Data Protection and Privacy in the U.S. and EU: Same Goals, Different Methods

1. Data Protection and Privacyin the U.S. and EU:Same Goals, Different Methods

2. US and European Concepts of Privacy:Tensions Between US and EU Across Two Axes • Two different notions of privacy (dignity versus liberty) • Free flow of info vs. national sovereignty

3. First Axis: What is Privacy? • A “civil right” or a “civil liberty”? • An issue of “freedom” or of “honor” and/or “dignity”?

4. Dignity vs. Liberty (James Q. Whitman theory) • Dignity: “The core continental privacy rights are rights to one’s image, name, and reputation, and what Germans call the right to informational self-determination—the right to control thesorts of information disclosed about oneself.” • Liberty: “…[T]he American right to privacy still takes much the form that it took in the eighteenth century: It is the right to freedom from intrusions by the state, especially in one’s own home.”

5. First Amendment to the U.S. Constitution Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the Government for a redress of grievances.

6. Charter of Fundamental Human Rights of the European Union • Article 7 Respect for private and family life Everyone has the right to respect for his or her private and family life, home and communications. • Article 8 Protection of personal data 1. Everyone has the right to the protection of personal data concerning him or her. 2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified. 3. Compliance with these rules shall be subject to control by an independent authority.

7. Second Axis: Free Flow vs. National Sovereignty “Foreign firms (primarily IBM) must not be allowed to be instruments of foreign (primarily United States) dominance….Mastery of component technology is as important as nuclear mastery for national independence.” Simon Nora & Alain Minc, L’Informatisation de la Societe, 1978 the “Nora-Minc Report”), quoted in Dorine R. Seidman, Transborder Data Flow: Regulation of International Information Flow and the Brazilian Example, 1 J.L. & Tech. 31, 47 (1986).

8. Free Flow of Data and Competitive Advantage • During the 1970s, the U.S. rose to become the number one exporter of services in the world by 1980. • Somewhat predictably, the U.S. also became the world’s leading proponent of free flow of information globally.

9. Adequacy Standard • 1995 Directive forbids transfers of personal data to countries not deemed “adequate” • The U.S. has not been found adequate • Safe Harbor Framework – provided adequacy for self-certifying companies to transfer personal data and still be compliant with Directive

10. Article 29 Working Party • Article 29 Working Party • Set up in 1995 for the protection of individuals with regard to the processing of personal data  and the free movement of such data • Developed Binding Corporate Rules  (BCR) to facilitate multi-national corporations, international organizations and groups of companies to make intra-organizational transfers of personal data across borders in compliance with EU Data Protection Law • The BCRs are an alternative to the U.S. Department of Commerce EU Safe Harbor Safe Harbor

11. EU Draft Regulation • Jan 2012 the European Commission proposed draft legislation to strengthen data protection and provide a one-stop shop. • Concerns draft will impact data flows • Article 42 – no transfers pursuant to third country laws (i.e. will delay transfers to regulators and courts) • Explicit Consent • Right to be Forgotten

12. Current Political Environment • Sharp rise in political rhetoric about differences in EU and US privacy frameworks • High level calls for the termination of Safe Harbor and other data sharing agreements • Push for “localization” of cloud services • Trickle-down impact on the Transatlantic Trade and Investment Partnership (TTIP) • ICT Chapter • Regulatory Chapter

13. Global Privacy Policy Issues • The reality is that there is no global standard policy on data protection and privacy • Broadly recognized as a dominant concern for the development of novel interactive technologies; however, difficult to reason analytically about privacy in real settings • A lack of conceptual interpretive frameworks makes it difficult to unpack interrelated data privacy issues in settings where information technology is also

14. Commercial Importance of Interoperability • Trans-border – and especially transatlantic trade – relies on the continued open flow of data. • Legally preventing data controllers from providing personal data to U.S. authorities pursuant to legal and regulatory obligations undermines trade and the enforcement of consumer protection and financial market oversight.

15. Interoperability of Data Frameworks • Article 29 Working Party • Currently studying the overlap between the EU’s BCR and the APEC system • OECD • On September 9, the OECD released a revised, 2013 version of its Guidelines on Privacy and the Trans-border Protection of Personal Data • Interoperability of different privacy regimes figures prominently in the revised OECD Guidelines • Positive development especially in light of the current EU political climate

16. Advocacy • Highlight how the policy issues of cross-border data flow and data privacy frameworks are commercial and civil issues • Raise awareness concerning the U.S. efforts in protecting data. • Privacy Act of 1974 • Fair Credit Reporting Act • Right to Financial Privacy Act • Video Privacy Protection Act, • Federal Trade Commission Act

17. Questions?