US makes first public comment over draft EU data privacy law
A senior US official has met with European Commission staff in Brussels to share views on the overhaul of EU data protection rules and to assuage fears in Europe about a lack of robustness in the US privacy enforcement regime.
Julie Brill, who sits on the Federal Trade Commission (FTC), was the first to come to Brussels directly to address the EU's pending proposal for a data protection regulation.
The issue has sparked keen interest and concern amongst US business groups (see background) and Brill’s meeting on 18 April represented the first formal US government consultation with the EU executive on the issue.
Brill was appointed to the FTC – a key US data privacy regulator and policymaker – by President Barrack Obama in 2010, and told EurActiv that she had an effective international liaison role with the FTC and therefore would be a point of contact for the US on the new rules.
She told journalists after the meeting that one of the reasons for her visit was to counter the impression of a “lack of understanding about how robust the US [privacy] regime actually is, and how much enforcement work we do, and how strong the laws are that we do have, and how active our agency is in enforcement.”
We are tough on data protection, says FTC
Describing privacy as “mission critical” for the FTC, Brill cited the agency’s implementation of the Children’s Online Privacy Protection Act, and issuance of 20-year ‘consent orders’ against internet giants such as Facebook, Google, MySpace and Twitter as evidence of ‘aggressive’ enforcement.
The consent orders require the internet companies to be audited every second year to ensure they are in line with privacy rules.
“We at the FTC share many of the same goals that are embedded in the proposed [EU] regulation,” Brill said.
Many of the concepts within it – including privacy by design, greater transparency, data security, accountability and codes of conduct – are also reflected in current US thinking about privacy, the commissioner said.
“I wanted to make sure that the language will allow us to continue to co-operate robustly through the ‘safe harbour’, we want to make sure that we have the means to co-operate on international privacy enforcement, and to do it robustly,” said Brill.
The ‘safe harbour’ framework enables European firms prohibited from transferring personal data to overseas jurisdictions with different privacy laws, to do so where the receiving companies agree to abide by so-called 'safe harbour' principles.
“We wanted to assure them that there are appropriate systems in place, that the 'safe harbour' can be enforced,” Brill said.
Saying the the EU and US had "compared notes on what works and what doesn’t work with enforcement," Brill also alluded to some differences of opinion.
“Our role is a consultative role and in that context on data breach notification, requiring a company to give a breach notification to the regulator within a very short time frame can be problematic,” she said, referring to the draft proposals.
Brill explained that where criminal investigations are pending, it may be necessary to take police action, or sometimes to allow the offence to continue as a way of trapping fraudsters, before regulators are notified.
Another concern she highlighted related to enforceable codes of conduct. Brill said that the FTC had a lot of experience with the operation of such codes, and believed that voluntary schemes supervised by delegated authorities could be more effective than a more prescriptive legal approach.
Asked to what extent data protection issues might play a part in the current negotiations surrounding negotiation of a US-EU trade agreement, Brill said that she was not in a position to say, since such negotiations were a matter for the US government.
The European Commission published in January 2012 a broad legislative package aimed at safeguarding personal data across the EU.
The reform is of particular interest to countries like the United States, whose companies may have to abide by stricter provisions to do business in Europe. But intense lobbying from the United States in part watered down the draft legislation.
The overhaul of data protection rules proposed by Viviane Reding, the European Commission vice president in charge of fundamental rights, was substantially modified before it was published, following a heated debate within the EU executive.
Many lobbies tried to soften the rules concerning the newly introduced 'right to be forgotten,' enabling users to delete personal information that they no longer want to share with banks, online booking websites or social media.
- 2013: Updated data protection rules continue to be negotiated by European Parliament and European Council