After roughly a year and a half, the first report out of the Privacy Bridges project, announced at the IAPP’s Data Protection Intensive in London in May of 2014, has been released, just in time for next week’s International Privacy Conference in Amsterdam.
As the world’s data protection authorities gather for the 37th time, they will have plenty of grist for the discussion mill. The Privacy Bridges architects, headed up by MIT CSAIL’s Danny Weitzner, formerly of the White House, and the University of Amsterdam Institute for Information Law’s Nico van Eijk, have delivered what they’re billing as 10 privacy bridges “that will foster stronger transatlantic collaboration and advance privacy protection for individuals.”
You can find the full report here.
With the European Court of Justice’s invalidation of the U.S.-EU Safe Harbor agreement still fresh on the tongues of privacy professionals everywhere, these suggestions for bettering U.S.-EU privacy and data protection relations are certainly topical. The 19 members of the project, drawn from the likes of former EDPS Peter Hustinx, former U.S. Department of Homeland Security CPO Mary Ellen Callahan and a host of academics and data protection lawyers, were tasked with cutting through political grandstanding and dialing in to practical solutions that would create common ground.
“Too often,” they write in the report’s executive summary, “the resulting tensions have been as much about scoring political points as about substantive issues. We believe it is crucial to emphasize instead what the two sides have in common by identifying practical measures to increase privacy protection that could be used both in the transatlantic setting and potentially in other regions around the world.”
These 10 “bridges,” therefore, aim to capitalize on the current environment, without the need for further legislation or substantive legal hurdle-jumping on either side of the Atlantic.
“For many years attempts have been made by both the EU and the US to convince the other side that the only right way of doing things is theirs,” said Jacob Kohnstamm, who heads the Dutch DPA, which hosts the Amsterdam conference next week. “Furthermore, both sides are re-inventing the wheel themselves. Due to this behavior, seemingly simple solutions to increase the protection of personal data worldwide have not been thought of or launched. Members of the project have put aside the differences in legislation. This has led the group to come up with realistic first steps to build practical bridges that make the lives of people, companies, governments and supervisory authorities a little easier and that will raise the level of data protection.”
Weitzner agreed: “With Internet services that operate across the US-EU border in real time, we believe that increased practical engagement between civil society, industry, academia and governments is vital to develop shared privacy practices. Respecting existing law, these shared practices can advance the practical privacy rights of Internet users whether they are in Europe, the United States or elsewhere.”
So, what are we talking about here?
Some of the 10 are relatively obvious and would seem possible in the short term to implement. The first bridge, for example, suggests a memorandum of understanding between the U.S. Federal Trade Commission and the EU Article 29 Working Party, so as to establish a formal working arrangement and regular meetings.
Of course, the General Data Protection Regulation would eliminate the A29 Working Party, but a similar arrangement could be reached with the EU Data Protection Board in two years.
Similarly, Bridge 10 suggests collaboration on privacy and data protection research between those working on both sides of the Atlantic. While funding barriers exist, it would seem that money could be set aside by both governmental entities, or by partnering universities, for the purposes of trans-Atlantic efforts.
Bridge 5 makes straightforward suggestions, too, for the ways that companies could make a “bottom-up” effort toward addressing government access to private data. Creating consistent ways of handling government requests and reporting those request activities on an annual basis is something an industry coalition might be able to tackle in relatively short order.
Perhaps even Bridge 7, which suggests a standardization of breach notification laws, could be accomplished relatively quickly with a federal breach notification bill in the United States being brought into harmony with the breach notification language now under negotiation in the trilogue process for the General Data Protection Regulation.
Others of the Bridges would seem thornier. Bridge 6, for example, suggests a standardization process for de-identification definition and techniques, through a body like the W3C. If that process is anything like the one for the definition of Do Not Track, it may take some time to come to fruition.
Further, Bridge 2, which calls for “usable technology, developed in an open standards setting process, combined with clear regulatory guidance from both EU and U.S. regulators resulting in enhanced user control over how data about them is collected and used,” sounds like a daunting task, indeed, given the ever-evolving nature of the ways that users access the Internet and interact with technology. Conformity of user control in the era of the Internet of Things is generally regarded as one of the stickier issues in privacy and data protection.
All of the bridges, of course, require substantial effort and commitment, both for governmental organizations and for companies that would like to walk over them. "The Bridges stress the importance of accountability," noted IAPP President and CEO Trevor Hughes, "including organizational data governance programs, oversight by top management, the activity of privacy professionals to assure proper implementation and training and awareness for employees on program requirements and related policies and procedures." There are no switches that can be easily flipped to create a solution that will make everyone on both sides of the Atlantic happy.
That work starts next week in Amsterdam. “I took note of the end result of the Privacy Bridges project with great enthusiasm,” said Kohnstamm. “I look forward to the discussions about the proposed bridges with the 700 conference participants next week.” Look for continuing reports on the discussions from the IAPP in this space.