As MEPs get closer to finalising draft reports on reforming EU data protection legislation, America's top diplomat told an experts’ conference that Europe should overcome its misconceptions and stereotypes to find regulatory convergence with the US to pave the way for an interoperable transatlantic data-privacy system.
“The transatlantic privacy discussion is too often sidetracked by misconceptions about the US legal system – myths that obscure our fundamental commitment to privacy and the extensive legal protections we provide to data,” said US Ambassador William Kennard, speaking at a data protection conference in Brussels.
“Some people just don’t want to look beyond stereotypes,” he said, lamenting the pretentious attitude that the European Union does a better job at protecting data than the United States.
Obstructionism is often led by those who seek to establish Europe as the global standard, or by those who for political reasons find it useful to have a demon, said Kennard.
The EU and the US share similarities in their approaches to personal data protection, but there are also differences that have made negotiating agreements on data transfers particularly difficult – like SWIFT (on personal and commercial financial transactions) and passenger name recognition (PNR).
As the EU is working to modernise its system, it must not sideline the interoperability of its system, US experts warn, arguing that data must continue to flow freely to allow businesses to operate the transatlantic market without unnecessary red tape.
The economic stake of a transatlantic digital market is huge. Only for Europe, McKinsey predicted last year a potential economic surplus of €120 billion by 2020. This year, the Boston Consulting group has shown that a fully functioning single market could bring €1 trillion of added GDP in 2020.
“The regulation is designed to be simple and practical for businesses. It allows firms to have just one supervisory authority,” said European Commission Vice President Viviane Reding, who is in charge of the dossier.
Along with simplicity, the Commission has also made sure that the regulation includes legal certainty, via the ‘consistency mechanism’ , which will prompt supervisory authorities to collectively agree positions that would apply across the 27-nation bloc.
Although the envisioned legal framework will make it easier within Europe, the system must continue to be compatible with systems being built in other parts of the worlds.
The United State, like the EU, is in the process of reforming parts of its data privacy framework. In February 2012, President Barack Obama released his Privacy Blueprint. But there is a risk that reforms on both sides of the Atlantic settle on some rules that will hamper interoperability.
‘Adequacy’ criteria on the spot
The issue of the so-called ‘adequacy decision’ is one of the most controversial areas. According to the Commission proposal, the transfer of personal data to a third country is done only if the country ensures and adequate level of protection.
As it is drafted in the Commission proposal, ‘an adequacy’ criteria is determined making comparisons to a European-style system of data protection.
“The provisions do not recognise the existence of privacy protection systems that are structured differently, but ensure an equally high level of protection and enforcement, like those in the United States,” Kennard said.
Another potentially contentious rule is the one according to which binding corporate rules (BCRs) for holding multinational companies accountable for their global practices are to be approved by EU supervisory authorities.
The United States, which relies on a system of enforceable codes of conduct, complains that there is no mention in the possibility to use codes of conduct and certification schemes as a basis for cross-border transfers.
Britain's information commissioner, Christopher Graham, told the conference that the draft regulation is “over-prescribed and over-detailed but it's a modern text of best practice.”
Commission’s open-minded approach?
Reding said the Commission is considering codes of conduct and other business-led initiatives to give more flexibility to the so-called delegated acts, included in the draft proposal to respect sectoral concerns.
“We have to be careful. The alternative [to the delegated acts] should not make the text more prescriptive. The [data protection reform] package should remain technologically neutral and future proof,” she said, adding she is prepared to make changes that maintain flexibility and certainty in every case.
Removing protection gaps and discrepancies between the EU-US legal systems and thereby improving legal certainty must be at the core of the transatlantic dialogue on the issue.
“Creating poorly-connected regulatory environments for data exchange will slow down transatlantic and global trade, instead of providing the right conditions for businesses to innovate and thrive in a global marketplace and to generate the jobs and growth we much need these days,” Kennard said.
The EU and the US are aiming to start negotiations on a comprehensive free-trade agreement. The high-level working group on growth and jobs, set up at last year’s EU-US summit, is expected to deliver its report by the end of 2012.
Existing European Union rules on data protection were adopted in 1995, when the Internet was still in its infancy.
Nowadays, information on web surfing habits allows service providers to tailor products to customers needs, placing for example ads which are relevant for people doing frequent searches for the best flight deals.
But some private information can be very sensitive, such as credit card numbers or bank accountdeposit details. Other type of sensitive information may relate to people's health condition or sexual or political orientation. Location data or online identifiers, such as cookies, are also widely considered as personal data.
Meanwhile, EU citizens are becoming increasingly aware of the possibilities for misusing their personal information. According to a recent Eurobarometer poll, 70% of those surveyed were concerned that personal data is used by companies for purposes other than for what it was collected for, while 64% feel that information on how their data is processed is unsatisfactory.
To address these concerns, the European Commission published in January a broad legislative package aimed at safeguarding personal data across the EU.
- January 2012: European Parliament Civil Liberties, Justice and home affaris committee to adopt report on data protection regulation
- January-June 2012: Irish presidency, which has made data protection legislation a priority and will try to have the regulation adopted by the end of its mandate
EU official documents
- EUR-Lex:Existing Data Protection Directive (24 Oct. 1995) [FR]
- European Commission:Proposed regulation revising data protection rules(25 Jan. 2012) [FR]
- European Commission:Proposed Directive on use of data by security institutions (25 Jan. 2012) [FR]
- US mission to the EU: Five Myths Regarding Privacy and Law Enforcement Access to Personal Information in the European Union and the United States (4 December 2012)
- US Department of Commerce:Informal paper on EU data protection overhaul (16 Jan. 2012)