Narrow Agreement on Privacy Principles Possible, but Time Is Short
The private sector and sympathetic regulators should hammer out global privacy principles before lawmakers and data protection authorities develop rules that can’t be reconciled, the International Association of Privacy Professionals’ Privacy Summit was told Friday. Different regimes worldwide -- especially the comprehensive EU approach contrasted with the sectoral U.S. approach -- not only frustrate multinational businesses, but also paralyze smaller economies, speakers said. Those fearful of the EU imposing its regime on the world have an ally in U.K. Information Commissioner Richard Thomas, who said it may be time to “modernize” the EU Data Privacy Directive.
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
Among roughly 200 different privacy regimes worldwide, some are very “ideological,” said Peter Fleischer, Google global privacy counsel. The EU directive “theoretically” bars data transfers to nations with insufficient protection practices, but that means little in practice to Google, whose massive Web index and YouTube video collection are accessible anywhere, he said. “We're not waiting for this consensus to emerge,” but rather making sure Google’s own privacy practices are consistent worldwide, Fleischer said. Eduardo Ustaran, a lawyer who advises businesses and governments on EU data privacy, warned of a “widening gap” between laws that are “virtually static” and technology and business practices that are changing.
A major goal should be to “break down false perceptions” between the EU and U.S. -- that the U.S. is the “Wild West,” with no privacy protections, and that the EU is full of “granite-faced state bodies hostile to any enterprise,” said U.K. Commissioner Thomas, saying he’s been addressed as “commissar” in the U.S. “We have a lot more in common than we really think” when considering practical achievements instead of “minutiae of legal requirements,” he said. The minutiae frustrate Martin Abrams, executive director of the Center for Information Policy Leadership at law firm Hunton and Williams. The EU mandate that data can be transferred only to countries with independent privacy authorities is “just a nonstarter” for China, he said, calling the EU directive an “ad hoc approach” to privacy. Businesses and governments should focus on harmonizing in narrow areas like consumer protection and data security, seeking “one approach around things that are approachable,” Abrams said.
The rise of a “voyeuristic” culture, full of reality TV, blogs and paparazzi, is creating a “breakdown in the privacy culture,” said Alan Westin, emeritus professor at Columbia University and longtime privacy researcher. At the same time, consumers are wary of behavioral targeting, he said, citing his survey that found about 6 in 10 aren’t comfortable with online targeting. A slight majority, though, is okay with targeting if privacy protections are strengthened, Westin said.
Judging harm in the 21st century privacy context is a challenge, panelists said. “Risks appear much more quickly today” than in the past, when consumers had relative control over their “file” of personal information, Abrams said. The argument in the EU has been how much control to give people over their stored information, Ustaran said, but the fact is that people already have “a degree of control that they do not exercise” and may not fully understand: The EU is “too reliant on consent.” Abrams said making sure that information is used appropriately and protected, not consumer control, should be the primary aim.
Google’s Fleischer played the spoiler, arguing that talk of organizations’ “accountability” ignores the market. His company has hundreds of millions of users, he said: “We are accountable to them, and they are not shy” about complaining to Google about how it uses their data. Abrams said organizations should improve privacy practices “in a more rigorous fashion” because otherwise a “black and white backlash” by regulators could obliterate the U.S. sectoral approach. Westin had called that approach appropriate in emerging areas like electronic health records and online patient histories, such as those offered in Google’s new health project (WID March 27 p2). Thomas told Fleischer the private sector isn’t alone: The public sector accounts for 45 percent of U.K. GDP, and it has no market to keep it in check.
A main roadblock to better privacy regimes is that “governments are hungrier for intelligence,” Abrams said. A prime example is U.S. network operators’ failure to “confront” the government about seeking phone and Internet records without a warrant, Westin said. The only alternative to stopping such unauthorized snooping is to ensure that data are discarded quickly so the government can’t access them, he said. But Thomas said national security considerations could be separated from health care and other sectors when drawing up privacy rules.
Thomas proposed “halfway houses” between heavy privacy regulation in Europe and the sectoral U.S. regime, to prevent the EU from forcing its supposedly “perfect” regime on the world. That could mean use of third parties to verify privacy practices or internal accreditation, he said. Whatever goes on, major economic powers shouldn’t forget small jurisdictions like Bermuda, said that country’s e-commerce director, Nancy Volesky: “We really need to have a voice in this discussion” to ensure that such places have flexibility. “One-stop shopping would be ideal,” she said, but that’s admittedly unlikely.