Everybody knows the conventional wisdom: United States privacy law is weak and fractured, with neither comprehensive data protection legislation nor a dedicated privacy enforcement authority. The European Union is the gold standard of global privacy regulation, with its omnibus Data Protection Directive and collective force of 28 national data protection authorities.

Alas, as is so often the case, conventional wisdom is wrong.

In fact, the prevailing wisdom reflects a superficial analysis of privacy regulation on the books, ignoring a rich, multi-faceted reality of privacy developments on the ground. Far from its caricature as a beat-up railcar breathlessly panting behind the EU privacy locomotive, it is the U.S. that drives privacy policymaking worldwide.

These are the conclusions from a series of trailblazing articles by University of California, Berkeley, Professors Ken Bamberger and Deirdre Mulligan (see part 1, part 2 and part 3). Soon to be published as a full-length book titled Privacy on the Ground: Governance Choices and Corporate Practice in the U.S. and Europe, Bamberger and Mulligan’s research, which is based on a series of in-depth interviews conducted over two years with dozens of leading privacy professionals, makes (at least) two important contributions to privacy discourse. First, it introduces the reality of privacy on the ground, which in the U.S. comprises an emergent privacy profession replete with a rapidly expanding body of knowledge, training, certification, conferences, publications, web tools and professional development; self-regulatory initiatives; civil society engagement; academic programs with rich, multidisciplinary research agendas; formidable privacy practices in leading law and accounting firms; privacy seals; peaking interest from the national press; robust enforcement by federal and state regulators; and individual and class litigation. Second, it avoids the all-too-common tendency to gloss over the variance between European privacy regimes by fleshing out some stark differences between EU Member States, with Germany elevating privacy to a strategic, forward-looking issue while France and Spain confine it to a reactive compliance matter.

This week’s IAPP Global Privacy Summit will provide ample opportunity to further explore privacy on the books and even more so, privacy on the ground, with Professors Bamberger and Mulligan arriving in Washington together with leading European and global regulators. On Thursday, Bamberger and Mulligan will debate their most recent paper, Privacy in Europe: Initial Data on Governance Choices and Corporate Practices, with Giovanni Buttarelli, the Assistant EDPS. Some of the cross-border issues will also be discussed on Friday, in a special keynote conversation with Isabelle Falque-Pierrotin, the President of the French CNIL and Chair of the Article 29 Working Party; Christopher Graham, the UK Information Commissioner; and Jacob Kohnstamm, the Dutch data protection commissioner (until recently, himself the Article 29 Working Party Chair). In addition, tomorrow, the Future of Privacy Forum will host its annual Privacy Papers for Policymakers event on Capitol Hill, featuring a presentation of Bamberger and Mulligan’s paper, to be followed by a discussion with the privacy commissioners of France, Mexico, the Netherlands, the United Kingdom and the Assistant EDPS. (Other papers selected for presentation include ones by Neil Richards and Adam Thierer).

Bamberger and Mulligan’s work finds that, in the U.S., privacy has become ingrained in organizational risk-management processes and driven by business considerations focusing on the preservation of consumer trust and corporate reputation. In contrast, in many European jurisdictions, privacy remains confined to legal compliance and focused on registration and reporting obligations targeted at regulatory agencies as opposed to the public at large. The development of privacy in the U.S. closely tracks the emergence of the privacy profession and its linchpin, the Chief Privacy Officer, which has become a senior executive role with strategic vision, access to the board and oversight over increasingly distributed teams of privacy experts, who are ingrained in every arm of a business, including product teams, designers and engineers.

The CPO is both internal- and external-facing, with internal responsibility for introducing privacy into larger risk management processes and external engagement with policymakers, civil society, and – perhaps most important – similarly placed peers. Indeed, Bamberger and Mulligan quote one CPO who tells them “my team is not responsible for compliance, they’re responsible for enabling the compliance of the business.” This stands in contrast to the European Data Protection Officer, who – with certain exceptions in Germany – remains sidelined from business processes and relegated to legal compliance.

By incorporating multiple stakeholders, including not only companies and their regulators but also professional organizations, civil society, academics and the press, into privacy policymaking discourse, the U.S. has created an “environment for privacy,” which is far more dynamic and productive than one shaped by regulators alone. Indeed, one fascinating lesson from the Bamberger and Mulligan scholarship is that the development of privacy in the U.S. “has been positively shaped by the incomplete, and comparatively late, institutionalization of privacy governance, in that it has allowed dynamism and adaptability in the face of rapid changes in the use and treatment of personal data.”

Thus they suggest that “changes in the field have arisen because, rather than in spite, of regulatory ambiguity.” Specifically, the FTC’s reliance on a standards-based regulatory mandate, requiring an assessment of “unfairness,” “reasonableness,” “consumer expectations,” and “countervailing benefits,” allowed for the development of dynamic, consumer-focused, risk-management privacy processes. Such innate flexibility is essential in an area like privacy, which features still-nascent social norms that are as brittle as they are contextual.

Here, too, this organic development contrasts with the top-down European approach, which features highly detailed, technical legal mandates imposed by a staid bureaucracy and implemented by DPOs, whose “independence” becomes a double-edged sword, protecting them from corporate retribution but at the same time removing them from core organizational processes. As any parent who tries to educate a young child knows, children are ill served by strict and arbitrary mandates, such as “do x and y but not z,” and instead benefit from an iterative process that clarifies why doing x and y is better than doing z. This means – and should be an alarming lesson for the emerging European General Data Protection Regulation – that highly prescriptive legislative mandates actually foment less, not more, privacy. In this vein, one Spanish DPO interviewed by Bamberger and Mulligan “blamed the compliance mentality for steering his company toward an inefficient and less privacy protective—but easily understandable—solution.”

On the positive side, the expansive, organization-wide, risk-management approach to privacy is spilling over from U.S. organizations to the EU. This is happening through multinational businesses with robust global privacy programs; the activities of professional organizations such as the IAPP; and the evolution of certain EU DPAs to focus less on administrative reporting obligations and more on the creation of best practices and engagement of broader constituencies and the press. As Bamberger and Mulligan note, “blending privacy into business unit decision-making from the start also offers a means for transforming privacy from a cost or limit to a function that must be integrated, along with other core specifications, into each product or service.”

Surely this is what “Privacy by Design” means on the ground.

Photo: Jon McGovern via photopin cc

4 Comments

  • Jeff Chester • Mar 4, 2014
    Unfortunately, Mr. Tene and others that claim the US has a better privacy regime than the EU don't actually analyze what's going on on the ground. If they did, one could not defend the commercial surveillance system that has the US in its grip, and which is still challenged by the EU-based approach. The analysis of privacy practices that doesn't take into account what is actually happening in data collection today underscores why the EU must resist the self-serving lobbying of the data collection lobby. And why we must press the U.S. to establish legal safeguards that give citizens control over their data.
  • Mike O'Neill • Mar 4, 2014
    Lobbyists have successfully obscured the issue in both jurisdictions, and their influence is far more important than the institutional and legal differences. It was this influence that led to the irrational removal of the "prior" adjective from the EPD and the adoption of the "implied consent" guidance and banners: "we use these complicated technical things called cookies but because you visited our website we already put them in your browser. Oh, and you don't get an option to refuse them anyway". The same is true of the ill-defined "pseudonymous" category of PII that clouds any understanding of the GDPR.
    The serious issue for both polities is how to ensure the global rights of their citizens against the concentrated influence of extremely well-funded vested interests.
  • Dan P • Mar 5, 2014
    As also said by conventional wisdom, "there is truth everywhere" ... It is indeed a pity and a truth that the current narrow "regulatory - compliance" based approach within most EU companies is too common and doesn't help to implement effective privacy protection. But on the other side, the US fragmented, awkward and enforcement-lacking framework doesn't provide real "data subject" privacy protection and as such lets bad actors, or less "privacy mature & respectful" companies, do anything they like. Only the good ones in the US are doing it well... but it comes from their own "responsible" and "accountable" vision and implementation... not necessarily from the US privacy regulatory framework by itself.
    
    The path forward is to openly discuss both approaches and do our best (governments, business and civil society) to find a common-sense middle ground... in short, trying to take the best of both worlds. I am personally convinced that it is progressively coming; we still need time, and frankly it will help nobody to continue this attitude of saying "We are right, they are wrong". The US, EU and others are all coming from different backgrounds, history, business and legal contexts... but global business no longer allows for so many gaps and a so-called "Manichean" attitude.
  • John Bryan • Mar 8, 2014
    I do disparage the US's lack of cohesion in DP legislation. But considering the strong anti-federalism attitude that individual states appear to have, HIPAA has been an impressive success as far as I can tell (though I am not really qualified to judge). It does seem to provide a potential beacon which might show state and federal legislators what can be done. And if it has created more accessible DP expertise, that is something that could benefit hugely in supporting data privacy outside of the health industry. Of course, concentrating on a single industry, and one that is used to having rigorous procedures, is an easier task than omnibus application.
    
    And there are failings in the EU attempts. 
    
    But I find it difficult to see how, in terms of total DP application, the US can be seen as a poorer achievement than that of Europe.
    
    I do agree that too often DP is seen as a matter of compliance rather than of need; that it is applied by rote rather than by design. Also that there is not a proper support infrastructure for businesses. As far as I can see, the majority of UK businesses are too small to have a dedicated data privacy officer and do not even understand what ensuring data privacy entails.