U.S., Europe Privacy Practices

For companies doing business in the European Union, the EU’s strong customer data privacy protections, enacted in its 1995 Data Protection Directive and other laws, have long presented challenges. Numerous major U.S. organizations have faced fines and other actions for noncompliance despite a safe harbor provision. Now other countries appear to be moving toward the EU’s more protective model.

“When you think about it, the U.S. appears to be more and more alone in this area,” says Justin Brookman, director of the Center for Democracy and Technology.

That can make doing business globally even more difficult for U.S. firms. Some experts also say a perceived lack of U.S. privacy protections may hold additional risks for U.S. businesses. The United States could be especially at risk of losing competitiveness in areas such as the Internet, cloud computing, and other technological developments.

“A ‘we don’t care about privacy’ attitude from the United States creates major risks for U.S. jobs, exports, and businesses,” said Peter Swire, a professor of law at Ohio State University, at a recent House Energy and Commerce Committee hearing. “The lack of U.S. privacy rules can become a powerful excuse for protectionism, risking U.S. jobs and the sales of U.S.-based businesses,” he noted.

But major pro-consumer revisions to existing U.S. data protection and privacy laws are highly unlikely in the current political and business environment. Far more likely to be successful is some type of new collaborative approach to working with trading partners that combines industry support and reasonable enforcement mechanisms.

That type of collaborative—rather than coercive—approach is included in the proposals in a working draft paper (called the green paper). Originally put out for discussion in December 2010 by the U.S. Commerce Department, the paper proposed new types of structures for working with EU member states and other nations to smooth over trade-related frictions, possibly creating new government-industry groups backed by stronger regulatory enforcement. The proposals were among the issues discussed at the recent congressional hearing.

“Specifically, we are considering the establishment of a multi-stakeholder process,” Nicole Lamb, assistant secretary of the International Trade Administration, told the congressional panel. The parties would produce agreed-upon codes of conduct and enforcement mechanisms, she said.

Such a structure could possibly provide consumers and businesses with a better way to redress privacy violations than is currently available under U.S. law, says Christopher Wolf, director of the Privacy and Information Management practice at the law firm Hogan Lovells.

The Commerce Department proposal represents a more collaborative approach to working with EU trading partners, said Swire at the hearing. Swire said collaboration and improved dialogue had already led to some convergence of U.S. and EU privacy practices in key areas.

One example he cited was the position of corporate privacy officer (CPO). European companies were the first to hire CPOs, but large U.S. corporations also now have CPOs.

Swire noted that the U.S. Federal Trade Commission, which has played a stronger role in data privacy-related enforcement efforts in recent years, has already strengthened its dialogue with EU agencies and regulators. Swire and other experts have also noted convergence in additional areas, including data breach notification, data minimization, and limitations on data retention.

The EU, for its part, is currently making major changes to its data protection and privacy laws. Last year, member states were required to finalize national laws to comply with revisions to the Privacy and Electronic Communications Directive (PECD). Changes to the PECD, which was written to complement the EU’s broader Privacy Directive, aim to strengthen consumers’ control over their online privacy. Among other new requirements imposed by the changes, Web sites will need to let users “opt in,” as opposed to the currently more common option of “opting out,” when it comes to having information-tracking electronic “cookies” placed on their computers or devices.

To date, relatively few EU nations have actually created their own laws. Some lawmakers, business executives, and others have called the revisions confusing and challenging to effectively implement. The European Commission, however, is likely to bring legal action against nations that fail to comply. Many say U.S. companies will also have to comply, at least in part, with the revisions when working with their EU customers.

The EU is also considering major changes to its broader Privacy Directive. Goals include enhancing legal harmonization and strengthening enforcement of data collection and cross-border transfer rules both within the EU and with non-EU nations.