By Sam Pfeifle
Publications Director

The keynote stage here at the IAPP Data Protection Congress in Brussels became a diplomatic back and forth this morning as Constantijn van Oranje-Nassau, the Head of Cabinet of Vice-President of the European Commission Commissioner for the Digital Agenda Neelie Kroes, first delivered the European Commission’s view of data protection and then was followed by an address from U.S. Federal Trade Commissioner Julie Brill.

Both emphasized the need to encourage innovation. Both emphasized the threats to privacy posed by new Big Data business models. Both expressed hopefulness and optimism that the U.S. and the EU would find a way to work together on data transfer regulations. Both addressed whistleblower Edward Snowden’s revelations about the activities of the U.S. National Security Agency and other intelligence agencies.

Reading between the lines, it was easy to see a desire from both parties to preserve data transfer mechanisms like Safe Harbor in order to set up a good old-fashioned battle between their respective industries looking to turn a profit in the online space. Perhaps the EU would like to put a thumb on the scale in favor its growing cloud computing industry, while the U.S. would like to preserve Silicon Valley’s current dominance.

Oranje-Nassau, speaking in place of Kroes, who was unavailable due to a medical issue, delivered Kroes’ address nonetheless and made it clear he was speaking on her behalf.

He first took pains to show the commission has “increasing recognition of the available data’s potential. It can make administrations more transparent and it can stimulate rich markets. The G8 recognized this with their Open Data Charter … and this is what the commission stands for. It’s what the Open Data package of 2011 is all about: new ways to open up public administrations and a new open EU data portal. And it’s not just the G8 and the commission but also the European Council that brings together our government leaders. Last October they realized the potential of Big Data and the need for a single market in cloud computing and Europe capitalizing on both.”

Oranje-Nassau noted the commission will announce in the spring a strategic agenda for research and data, with public-private partnerships likely to play a large role so as to “get the most bang for our research Euro.” He mentioned specifically support for secure Big Data, the training of skilled workers, modernizing copyright law and encouraging different actors in the Big Data ecosystem to work together.

“For some,” he continued, “the instinctive reaction is to be worried about these trends. They see the rise of Big Data and the cloud as a paradigm shift in privacy, with outcomes that may be intrusive, annoying or plainly wrong. And I agree we should not ignore these risks. We should understand and address them.

“We need to insure that new technologies address privacy, though, without the law being a straightjacket. ‘Fundamental rights’ doesn’t mean losing the opportunity of Big Data. Mastering Big Data means mastering privacy.”

In making it clear the commission does not want to stand in the way of economic growth, Oranje-Nassau said, “Tomorrow’s world will be digital, and Europe can either lead or follow. We can be at the table or on the menu. We must not be afraid to capture opportunities.”

However, the commission’s position is hardly to loosen privacy regulations.

While saying, “a single data protection law for Europe would be a big step forward,” he also said, “laws aren’t always enough. They need to be properly enforced.”

He said he strongly supports industry-initiated efforts in this realm, pointing toward the data protection code of conduct being developed by the cloud industry alongside the Article 29 Working Party.

“Data privacy cannot come at the expense of innovation,” he declared, but he also laid out four points where the commission would like to see movement.

“We would like to see technical solutions that can give users control over their desired level of privacy,” he said, “how their data is used, how to verify their online rights and how data is respected. How can we insure systems that are empowering and secure?”

U.S. FTC Commissioner Julie Brill and the European Commission's Constantijn van Oranje-Nassau engage in conversation following their IAPP Data Protection Congress program.

The ideas include, first, a standard commitment to Privacy by Design. “Business ideas have two purposes,” he said, “delivering a service and protecting privacy at the right level.”

Second, he said, any Big Data applications that might put fundamental rights at risk should have a privacy impact assessment required.

Third, he said that he felt “consent is a cornerstone of data protection and should stay that way,” but “users can’t be expected to know everything or consent to what they cannot realistically understand.” Nor, he said, should there be false dilemmas, where you either agree to forgo privacy or be shut out of the service.

Finally, there needs to be a commitment to de-identification. That could allow a company to process data on legitimate interest rather than consent. “That could make all the difference in the world to Big Data without endangering privacy,” Oranje- Nassau said. “However, they must show they comply with the guiding principles of data protection law. If something goes wrong, they will be accountable.”

None of this seemed to be out of line with Brill’s address.

“We find ourselves at a crossroads, contemplating the direction in which we will move. The path we choose next will have significant consequences,” she said, on the future of the U.S.-EU transatlantic relationship.  “As we contemplate the course,” she said, echoing the commission’s language, “we have to decide whether we, regulators and industry, will be able to work together to both protect consumer privacy and spur innovation. At this fork in the road, I believe the answer to this question is ‘yes,’ and although there will be obstacles along the way to obtaining the twin goals, we should be mindful of the words of one of my heroes, Eleanor Roosevelt: ‘A stumbling block to the pessimist is a stepping stone to the optimist.’ I am an inveterate optimist.”

Thus, she addressed Safe Harbor straight on. Noting that Safe Harbor has come under fire often lately—including another story yesterday featuring MEPs questioning Safe Harbor—she said, “Safe Harbor may be an easy target, but I do not believe that it’s the right target.”

“Listening to Neelie’s speech, and mine,” Brill said, “you can hear how we share similar views on many important issues. That’s because the challenges we face and our yearning to address them are largely the same. Of course, the mechanisms we develop may differ.

“We both believe consent is important, but we have different approaches as to when and how that consent should be obtained,” she continued. “In light of the differences between our frameworks, I believe interoperability is critical. We have to develop and preserve mechanisms to facilitate the flow of information across borders and protect privacy.”

Brill called Safe Harbor a “very effective tool for protecting the privacy of EU consumers” and emphasized that “the FTC has vigorously enforced the Safe Harbor,” noting 10 separate enforcement actions “although we receive very few referrals from member state authorities.”

She added, We’ve taken the initiative to look for Safe Harbor violations in every single privacy and data security investigation we conduct. That’s how we discovered the Safe Harbor violations of Facebook, Google and Myspace.”

Then, addressing what she called the “elephant in the room,” she acknowledged that Safe Harbor has “received its share of criticism in large part due to revelations about government surveillance. There’s no doubt that has created tensions in the transatlantic partnership.”

However, while she said she personally welcomes the global debate about government surveillance and the online marketplace, “it’s important that we recognize that privacy in the commercial sphere and surveillance to protect national security are two separate things.

“Indeed,” she continued, “the 1995 data protection directive and approved transfer mechanisms have national security exceptions. Simply put, none of the transfer mechanisms was designed to address national security issues.”

Which is not to say Brill thinks Safe Harbor-based data transfer is perfect. While she does not believe that it “should be suspended or renegotiated,” there are steps that could be taken to improve its usefulness.

First, she believes that there needs to be more affordable alternative dispute resolution. It should be inexpensive or free, she said: “Consumers should not have to pay fees to have their complaints heard.”

Second, transparency should be added to the program, such as all Safe Harbor firms adding a link to the Safe Harbor website and alternative dispute resolution providers. Both sides of the Atlantic, too, should engage in Safe Harbor education.

And, third, we need to “consider ways to increase the accountability of companies engaged in cross-border data transfer.”

Finally, she also declared support for baseline privacy law in the U.S., and, barring that, at least privacy law that specifically addresses data brokers. “I’m particularly concerned about the invisible collection of data across all platforms,” she said, and “the use of Big Data analytics that creates profiles that are not anonymized and are in fact targeted, where consumers have no visibility into this practice whatsoever.”

With all of that done, Brill sounded confident that common ground could be found and Safe Harbor, and data transfer in general, could continue.

“Rather than building barriers,” she said, “I, for one, am still a believer in building bridges. I call on all stakeholders in joining me in this endeavor.”

How about the European Commission?

While Oranje-Nassau didn’t as explicitly hold out an olive branch, he did downplay somewhat the impact of the NSA revelations. “Spying has been going on for some time,” he said, using Kroes’ speech. “It is perhaps one of the oldest professions in the world, and it uses whatever tools are at hand. Today, it’s the digital ones. So, we shouldn’t be naïve on this. However well-drafted and carefully negotiated (a law is), the risk of breaking the law won’t deter the average hacker or spy.”

Thus, there was good indication that the EU would focus more on cybersecurity, locking down data from prying eyes, and perhaps preserve the data-transfer agreements like Safe Harbor that encourage commerce.

“When your house is broken down,” he said, “you don’t need a lawyer, you need a lock.”

With the right locks in place, he said, “we can make the continent the world’s natural home for secure online services, and ensure that Europe can capture the rewarding benefits of the online age.”

Surely, those benefits would include transferring data to the United States.

Read More By Sam Pfeifle:
Top Six Inadequacies Found During Privacy Audits
Big Data Jobs Board Sees Privacy Jobs Growing Fastest
EuroPriSe Seal To Change Hands January 1
Where IBM Thinks BYOD Technology Is Headed


If you want to comment on this post, you need to login.


Board of Directors

See the esteemed group of leaders shaping the future of the IAPP.

Contact Us

Need someone to talk to? We’re here for you.

IAPP Staff

Looking for someone specific? Visit the staff directory.

Learn more about the IAPP»

Daily Dashboard

The day’s top stories from around the world

Privacy Perspectives

Where the real conversations in privacy happen

The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

Privacy Tracker

Alerts and legal analysis of legislative trends

Privacy Tech

Exploring the technology of privacy

Canada Dashboard Digest

A roundup of the top Canadian privacy news

Europe Data Protection Digest

A roundup of the top European data protection news

Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

IAPP Westin Research Center

Original works. Groundbreaking research. Emerging scholars.

Get more News »

Find a KnowledgeNet Chapter Near You

Network and talk privacy at IAPP KnowledgeNet meetings, taking place worldwide.

Women Leading Privacy

Events, volunteer opportunities and more designed to help you give and get career support and expand your network.

IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

Join the Privacy List

Have ideas? Need advice? Subscribe to the Privacy List. It’s crowdsourcing, with an exceptional crowd.

Find more ways to Connect »

Find a Privacy Training Class

Two-day privacy training classes are held around the world. See the complete schedule now.

Online Privacy Training

Build your knowledge. The privacy know-how you need is just a click away.

The Training Post—Can’t-Miss Training Updates

Subscribe now to get the latest alerts on training opportunities around the world.

New Web Conferences Added!

See our list of upcoming web conferences. Just log on, listen in and learn!

Train Your Staff

Get your team up to speed on privacy by bringing IAPP training to your organization.

Learn more »

CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

CIPT Certification

The industry benchmark for IT professionals worldwide to validate their knowledge of privacy requirements

Certify Your Staff

Find out how you can bring the world’s only globally recognized privacy certification to a group in your organization.

Learn more about IAPP certification »

Get Close-up

Looking for tools and info on a hot topic? Our close-up pages organize it for you in one easy-to-find place.

Where's Your DPA?

Our interactive DPA locator helps you find data protection authorities and summary of law by country.

IAPP Westin Research Center

See the latest original research from the IAPP Westin fellows.

Looking for Certification Study Resources?

Find out what you need to prepare for your exams

More Resources »

GDPR Comprehensive: Spots Going Fast

With the top minds in the field leading this exceptional program, it's no wonder it's filling quickly. Register now to secure your spot.

Be Part of Something Big: Join the Summit

Registration is open for the Global Privacy Summit 2016. Discounted early bird rates available for a short time, register today!

Data Protection Intensive Returns to London

Registration is now open for the IAPP Europe Data Protection Intensive in London. Check out the program!

P.S.R. Call for Speakers Open!

P.S.R. is THE privacy + cloud security event of the year, and you can take a leading role. Propose a session for this year's program.

Sponsor an Event

Increase visibility for your organization—check out sponsorship opportunities today.

Exhibit at an Event

Put your brand in front of the largest gatherings of privacy pros in the world. Learn more.

More Conferences »

Become a Member

Start taking advantage of the many IAPP member benefits today

Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits

Join the IAPP»