A Privacy Gap as Wide as the Atlantic Ocean

Back in December, U.S. Department of Commerce General Counsel Cameron Kerry gave a speech in which he said that his agency would be "watching closely" how the European Commission approached data privacy protection in its then-unreleased data protection regulations. At the time, neither the European Commission nor the Department of Commerce had released their data privacy protection proposals.

The European Commission's proposal for a data protection regulation is out now. Commerce's proposal is expected to be released any day.

There seems little doubt that, when the two documents are laid side-by-side, they will reveal a difference in approach to privacy as wide as the Atlantic itself.

In the European Union, where privacy is considered a fundamental human right, the policy leader is Viviane Reding, vice-president of European Commission and leader of its Justice, Fundamental Rights and Citizenship directorate. Here in the United States, where the privacy is viewed as an interest to be balanced against other interests, the lead agency for privacy policy development is the Department of Commerce, an agency whose mission is to promote the domestic economy. Privacy rights are not part of Commerce's mission nor, for that matter, is consumer protection.

In his speech, Kerry promised that his agency's forthcoming "white paper" proposal would call for a "comprehensive Bill of Rights as a baseline for consumer data privacy." Because data privacy protection is a significant financial burden on business, particularly on the dynamic (and notoriously insecure) internet, the privacy rights that Commerce eventually proposes will necessarily be tempered by the needs of businesses to maximize the return on their activities and to eliminate barriers to future innovation. A true privacy right emanating from the Department of Commerce would be an odd duck indeed. Perhaps the thought here is that online businesses should be given same sort of friendly regulation that domestic agriculture receives from the Department of Agriculture.

Over on the other side of the Atlantic, the European Commission's privacy proposal describes the following as fundamental human rights:

  • a right that personal data not be collected or processed without prior, explicitly given consent;
  • a right to have personal data processed for explicitly specified purposes and not for further, incompatible purposes;
  • a right to have only as much data collected as necessary for the specified purposes;
  • a right that data be accurate and up-to-date;
  • a right that data be maintained in a personally identifiable format no longer than necessary;
  • a right to data portability between service providers;
  • a right to be informed about data that has been collected;
  • a right of access to data that has been collected and a right to correction;
  • a right to be forgotten (i.e., a right to request deletion of data);
  • a right to notification of a data breach without unreasonable delay and, in any event, to have local data protection authorities notified within 24 hours of discovery of the breach;

The EC also proposed additional rights for individuals in cases of sensitive data, data-mining, and profiling. All of the rights proposed by the EC would be enforced by data protection authorities in each EU member state, who have authority to impose rather large fines, and by private lawsuits in local courts.

There isn't much doubt that, when the white paper is released, American-style privacy is going to fall far short of the European Commission's conception. Judging from its December 2010 "green paper"proposal, the Department of Commerce's view emphasizes flexibility, innovation, and generally creating the least possible burden on businesses. The green paper called for industry-created codes of conduct that conformed to an as-yet unspecified "Bill of Rights" to be legislated by Congress, all  backed up by Federal Trade Commission enforcement. The green paper also recommended that federal privacy policy be directed through a new privacy policy office within the Commerce Department.

The green paper reflects the reality that there is very little sentiment among federal government officials to write into law strong data privacy rules along the lines of those proposed by the European Commission. The United States and Europe are fundamentally at odds over the nature of privacy rights. We don't agree with Europe on the nature of privacy or on how privacy rights/interests/expectations should be enforced. This state of affairs is not going to change soon, unless a movement in favor of individual privacy rights materializes soon. Though something along the lines of the recent SOPA/PIPA uprising might do it.

It will be interesting to see if the Department of Commerce will use the upcoming white paper to respond to the European Commission's views on privacy. They might offer a defense of U.S. privacy policy. They might explain how our system of industry codes and FTC oversight is all that Americans want and businesses can reasonably be expected to provide. Commerce officials might also give increased attention to helping businesses in the United States cope with, and thrive under, the imminent European privacy regulations. These objectives seem more in line with Commerce's statutory mission than the task of defining privacy rights in the first place.

By Thomas O'Toole

Follow this blogger on Twitter at @bnatechlaw.