It is “privacy week” here in Amsterdam, with the academically focused Amsterdam Privacy Conference (APC) butted up against the DPA-organized International Privacy Conference. Not surprisingly, the Schrems decision dominates conversation—with a little left over for the pending General Data Protection Regulation.
In her keynote address launching the APC event on Friday, U.S. Federal Trade Commissioner Julie Brill waded into the transatlantic debate over the adequacy of the U.S.’s privacy regime and the consequences of Safe Harbor’s invalidation.
The European Court of Justice’s (ECJ’s) decision “has placed us at a critical juncture,” she said, “where we need to reflect on the deep values that we share, be honest about the nature of our similarities and differences and assess the steps we need to take in order to develop a truly trusted framework for the transatlantic flow of information.”
One step that’s not needed? A comprehensive privacy law in the U.S. “Although I support additional consumer privacy legislation in the U.S.,” she said, “I do not believe such legislation is prerequisite for a post-Schrems data transfer mechanism.” The regime the U.S. has in place, with strong safeguards for children’s data, financial data, health data and with Federal Trade Commission (FTC) oversight, creates a U.S. system of enforcement that is “strong and comprehensive,” she said. “But it is also maddeningly difficult to explain to my European colleagues.”
Unfortunately, she said, this robustness is hampered by the ECJ decision. Safe Harbor at least offered transparency and a way for the FTC to monitor for bad actors. Model contracts and Binding Corporate Rules are much less transparent, she argued, and offer fewer ways for consumers to bring grievances. No one knew better than Brill that Safe Harbor needed improvements, and she cited the work that has already been done to improve the transparency and oversight of the program in addressing the European Commission’s 13 necessary changes as proposed in 2013.
However, it was better than the nothing we are left with now.
So, how do we go forward?
“I believe the ECJ’s decision in Schrems adds to the growing body of evidence that there is a need for a shift in the way that we—on both sides of the Atlantic—have framed privacy,” Brill said. “In the U.S., we have largely separated the discussions about data practices of commercial firms from the data practices of the government.”
That is changing, however, through debates like that over backdoor access to company encryption methods. “This debate has started to chip away at the silos around consumer interests in commercial privacy and citizens’ interest in protection from unwarranted intrusion by government,” she said. The U.S. is having now the fundamental debate over how and when government should be able to access consumer data.
“I believe Europeans should engage in this discussion as well,” Brill said, “and examine their member states’ own law enforcement and intelligence data collection practices with the same openness and recognition of the potential impact the practices may have on consumers’ and citizens’ privacy. The ECJ’s decision suggests that the United States and Europe should have an honest dialogue about the ‘essential equivalence’ of all of these data practices within companies, as well as within our law enforcement and national security agencies.”
This kind of introspection on both sides of the Atlantic, coupled with collaboration between legislators and regulators, is the only path forward, Brill said.
“If we start engaging in an honest dialogue,” she said in closing, “I believe we can, over the long term, forge a path toward building truly robust and durable bridges that will allow us to face our common challenges together, so we can more effectively protect the data and privacy of our citizens.”