William E. Kennard is the United States’ Ambassador to the European Union. He contributed this commentary piece in exclusivity for EurActiv.com.
"The United States government is engaged with the EU on a wide range of data privacy issues. During President Obama’s first term in office, we’ve held intensive discussions with the EU on issues ranging from information-sharing agreements for countering terrorism, such as the Terrorist Finance Tracking Program (TFTP) and Passenger Name Record (PNR) agreements, to the overarching data privacy agreement we’re currently negotiating with the EU. We are also providing input on the ambitious legislative process underway in Brussels to reform the EU’s 1995 privacy directive.
This is an especially important time for our engagement with the EU on data privacy issues. President Obama is also committed to updating U.S. privacy laws to take into account new technologies and the ways that people use online data.
As we work on fundamental reform of our respective privacy policies, we should create policies that are interoperable so that data can move freely throughout the transatlantic marketplace. Consumers sharing personal data with companies doing business in both Europe and the U.S. should have confidence that their data is provided consistent, high standards of protection. And businesses should be able to use data without encountering disparate regulation or regulation that constrains innovation.
We need to get this right – together. In the transatlantic debate over privacy, there is sometimes a tendency to elevate form over substance and process over results. We sometimes underestimate the power of equivalent outcomes. In the U.S., we treasure our privacy. It’s enshrined in our Constitution, and we believe that our system provides outcomes that are just as good as those in Europe.
However, we have to recognize that our systems are structurally different. The United States has a well-developed privacy system, but it is rooted in many statutory authorities and is therefore more sector-specific, covering, for example, healthcare, financial services, or telecoms. Similarly, we have a multi-layered system of enforcement that includes judicial authorities, chief privacy officers in many regulatory agencies, and oversight by inspectors general who audit government compliance with privacy rules. By contrast, the EU’s legal tradition favors a single statutory framework, with centralized enforcement by national and EU-level data privacy authorities. These are different systems, but one is not better than the other. Both provide a high level of consumer protection.
We should recognize that there is a huge upside – for both of our economies and for our citizens – if we can achieve interoperable systems of data privacy protection. Certain areas hold great promise for us to find convergence. A core concept of the proposed EU legislation is the requirement that EU authorities deem privacy regimes of third countries as “adequate" as a precondition to sharing data from the EU. More than anything else, an EU finding that the U.S. system is adequate would help the free flow of information between the United States and the EU.
A core concept in President Obama’s privacy blueprint is the notion of enforceable codes of conduct governing how businesses handle personal data. The EU separately is considering improvements to the use of binding corporate rules (BCRs). There is potential to synchronize these two approaches.
The requirement in the proposed EU legislation that consumers always give explicit consent before information is shared differs from our approach. We believe that this requirement would both constrain the flow of information and frustrate consumers. The right to be forgotten also is a laudable goal, but we have concerns about how it would be implemented in practice, especially when it comes to understanding how data controllers would be assigned liability for data that they no longer control.
In the area of cooperation among regulators and law enforcement authorities, we are concerned that decades of transatlantic cooperation might be put at risk unless the continuing validity of existing agreements is recognized, particularly since this has not been an area of concern or abuse.
Myths about U.S. privacy protections are particularly prevalent in the law enforcement area. In virtually all cases, our law enforcement officials must obtain judicial approval before accessing private data in the course of criminal investigations. We’re proud of this high standard, which we believe to be the highest in the world. A particularly pernicious myth is that the U.S. Patriot Act somehow undermines this requirement for judicial approval.
In the end, we should draw confidence from the knowledge that we have successfully overcome similar differences in the past. Back at the dawn of the Internet Age, there was concern that U.S. companies might have trouble complying with EU data privacy rules. The U.S. and EU worked together to develop a workable solution through the Safe Harbor agreement. More recently, during the Obama Administration, we reached agreement on the TFTP and PNR agreements by working together to find ways to ensure that our information sharing would comply with both U.S. and EU policies on data protection. Working through these issues is not always easy, but time and again, we have done so. Where there is a will, there is a way.
In our parallel efforts to update our privacy laws, the United States and the EU have the chance to build the foundation for a transatlantic digital single market We should not let this historic opportunity pass."