EU Data Regulation Should Aim for Interoperability, NSA Revelations May Affect Talks, FTC Commissioner Says
ASPEN, Colo. -- The EU and U.S. differ in data protection implementation, not principles, and interoperability should be the focus of the ongoing work on the EU data protection regulation, FTC Commissioner Julie Brill said Tuesday during a panel at the Technology Policy Institute’s Aspen Forum. The EU is aware of concerns that American companies have, including that the regulation may be too proscriptive and “may lack effective enforcement, particularly when it comes to the multiplicity of regimes,” Brill said, citing frequent communication with her EU counterparts.
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
European users need “one set of rules” determining their privacy when they're online, and European companies “need a level playing field,” said Luigi Gambardella, chairman of the European Telecommunications Network Operators’ Association executive board. When a European user is online, “he is not aware whether the server of the service he is using is in Europe,” he said. “We want to be sure that he has the same level of protection, independent of where the server is.” Differences in privacy law “have created a disparity with European companies and have put the European companies at a disadvantage,” he said.
Interoperability, not policy convergence, should be the goal of the EU data regulation, Brill said. Policymakers should be focused on “respecting the differences” between the two sets of policies, “recognizing the similarities and talking about how can we be interoperable,” she said. Regulatory convergence “is not going to happen,” said Erika Mann, Facebook managing director-public policy. “We have different regulatory history, different philosophies” that make regulatory convergence an impossibility. If regulation is done correctly, “the differences can actually be sorted out, because the interest of companies is so broad … that we have enough sufficient common ground,” she said. “And the same is true of the users."
The recent reports on National Security Agency surveillance may change discussions on the developing EU data security and privacy regulation, including the current safe harbor for American companies, Brill said. “Things have changed, and I don’t know what I'll receive in terms of a reception” when delivering messages “that I've previously been very successful” with. It’s “incredibly important” to have a conversation about government collection and use of data, but “we need to talk about commercial collection and use of data separate from government collection and use of data,” she said. The issues of government surveillance and commercial online privacy should not be conflated, Mann said. “Hopefully there will be understanding in the upcoming months that they are two different stories."
The leaks about NSA programs do provide an opportunity for commercial entities that collect and use consumer data to reexamine the steps they're taking to protect user data, Brill said. “There is more that they can do to protect privacy,” she said, citing proposals from herself, the agency and privacy advocates. “I think the time is now,” she said.
Privacy discussions and Transatlantic Trade and Investment Partnership negotiations should be held on their own schedules, Mann said. “To align the two timetables, I think, is not very helpful.” The substance of the talks “will be very different,” and making each dependent on the other could “burden both discussions,” she said.
It’s not true that privacy is more of an inalienable fundamental right in Europe than in the U.S., said Alan Raul, privacy lawyer at Sidley Austin and former chairman of the Privacy & Civil Liberties Oversight Board. The EU has many fundamental rights, and they're subject to one another, he said. EU Justice Commissioner Viviane Reding has said the right to privacy “must be balanced with these other rights,” including the right to run a business, Raul said. “The balance is recognized on both sides of the Atlantic in setting policy.” Basing the cross-Atlantic privacy talks on the assumption that privacy is a more fundamental and inalienable right in the EU than in the U.S. is harmful to the process, he said.