I attended the Privacy Law Salon this week in Miami; it was a very worthwhile event with senior privacy officers and privacy lawyers in attendance. Canada’s very own Jennifer Stoddart, Privacy Commissioner, delivered a keynote on Thursday that was both frank and heart-felt, to our American colleagues, about the direction of privacy internationally. My congratulations to the organizing committee for a great event.
Chatham House rules apply to the Salon, so my comments are not about anything anyone said specifically at the Salon; these are just thoughts that occurred to me while I was listening to this great group of privacy professionals talking.
First, I was struck by the lack of confidence by our American friends that there would be a way to address, or deal with, the new proposed EU Privacy Directive. They seemed to despair of reaching a middle ground with the EU, and feel that it is a choice of either simply living with the new EU directive, or turning aside (for instance, focus on other markets), or finally a quid pro quo response of more diligently enforcing US privacy laws against EU organizations. Second, when I pointed out that the US has strong privacy laws in various sectors, and enforcement that puts the rest of the world to shame, the response was that the Europeans should know these things, and therefore must simply not care that there was in fact a privacy regime in the US even in the absence of a broad private sector law. Thirdly, this contest of approaches between the US and the EU is characterized as a dichotomy between privacy and innovation, that enforcing privacy rights would undermine innovations springing from (largely) US-based companies.
My reaction and thoughts were along these lines:
Having spent a number of years being the ‘conciliator’ between US and EU colleagues (in different organizations), I was most distressed by this sense of despair. I have always found that by explaining what laws existed, and the diligent enforcement by the FTC, state attorneys general, and through private rights of action, the Europeans would ultimately agree that the perception that Americans don’t care about privacy is quite wrong. I think that a concerted effort needs to be made by the US (at both the governmental and business levels) to map the laws that do exist to the proposed EU directive, and to show how the US has chosen to address the same issues that the Europeans are proposing to address through this new regulation. There are, no question, some issues on which opinions diverge – but I still see tremendous importance in engaging with the EU to discuss how problems relating to cookies and the right to be forgotten can be seen as issues that the US is also struggling with (Do Not Track, and retention of PI, in my humble view), and is trying to address through different means.
The second response I would make to this pessimism is that it springs from a fundamental failure of communication, which could be addressed by a four-pronged approach. Mapping US to EU laws will help in educating the EU to understand the significant efforts that the US is making, but also in translating differences in legal concepts and approaches between the two. The US thinks of data protection as distinct from privacy, something I think is not the case outside the US. Another step that would help in bridging this gap is actually asking Europeans (through focus groups, perhaps) how best to communicate the US approach to privacy. Furthermore, it is critical to explain the technology – do not assume that all these innovative technologies, or how they are used, are fully understood by the policy makers in the EU. Finally, America’s allies – Canada, as well as many European countries – can be bridges to help create understanding and common ground.
The third and perhaps most important thing to do is to decide what privacy should look like in the US, independent of what the EU is doing. The lack of a broad private sector law feeds the perception that the US doesn’t “care” about privacy – something I think would change even if all it did was codify and consolidate the many laws (one of our participants said there were over 200) that cover privacy. One lawyer said this notion of reform or codification was unlikely given the current politics and election year in the US – but what about a restatement of privacy laws? An informal codification of existing laws requires no legislative changes, but would present a formidable argument that there is already a significant correspondence to the EU privacy regulation. Even if it incorporated voluntary frameworks and best practices in FIPS, this would be a tool for organizations (used in conjunction with the next point, GAPP) to erode the notion that ‘America doesn’t care about privacy.’
Fourthly, GAPP privacy controls (in conjunction with ISO security standards) represent some significant thinking about actually implementing privacy, which is an area where I do believe many US organizations are ahead of their European counterparts. This is how companies can demonstrate (in an auditable fashion) effective privacy management, which leads into the next point…
There are a lot of good things in the EU proposal. I am very excited about the efforts to clean up the bureaucratic issues with compliance, and the revamping of Binding Corporate Rules (BCR) as a way to meet organizations’ compliance requirements in the EU. A concerted focus by the US on using BCR as a tool for US organizations to meet EU expectations would, I think, be well received, and would make compliance (even with the new expectations in the EU privacy regulation) easier.
I am also responsible, despite being a Canadian, for promoting the best interests of an American-based organization. I feel that isolationism is more harmful than helpful; given the global nature of business today, only full engagement can best promote the interests of business. The notion that there is a choice between innovation and privacy is a false dichotomy and at best a red herring: privacy by design, a concept being promoted by the EU regulation, is fully capable of meeting the goals of innovation while still respecting personal rights to privacy.
No one is saying that finding the middle ground will be easy: nothing worthwhile is.