment and the ensuing rights to privacy cover State authorities as well, and most State constitutions recognise a right to privacy independently of that. Nonetheless, there is no single legislative or regulatory framework but a multitude of different laws for different areas. Private corporations, with the exception of some medical and financial personal data, are not subject to any comprehensive privacy or data protection regime, although, as noted below, one such proposal is currently pending before Congress. Generally speaking, the US approach steers clear of the heavy government oversight and enforcement role of the EU.
The US Federal Trade Commission has developed the “safe harbour” provision to certify that a particular organization provides an adequate level of protection for personal data. Placing too much weight on this as a safeguard is unhelpful; the agreement lacks the means to determine whether corporations are in fact complying with EU rules and is increasingly perceived as more of a voluntary compliance agreement.
Let’s call the whole thing off?
The disjointed and disparate nature of US privacy law is perhaps one of the main reasons for Europe’s scepticism surrounding the degree of protection afforded to personal data by American corporations. With no real government regulation and no independent data protection body, Europe’s approach towards its American counterparts has been particularly inflexible. This is especially true in relation to internet companies such as Twitter, Google, and Facebook. Despite all being signatories to the Safe Harbour Agreement, there are increasing concerns over the degree of protection afforded to individuals’ data on these websites, with the retention of personal information, cookies, and targeted advertising all sparking a sense of unease in Europe. For example, there were recent calls by the German Minister for Food, Agriculture and Consumer Protection for German federal agencies to no longer use Facebook to promote government policies. There has also been individual litigation reflecting the emergent “right to be forgotten”, which has challenged the retention of personal data by Facebook once a profile is deleted. Europe is coming down hard on transatlantic web privacy. In January there are plans to revise the Data Protection Directive to require non-EU companies to comply with Europe’s stricter data protection rules or risk fines or even prosecution.
Data malaise is not limited to this side of the Atlantic. The US Department of Commerce, in a discussion paper released in 2010, called for tighter regulation based on Fair Information Practice Principles (FIPPs). It recognised a growing concern amongst individuals in the US that their data is not adequately protected online. The paper was informed by comments from Google, Microsoft and other businesses, all of which, unsurprisingly, expressed concern that the stark divergence in standards was a non-tariff barrier to trade. It also highlighted concern amongst individuals that private corporations were not adequately safeguarding their personal data. Since then, there has been a rush of legislative activity and a new, comprehensive privacy bill is being debated in Congress. Moreover, the Federal Trade Commission is adopting a tougher stance, recently prompting Facebook to conduct an overhaul of its privacy rules. This follows a review of the FTC’s own privacy regulations, especially with regard to the protection of children online. However, as yet all this seems to show is that the US wants to do something but doesn’t quite know what.
These are nonetheless important steps. The US will not – and should not – adopt an identical regulatory framework to the EU; attitudes towards privacy differ on both sides of the Atlantic and attempts to force one model into an existing one will be counterproductive in the long run. Indeed, one can see problems with Europe’s latest proposals for greater regulation and enforcement of privacy on the web. Jurisdiction is an old but persistent problem with internet regulation and one might reasonably be sceptical of the effectiveness of enforcement mechanisms against companies headquartered in the US, where the breach is alleged to have occurred elsewhere. Greater controls over internet privacy are needed but may be better achieved domestically or regionally. For example, in May 2011 the Do Not Track Online Act of 2011 was put before the US Senate which would allow individuals to choose not to have their data stored on any website, rather than having to make separate requests of each one.
On the other hand, the US needs to be wary of assuming that it does not need to engage in the global privacy debate because its model is ultimately the best one. Indeed, regional privacy frameworks are no longer limited to Europe. The APEC privacy framework, aimed at promoting trade and information sharing along the Asia-Pacific rim, is gaining momentum, as are data protection laws in Latin America and Canada. More recently, there have been discussions surrounding a regional framework for the Organization of American States, and a set of draft principles is being drawn up for consideration.
These developments only increase the need for the US to seriously engage with the debate domestically. By moving towards a more comprehensive, independently regulated privacy framework that protects individuals and preserves economic interests, the US can play a role in shaping the future of privacy law and rebut the European presumption that whatever protection the US offers will always fall short of the mark.
Kirsten Sjovoll is a trainee barrister at Matrix Chambers