The two women on stage in Brussels this morning at the IAPP Data Protection Congress seemed to agree more than disagree about what’s essential to both the U.S. and EU. The U.S. Federal Trade Commission’s (FTC's) Julie Brill and Article 29 Working Party Chairwoman Isabelle Falque-Pierrotin, who also chairs France’s data protection authority, the CNIL, politely agreed they’re both concerned about the potential risks involved in big data, that the Internet of Things could mean individuals lose rights to their own data and that the right to be forgotten, while great in concept, has some kinks to work out.

But the relatively benign chat took a bit of a left turn in the end when the elephant in the room finally stomped its feet: What about Safe Harbor?

The keynote chat, moderated by Henriette Tielemans of Covington & Burling, looked at the similarities and differences between the EU and U.S. on all things data protection and privacy to determine where things stand now. After all, it wasn’t that long ago that the Snowden revelations hit—inciting widespread mistrust among Europeans on where the U.S. stood on privacy. Additionally, Europeans haven’t been shy about their mistrust of the Safe Harbor framework, despite American regulators’ claims it remains a robust and viable data transfer mechanism.

But Brill was optimistic about the whole thing. “I think our commonalities are much much greater than our differences,” she said.

Take big data, for example.

Brill_Falque-Pierrotin_IAPP_19Nov_083_web.jpg
Julie Brill, commissioner of the U.S. Federal Trade Commission, and Isabelle Falque-Pierrotin, chairwoman of the CNIL and the Article 29 Working Party, in discussion at the IAPP Data Protection Congress in Brussels.

Brill said she recognizes the benefits of big data, but there are also potential pitfalls. She pointed to the big data report released earlier this year by the White House’s John Podesta, which identified some of those risks. If we want the benefits to come to fruition, consumers have to trust the system, and that’s going to happen through transparency.

“The analogy I like to use is an automobile. We need to give users tools on the dashboard when appropriate, but also, companies need to be looking under the hood,” Brill said, emphasizing that companies should implement Privacy by Design into their products. Additionally, companies should rely less on a notice-and-choice model when seeking consent, which, as is often discussed in privacy circles, increasingly places too much of the burden on the consumer to make informed decisions about what’s done with their data. Instead, a risk-based approach makes more sense.

That said, she continued, the public must have a say in what the appropriate use of data looks like, and big data’s success depends on that.

Falque-Pierrotin agreed with Brill on the potential benefits.

“We share the idea in Europe that big data is just not only a new way to process data, it’s a real historical breakthrough,” she said. But she also agrees with Brill that there’s a real risk to individuals given the amount of devices streaming data at all times, be they telephones, body sensors, CCTV or others.

“We share conviction with the Podesta report that we’re facing something really different here," she said. “Generally speaking, what we fear about big data is the individual won’t be in control, and the individual has to stay in control to make informative choices about big data applications.”

She rejected the notion, however, that the EU should revisit its rules and principles on data collection and use so that they apply to big data.

“We don’t have proof or evidence that our principles are no longer valid,” she said. “On the contrary, in each of our countries we are already working on big data applications using our principles. So they are definitely efficient."

An area Falque-Pierrotin would like to see the EU catch up to the U.S. on is breach notification laws, she said. Brill noted 47 U.S. states currently have a breach notification law. While France introduced a law in 2011, Falque-Pierrotin said the legislation isn’t well-understood by European data controllers.

The difference in France’s law on notification and the laws stateside are mainly that U.S. state laws aim to tie a company’s reputation to its data security practices, Brill said. Falque-Pierrotin said the law in France doesn’t aim to point fingers at the data controller that made mistakes resulting in breaches but more to structure the information flows and the security culture among data controllers.

And then, the question the room had been waiting for, it seemed. With just a few minutes left in the session, Tielemans asked Brill: What to do about Safe Harbor?

Brill maintained, as she has all along, that Safe Harbor is a “deeply important tool” for consumer privacy protection and said as a law enforcement agent, she doesn’t want to see it go.

“I have said, ‘Please don’t take it away from me.’ It’s the hook we have to offer greater protection,” she said, adding that like anything with some age on it, the 15-year-old tool can certainly be reexamined and improved, a task the U.S. Department of Commerce and FTC have taken seriously since the European Commission issued its list of 13 ways the U.S. can save Safe Harbor just shy of a year ago now.

The places it certainly needs improvement? The fees associated with alternative dispute resolution and increased accountability on the part of those who are charged with ensuring compliance with Safe Harbor principles.

Brill mentioned the FTC’s recent settlement with TRUSTe as an indication the commission can be trusted as the cop on the beat.

“I really hope everyone here and in Europe will take away the message not that Safe Harbor is broken so we had to bring the TRUSTe case but that Safe Harbor works and backstop enforcement by the FTC works,” she said.

Attendees had all but zipped their laptop bags to exit when Falque-Pierrotin decided the chat wasn’t over. She had a point to make.

“We want clear answers on what has been brought about by the Snowden revelations,” she said. "DPAs are expecting real answers. We will be very vigilant,” she said of watching to see that the U.S. makes good on its commitment to work on the 13 recommendations.

Brill countered, however, that only 11 of the recommendations are under her purview, and the other two are outside of her remit, outside of the Article 29 Working Party’s remit and outside of the European Commission’s remit.

“But I understand there’s deep concern about these issues,” adding, "I think there has been a tremendous effort on the part of national security folks in the U.S. on how to appropriately respond,” through the “breathing of great life into the Privacy and Civil Liberties Oversight Board, through the chief privacy officers we have through the national security systems” and various other mechanisms.