I was privileged to travel to South America and to participate when privacy authorities and privacy professionals came together in Punta Del Este, Uruguay, for the 34th International Conference of Data Protection and Privacy Commissioners and the preceding civil society event called “The Public Voice.”
It is fair to report that participants were closer together than they probably anticipated.
First, a cyclone kept everyone in the hotel for the first days of the meeting, causing a great deal of forced togetherness. (It was good practice for those of us on the East Coast of the U.S. subsequently rendered housebound by Hurricane Sandy.) In addition to weather-based togetherness, there was substantive togetherness too. The theme of the main DPA conference was “Technology and Privacy in Balance.” And, indeed, the conference was more balanced than some of its predecessor conferences, reflecting at least a partial global coming together on the role of privacy.
The fact that a general counsel of a large U.S. tech company was invited to be the keynoter was one indication. Brad Smith, general counsel of Microsoft, expressed his company’s genuine desire to advance consumer privacy and touted the Do-Not-Track functionality of its new Internet browser. Other tech company representatives also highlighted their commitment to advancing privacy, to accountability and to interoperability.
It was sometimes hard to tell who was the greater cheerleader for privacy—businesses or the DPAs—prompting one senior DPA to ask me in the hallway, “Why do you think that is the case?” My response: “Because we have reached a point where privacy is good business and not just a regulatory problem for companies to work around.”
At the plenary sessions, there was less overt corporate bashing by the presenting DPAs; previous gatherings saw ominous videos singling out well-known online companies. Indeed, the Uruguayans—whose privacy law recently was deemed “adequate” by the EU—struck a moderate tone throughout the conference. Among the technology advances the Uruguayans highlighted was Project Ceibal, under which each school child gets a laptop computer. The balance between the advantages of every kid with a computer and the privacy issues of every kid online was a focus of the discussion.
The conference started on a somewhat down-note when Article 29 Working Party Chair Jacob Kohnstamm told the gathering that henceforth, the DPAs would only meet privately at their annual conferences, and if there is to be a public session for the privacy community, that would be up to the host DPA. At this year’s public session, there were panels and discussion on a range of urgent privacy issues including Impact on Privacy of Emerging Trends in the Information Society; Data Protection and E-Government—moderated by IAPP Executive Director Trevor Hughes, CIPP; Open Government; Public and Private Geolocation; E-Health; Forensic Tools and Privacy; Online Behavioral Advertising; Smart Data; Privacy and Piracy; The Present Situation with the EU Regulation, and Data Protection in Latin America.
And, of course, there were the informal interactions in the hallways and at meals among the public and official participants that facilitated important discussions. Next year’s host country reportedly is Poland, and hopefully its DPA can find a way to include the very useful public sessions.
Public participation is further served by the traditional side event called “The Public Voice,” a meeting of “civil society” organized by the Electronic Privacy Information Center (EPIC) and attended by many of the DPAs and FTC officials in town for the main conference. I moderated the closing panel on self-regulation with Federal Commissioner for Data Protection and Freedom of Information Peter Schaar (Germany); Department of Commerce Policy Analyst Office of Technology and Electronic Commerce Joshua Harris (U.S.); Jörg Polakiewicz, Council of Europe; FTC Commissioner Julie Brill (U.S.); Federal Institute for Access to Public Information Commissioner Sigrid Arzt (Mexico), and Felipe Rotondo Tornaría, Control de Tratamiento de Datos Personales (Uruguay).
Predictably, Commissioner Schaar was opposed to virtually any kind of self-regulation, even criticizing the self-regulatory regime for the use of RFID technology (involving privacy impact assessments) that was approved by the Article 29 Working Party of which he is a member. During Q&A of another panel, Schaar asked WP 29 Chair Kohnstamm whether the EU-US Safe Harbor should be renegotiated in view of the upcoming EU Data Protection Regulation. Schaar is a frequent critic of the EU-US Safe Harbor self-regulatory regime, notwithstanding the enforcement mechanisms. Kohnstamm diplomatically demurred, observing that if negotiations are reopened with the U.S., no agreement may result, which would be a step backwards. An FTC representative in attendance said that is consistent with what the U.S. has been telling the Europeans.
Josh Harris from the Department of Commerce explained how the U.S. recently received approval as the first formal participant in the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules System (CBPR). APEC’s CBPR is a self-regulatory code of conduct designed to create more consistent privacy protections when personal data moves between countries with different privacy regimes in the APEC region.
The CBPR is a voluntary code of conduct. Businesses that participate are to have compliance enforced by an “Accountability Agent.”
Under the CBPR, participating businesses must develop their own internal business rules on cross-border privacy procedures. These rules will then be reviewed, approved and certified by the Accountability Agent. The review process determines whether the company’s privacy practices comport with the nine “Privacy Principles” set out in APEC’s Privacy Framework. The U.S. is the only participating country as of now.
FTC Commissioner Brill emphasized the important role self-regulation plays even with legal and regulatory rules, noting that the law and regulators cannot anticipate all of the technological developments and nuances faced by many different businesses.
I asked the panelists to react to these observations about Self-Regulatory Organizations (SROs):
• Opponents of self-regulation may incorrectly assume that self-regulation is necessarily “weaker” than state regulation either because it has less stringent rules or because it ineffectively enforces its rules.
• First, SROs can be effective self-policing organizations, particularly when the institutions are designed to eliminate conflicts of interest.
• Many SROs begin enforcement actions in response to complaints. Businesses provide a high degree of oversight since they regularly monitor the activities of their competitors and have an incentive to report violations.
• Second, SROs can be more effective than government agencies at rulemaking. When businesses come together to develop rules, those involved are likely to have a higher degree of technical and industry expertise than an outside government regulator.
The representative from the Council of Europe especially endorsed the concepts embodied in this passage and mentioned that the Council of Europe Convention 108 for the Protection of Personal Data embraces self-regulation. He was joined by the Uruguayan, Mexican and U.S. representatives.
As with previous DPA meetings, there was a polite but palpable disdain among the Europeans, and those following the EU paradigm, for the U.S. approach to privacy. And with respect to the proposed EU regulation, most of the EU officials spoke very favorably of it, suggesting that only minor adjustments were needed. EU Data Protection Supervisor Peter Hustinx did acknowledge that the “one-stop shop,” whereby companies would have one lead regulator, “needs work” because of the difficulties in avoiding “forum shopping.” Commitments to explicit affirmative consent where there is no other legal basis for processing and to the rights to be forgotten and data portability were endorsed by the Europeans. Several Europeans lamented the fact that law enforcement access to data under the proposed EU framework will be governed by a directive rather than the regulation controlling nongovernmental access to data. Kohnstamm announced that the Working Party will issue an advisory opinion on “purpose limitation” next year.
In the discussion of the proposed EU Regulation, Brill politely but effectively pointed out practical and law enforcement-related issues with the presumptive 24-hour period for breach notification contained in the proposed EU regulation and also spoke of the effectiveness of FTC enforcement in promoting better privacy. On the issue of U.S. reliance on enforceable self-regulation, FTC Commissioner Edith Ramirez expressed her hope that the W3C will reach consensus on an industry standard for Do Not Track but said that if it did not, legislation may be required.
Throughout the DPA meeting, there was significant discussion of cross-border enforcement and assistance with investigations. One high-ranking EU privacy official told me that the Global Privacy Enforcement Network (GPEN) is not likely to be a useful mechanism because of its size and inclusion of members “like the Ukraine,” suggesting that sharing of investigatory information was unlikely due to the fear of leakage. He suggested that more bilateral undertakings like the recent agreement between Germany and Canada are likely ways investigations will be coordinated and materials shared. One senior corporate privacy official spoke of a concern that the FTC was being used as a source of information for EU officials applying stricter standards than those in the U.S.
The DPAs met privately on Thursday and Friday, and the specific topic was “profiling.” Interestingly, they brought in Jim Dempsey from the Center for Democracy and Technology for a briefing, suggesting that at least part of their focus was on government profiling.
I will conclude my report by quoting at some length an on-the-record source—me. Here is an excerpt from my remarks at the opening plenary of the DPA conference in Uruguay:
In considering the issue of progress in privacy and data protection, I am reminded of the observations by the author Doug Adams who wrote the book entitled The Hitchhiker's Guide to the Galaxy.
Adams made these three observations about our reactions to new technology.
• The things that exist in the world when you’re born are normal and acceptable;
• Anything invented between when you are born and before you turn 30 is incredibly exciting and creative;
• Anything invented after you turn 30 is against the natural order of things and the beginning of the end of civilization as we know it—that is, until it’s been around for about 10 years when those inventions gradually turn out to be alright really.
And likewise, progress in data protection is a matter of perspective. Ten years ago, I never would have imagined the scope of the privacy profession. The International Association of Privacy Professionals, started just over a decade ago with a handful of members, now has membership in the tens of thousands. Those numbers reflect the range of privacy issues being addressed by businesses that recognize a responsibility due to laws, regulations—but also out of a sense of responsibility and data stewardship and the commitment to maintain consumer trust.
Earlier this year, I testified before the United States Senate Judiciary Committee Subcommittee on Privacy concerning a law passed in 1988 called the Video Privacy Protection Act, or VPPA. That law obviously was passed to react to the practices of videocassette rental stores, well before the Internet era; before Netflix, and before Facebook. Yet, the VPPA is being applied to the technologies of the Internet era even though Congress never contemplated such a world.
My experience with the video privacy law is part of what gives me concern that data protection that is put in place to react to new technologies may in time not be viewed as progress at all but rather as a barrier to progress.
I know that some DPAs react viscerally when objections to certain regulations are made because of the risk to innovation. But it is axiomatic that overregulation thwarts innovation.
What is needed is smart, forward-looking regulation, and it can come from many sources—from law and yes from enforceable self-regulation created by those who are closest to the workings of changing technologies. Perhaps a better label for what I am describing is co-regulation.
The theme of this conference, “Privacy and Technology in Balance” captures perfectly the tension between privacy rules and advances in the information society.
And the conference comes at a time when the privacy frameworks in the U.S. and the EU are under reexamination.
There are common aspects to the EU and U.S. proposals. Both fundamentally are premised on Fair Information Practice Principles. Both call for implementation of the “Privacy by Design” concept intended to build privacy sensitivity and consideration into every stage of the development of products and services. Both recognize the importance of accountability by those who collect and use personal data. Both reflect the principle that people should not be surprised by the use of their personal data collected for one purpose but used for another purpose.
There is no disagreement about the need for informed consent about the collection and use of personal information—although the kind of consent envisioned in each jurisdiction differs as to various categories of data. Finally, the U.S. view of what constitutes "personal data" seems to be moving toward the EU's: The FTC refers to data that can be "reasonably linked to a specific consumer, computer or other device," a standard very close to—and arguably even broader than—the EU definition of personal data.
Big differences in approach emerge from the fact that the U.S., while proposing a first-ever federal privacy law with a “Privacy Bill of Rights,” still intends to rely on a variety of self- or co-regulation. And the U.S.-proposed rules do not contemplate a “right to be forgotten.”
Similarly, there is no right to “data portability” in the U.S. proposals as there is in the EU plan.
And even though the EU has borrowed the data breach notification idea from the U.S., it proposes a presumptive obligation to provide notice within 24 hours of a breach, a timeframe widely regarded as wholly unworkable by those who have worked under the U.S. data breach laws. Finally, the EU proposes a schedule of monetary fines of up to two percent of an entity’s global worldwide turnover for violations of the proposed regulation—an amount that many stakeholders view as unreasonable due to the apparently wide discretion given to enforcers in assessing such a fine.
The period ahead will be one of adjustments to the proposed EU regulation to make it acceptable to the European Parliament and to the Council of the European Union, the bodies responsible for the co-decisioning process required to adopt the regulation. Likewise, in the U.S., the exact shape of the new privacy framework is still to be determined, on Capitol Hill and through the work of the executive branch, and the results of the election in a few weeks will be important.
As things now stand, there is a big gap to bridge between the two trans-Atlantic approaches, which are in many ways so close. Yet they are very far apart in fundamental respects.
Privacy will most effectively evolve in the information society when the privacy frameworks are interoperable. My hope is that the fundamental differences in approach give way to that fundamental understanding.
And therefore, to close, I commend to you the recent remarks of Cameron Kerry, the general counsel at the U.S. Department of Commerce, before the European Parliament, who quite wisely observed that for the information society to thrive, “the global marketplace will require mutual recognition and innovative solutions that permit businesses to streamline their operations across countries with differing legal regimes.”
This conference is a perfect opportunity to explore such innovative solutions towards mutual recognition and cooperation and towards a robust and growing information society.