Earlier this month, at the IAPP Europe Data Protection Intensive in London, UK, Jacob Kohnstamm, chairman of the Dutch Data Protection Authority and former chairman of the Article 29 Working Party, announced a promising new transatlantic privacy initiative. Known as the Privacy Bridge Project, it will be co-led by Danny Weitzner of the Massachusetts Institute of Technology and Nico van Eijk of the University of Amsterdam and composed of some 20 privacy experts from the EU and U.S. The initiative seeks to develop practical solutions to bridge the gap between European and U.S. privacy regimes.
The Privacy Bridge Project is an especially welcome development in the wake of last summer’s transatlantic fallout from the Snowden controversy.
This note is intended to offer encouragement to the group and some thoughts for the group’s consideration.
- Build From the Existing Body of Tranatlatlantic Data Privacy Practice. There are several dozen existing agreements on the sharing of personal information between the EU, its member states and the U.S. These include Safe Harbor, Passenger Name Records, Terrorist Tracking and Finance Program, visa and passport records, Mutual Legal Assistance Treaties, 17 Totalization Agreements and cooperative agreements on exchanges of information in the areas of securities and commodities. Each of these agreements has provisions that establish areas of agreed-upon practice and understanding. The Privacy Bridge Group could use this framework as a starting point to show where both sides have agreed.
- Look to Successful Examples of Mutual Recognition. This is not the first time the EU and U.S. have looked to build bridges over a single subject matter. There are other areas such as customs, visas, transportation, taxation and securities where the parties have different frameworks but have been able to find transatlantic and even global solutions based on mutual recognition. The Privacy Bridge Group could look to other examples of mutual recognition in these areas, what those experts did to achieve a common framework and how that might work in the privacy context.
- Bring Non-Privacy Experts Into the Room. As good as these experts are, it would be useful to infuse the transatlantic privacy dialogue with practitioners, lawyers and policy thought-leaders from other international fields. This could infuse new concepts that could allow the Privacy Bridge Group to devise fresh and innovative solutions.
- Watch Your Language. Even as a topic, EU and U.S. terminology diverges. The U.S. says privacy; the EU says data protection. The differences in terminology multiply as one looks into principles and practices. In some cases, terms like proportionality or data minimization may be unique to one side. To minimize the misunderstandings, it could be useful for the Privacy Bridge Group to develop neutral terms that bridge a concept or outline comparative definitions around a single concept.
- Remember: You’re Not That Far Apart. The EU and U.S. are liberal democracies that follow the rule of law. On data privacy, they share many of the same fundamental principles. The U.S. and 18 EU member states have signed onto the 1980 OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data and the 2013 update.For those differences that are truly fundamental; e.g., common law vs. civil law, each side should embrace the process differences and accept that others may do things differently to implement the same principle.
The rewards for the EU and U.S. are immense. The EU and U.S. have a chance to arrive at a common privacy framework that can set the standard the rest of the world can follow. Here’s to the success of the Privacy Bridge Group.
If you want to comment on this post, you need to login.