US, EU to take different approaches on privacy

WASHINGTON  — The development of online privacy protections is at a critical moment as policy makers in both the U.S. and European Union push for changes to their privacy rules, but co-ordination of enforcement across the Atlantic Ocean may be tricky, several privacy experts said Monday.

The U.S. and the E.U. have very different approaches to privacy enforcement, with the U.S. focused on enforcing privacy promises that companies make and the E.U. enforcing privacy rights even when companies make no promises, said Paul Nemitz, director of fundamental rights and citizenship at the European Commission. The E.U. sees privacy as a basic right, and “our citizens expect that these rights are enforced,” he said at an E.U. conference on privacy and data protection at the U.S. Institute for Peace in Washington, D.C.

At a panel discussion about privacy enforcement, Nemitz and U.S. officials seemed to disagree whether the E.U. or U.S. takes a stronger role in privacy enforcement. Nemitz questioned an assertion by Cameron Kerry, general counsel at the U.S. Department of Commerce, that sister agency the U.S. Federal Trade Commission was a global leader in enforcing privacy protections.

The FTC is a global leader, “perhaps in PR,” Nemitz said.

Privacy experts complain about Ottawa’s ISP bill

Several European privacy agencies have been at least as active as the FTC, but their efforts aren’t as publicized because they don’t release information in English, Nemitz said. In addition, with 27 separate privacy protection agencies in the E.U., sometimes actions by individual countries don’t get much attention, added Jacob Kohnstamm, chairman of the E.U.’s Article 29 Working Party and the Dutch Data Protection Authority.

The FTC takes Nemitz’s comment about public relations as a “compliment,” said Maneesha Mithal, associate director at the FTC’s Division of Privacy and Identity Protection. The agency makes an effort to publicize its enforcement efforts as a deterrence to other companies, she said.

Some participants in the conference questioned whether E.U. privacy agencies are now effective against big companies such as Facebook and Google. In some cases, U.S. Internet companies appear to be breaking E.U. data protection rules with no consequences, said Austrian law student Max Schrems, a frequent critic of Facebook.

It shouldn’t be up to students to highlight bad privacy practices, Schrems said. “What does [the law] actually need to make at least the big shots compliant with the most basic principles we have in the law right now?” he said.

The E.U.’s proposed data protection rules, announced in January, should elevate the profile of E.U.’s data protection and privacy efforts and make company boards pay attention to privacy rules, Kohnstamm said. The proposed rules include fines of up to 2 percent of a company’s global revenue.

As the E.U. pushes for a single privacy law, U.S. President Barack Obama’s administration has called for privacy codes of conduct to be developed at the Department of Commerce with input from companies, privacy advocates and other groups.

Privacy protection is at a “pivotal moment” as both processes move forward and as the FTC continues to look at privacy protections, said Julie Brill, a commissioner at the FTC. While the details may differ in the U.S. and E.U. approaches, both governments are working toward a baseline set of privacy goals, including more transparency for consumers about how their data is used and more access to their data held by companies, she said.

Privacy enforcement agencies from the U.S., the E.U. and other countries are needed to provide adequate protections for consumers, Brill added.

Nemitz, and privacy advocate Jeffrey Chester, executive director of the Center for Digital Democracy, both questioned the Obama administration’s so-called multistakeholder approach of allowing companies to help write privacy codes of conduct. Even with privacy advocates in the room, Internet companies could get their way because of vastly superior resources, Chester said.

A multistakeholder approach does not “carry the legitimacy” of privacy rules made by elected legislators, Nemitz added.

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now