Posted in EU Data Protection
I recall that in the 1990s and early 2000s, it was often a struggle to get people outside of Europe to take EU data protection law seriously. The perceived lack of enforcement in the EU, and the dynamic legislative climate in the U.S., meant that more attention was given to U.S. developments.
The situation is now reversed, and there has been intense interest in the European Commission’s proposal for a General Data Protection Regulation published in January 2012, and in related developments such as calls for reform of the EU-U.S. Safe Harbor. U.S.-based lobbyists have descended in hordes on the EU institutions; U.S. government representatives travel to Brussels to lobby the EU, and U.S. authors publish articles and papers on complex issues of EU law. Brussels has become the center of the global privacy world.
This causes us in Europe to wonder: Why doesn’t the U.S. work as hard to improve its own privacy law as it does to lobby for changes in the EU?
The stance adopted by the European Commission in the report on the functioning of Safe Harbor published today was probably one of the worst kept secrets of the privacy world. It was patently obvious to anyone close enough to the controversy around the ability of Safe Harbor to live up to the expectations of EU policy makers and regulators that the Commission would be critical about it but would stop short of delivering a fatal blow to the scheme.
Imagine the NSA, European Parliament, Tor and Vodafone having a civilized conversation about privacy. Considering that the ricochets from the Snowden affair are still reverberating on both sides of the Atlantic, this may seem implausible. But you better believe it: the IAPP Europe Data Protection Congress 2013 is featuring a panel discussion among representatives of all of the above, which I look forward to moderating.
EU Data Protection
After nearly two years of deliberations, the European Parliament has come out of the legislative closet with its proposed view for a new EU data privacy framework. In many respects, the Parliament has surprised many of its critics by delivering a draft proposal which is more measured than the European Commission’s original text. On the whole, however, the Parliament’s draft represents a powerful statement in favour of people’s ability to control their own data.
The committee of the European Parliament charged with shepherding the proposed EU Data Protection Regulation—the LIBE Committee—finally has reported out an amended version of the Regulation. And despite the fact that a Commission-initiated review of the EU-U.S. Safe Harbor is pending, it appears the LIBE Committee effectively has called for the end of the Safe Harbor.
Like the Catholic Church’s Congregation of the Index of 1616, which outlawed the movement of the Earth around the sun, so too will the European Parliament restrict transborder data flows by legislative fiat this week.
Of course, the flow of data across borders will not cease or even diminish. Individuals will continue to carry iPhones on cross-Atlantic flights, “transferring data” (whatever that means) about their employers’ customers to “non-adequate” countries; and European individuals and businesses will access non-EU based websites and services, including banking, telecom, retail and cloud. Lawyers will be paid to produce paperwork, which bureaucrats will read; businesses continue to operate as before.
As Galileo said, “And yet it moves”.
Next month, FTC Commissioner Julie Brill and Danny Sepulveda, Deputy Assistant Secretary of State, will travel to Brussels to discuss privacy with EU officials. Later in the month, Poland will host the 35th Conference of Data Protection of Data Protection and Privacy Commissioners, a meeting that will be attended by privacy officials and stakeholders from around the world. Both gatherings provide an opportunity to declare a cease fire in the war of words—a war in which most of the “incoming” has originated on the European side of the Atlantic in the wake of the Snowden NSA revelations, and a war that threatens progress in international cooperation on privacy.