TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Privacy Perspectives | Differing Privacy Regimes: A Mini-Poll on Mutual EU-U.S. Distrust Related reading: UK Parliament committee to review EU-UK adequacy agreement

rss_feed

""

""

There are notable differences between EU and U.S. data protection law. There is also equally notable skepticism in the U.S. and EU about the other legal system’s approach

To help illustrate the nature of these doubts, I contacted a handful of leading U.S. privacy attorneys to gather their opinions of EU data protection law. Then, to round out this mini-poll, I asked privacy attorneys in Germany during a recent visit to Cologne and Frankfurt-am-Main about their views of the U.S. system of information privacy law. All were promised confidentiality; data protection is, after all, an important matter.

Here are the views of the U.S. attorneys regarding EU privacy law:

  • The EU approach to privacy is long on process and short on substance. Where it is substantive, it seems blind to the places where EU privacy directives and other EU regulatory measures are inconsistent with non-privacy EU directives.
  • The EU approach is not actually enforced. It is law on the books plus rhetoric by regulators that extends the law even further. But the law is only occasionally enforced. As a result, much activity exists in a gray zone of risk.
  • American legal culture is more literal and more compliance-minded than Europe’s. In the EU, there is an aspirational, hortatory, vague legal regime, which would literally make the entire Internet “illegal.” Americans simply cannot translate such aspirational principles into their own more literal and more litigious system.
  •  EU regulators often seem to believe that most data use is about marketing. But a wide range of data use is focused on adding value to society. Benefits to users or to society are often minimized as a basis for processing.
  • Some in the EU recoil at the mention of innovation made possible through the use of personal data, almost making mention of it off-limits.
  • Some in the EU still think that national security surveillance is a U.S. problem alone and that EU clouds will solve that problem.

As these points illustrate, the U.S. concerns about EU data protection are deep. They are matched, however, by the EU distrust of U.S. information privacy law.    

Here are the views of the German privacy experts:

  • U.S. law has a limited concept of privacy harms. Without a concept of “personality rights” to anchor information privacy law or some equally effective principle, many privacy harms to persons are not addressed by U.S. law.
  • There is no obligation of the state in the U.S. to take active measures to protect individual privacy. In German law, there is a strong such requirement—the notion is that of a protective duty (“Schutzpflicht”).
  • In the absence of an omnibus privacy law in the U.S., there is a confusing multiplicity of laws, federal and state. This multiplicity leads to a “fragmentation of the legal field” (“Zersplitterung des Rechtgebiets”).
  • The Snowden revelations and other information about the NSA’s activities reveal shameless behavior by the U.S. For example, Der Spiegel has revealed that the U.S. had monitoring equipment installed within its Berlin embassy.
  • The NSA is acting to make cybersecurity weaker. This behavior endangers a shared interest in strong security.
  • The NSA is carrying out industrial espionage on behalf of U.S. companies.
  • U.S. companies have strong market dominance in IT, and the result is arrogant behavior.
  • EU policy-makers feel overwhelmed by the sheer volume of the lobbying efforts by U.S. companies

Many of these comments from the German experts reflect fundamental differences in how the U.S. regulates privacy law, which leaves experts on the European side of the Atlantic feeling that the American system does not contain effective protections.

The comments also show a profound and continuing reaction to the Snowden revelations. One year after the “Summer of Snowden,” that is, the initial release of NSA documents by Edward Snowden, emotions are still running high in Germany about U.S. global surveillance activities. Indeed, outside the campus of the Goethe University Frankfurt, I passed pro-Snowden posters stuck on telephone poles. The posters featured a simple suggestion for Germany’s policy in this matter: “Asyl,” that is, an offer of asylum in Germany for Snowden.

Many of these comments from the German experts reflect fundamental differences in how the U.S. regulates privacy law, which leaves experts on the European side of the Atlantic feeling that the American system does not contain effective protections.

Moreover, Chancellor Angela Merkel herself was said to be upset by the report that the U.S. had spied on her cell phone. As one attorney told me in Cologne, “Allied nations should not behave this way with each other.” It should be noted that this anger continues—the latest flare-ups are due to recent German media revelations of an American spy within the Bundesnachrichtendienst, Germany’s foreign intelligence agency. In response, Germany has expelled the CIA’s top officer in Berlin.

The fallout from the Snowden leaks is also having significant business implications for U.S. technology firms. In June, the German government announced it would end a contract with Verizon Communications because of concerns about network security. It is shifting its business to Deutsche Telekom, a German company. Microsoft General Counsel Brad Smith also stated recently that the business issues relating to the Snowden links were “getting worse, not better.” Forrester Research has estimated that the NSA disclosures could reduce U.S. technology sales overseas by as much as $180 billion by 2016.

There are no easy solutions to differences in EU-U.S. data protection. Instead, there are only tough discussions ahead. There are, however, two lessons that can be drawn from my mini-survey.

First, the U.S. attempt to launch a discussion around the term “interoperability” is unlikely to be fruitful. In the White House’s 2012 “Report on Consumer Data Privacy in a Networked World,” the executive branch declared its “commitment to increase interoperability with the privacy frameworks of our international partners.” The plan was a good one. The U.S. privacy system is not like that of the EU, and its goal should not be to become the equivalent of it.

The overarching idea of “interoperability” is to allow different privacy systems to work together. It is hard to object to that idea in the abstract, and the OECD’s 2013 Privacy Guidelines call for greater efforts to address the global aspects of privacy through improved interoperability. Due to current high levels of suspicion on the EU side, however, the idea of “interoperability” now has the air of “Pax Americana,” or an agreement enforced on the world through American power. I have yet to meet a single privacy policy-maker in Europe who reacted favorably to this term. It is probably time to drop that “brand.” Nonetheless, the policy goals of the 2012 White House report regarding accountability and enforcement are highly valuable. A discussion around these concepts has the potential to discover new common ground.

Due to current high levels of suspicion on the EU side, however, the idea of “interoperability” now has the air of “Pax Americana,” or an agreement enforced on the world through American power. I have yet to meet a single privacy policy-maker in Europe who reacted favorably to this term.

Second, “harmonization networks” for information privacy are more important than ever before. “Harmonization networks” develop when regulators and other policy-makers in different countries work together to harmonize or otherwise adjust different kinds of domestic law to achieve outcomes favorable to all parties. This general phenomenon was first noted by the international law scholar Anne Marie-Slaughter. As Slaughter writes, “The more that international commitments require the harmonization or other adjustment of domestic law, the coordination of domestic policy or cooperation in domestic enforcement efforts, the more they will require government networks to make them work.”

An important way forward will be through further policy engagement and discussions among the informal networks of government officials and policy-makers concerned with international privacy law. One promising locus for these efforts is the Global Privacy Enforcement Network, of which the U.S. Federal Trade Commission is a founding member. Increased global collaboration in privacy investigations and enforcement actions worldwide will help develop shared goals of accountability and enforcement. It may also help defuse at least some of the current distrust and tensions between the EU and U.S. about information privacy law.

4 Comments

If you want to comment on this post, you need to login.

  • comment Monique • Jul 22, 2014
    Thank you Paul for this excellent analysis. As a binational and bicultural Belgian and U.S. attorney, having lived/worked nearly an equal amount of time in each country, I perfectly understand each side of the pond. Each has good points, and each has its shortcomings. I wish I could help buid bridges.
  • comment Monique • Jul 22, 2014
    build- (sorry, could not find an editing tool in the comments section).
  • comment Eduard • Jul 22, 2014
    This is a great (albeit admittedly unscientific) poll that really outline’s some key differences between the U.S. and German views of privacy. However, to assume that the German view of privacy is identical to that of the British, French, Spanish, Italian, Dutch, etc. view is not accurate and presumes some very serious generalizations. Not to mention that to assume the Germans speak for the rest of the E.U. (as much as they may want to) whether it comes to privacy or any other matter is a bit of stretch at best. While the Germans have a long history of privacy law as compared to the rest of Europe and the world, one cannot draw the same broad based comparison of U.S. law and policy (state and Federal) with an entire multinational treaty organization like the E.U. simply by polling German lawyers. Keep in mind that the creation of Directive 95/46 EC (The EU Data Directive) has been ‘marketed’ by the Europeans for almost 20 years as their uniform, continental prioritization of privacy as a fundamental European/U.N. human right. However, one of the real (forgotten and ignored) reasons behind Directive 95/46 EC was to avoid the creation of ‘data havens’ and data processing centers in southern countries like Portugal, Spain and Italy during the ‘90’s. The fear was that disharmony in data protection laws within the EC would mean a flow of capital and data processing operations to these southern E.U. nations away from more privacy conscious northern E.U. countries like Germany, the Netherlands, France, etc. By unifying these standards across the E.U. this issue was avoided. However, the fact that 95/46 EC was a Directive and NOT a regulation speaks to a continued lack of uniformity across E.U. countries as to how the directive has been implemented and enforced in each country over the last 20 years.
  • comment John • Jul 30, 2014
    There is much that could be changed about US privacy legislation for their own benefit. 
    But even ignoring much of the hype about distrust of the US, for many it may take a major upheveal of US anti-terrorism and intelligence agency powers before trust can even be considered.
    What matter US data privacy laws when private communications are openly tapped on entry to US shores, that any US company can be forced to hand-over private data without the right to even notify the data subject after the fact, and many other aspects of state treatment of data privacy make a mockery of any protections provided.
    Nearly every time I write on the subject I feel like a paranoid conspiracy nut, but it seems a subject where reality is stranger than fiction. For non-US businesses and organisations it is  'trust' on an almost emotional level that is likely to be the issue. And the legal obstacles to that trust are at a level where the laws that attorneys are involved with are irrelevant.