Privacy Advisor

Elections could impact U.S. and European privacy rights

November 1, 2012

By Mathew J. Schwartz

What happens to consumer privacy protections when there's a new administration in town? That's one question on the minds of privacy advocates as three upcoming events have the potential to reshape privacy rights around the world.

Those events include this year’s U.S. presidential election, which will either see Republican Mitt Romney become president or Democratic incumbent President Barack Obama remain in power. Then, on January 1, Ireland is set to assume the presidency of the EU for six months while the United Kingdom will assume the presidency of the Group of Eight (G8).

What privacy changes can we expect as a result of these transitions?

U.S. privacy: Innovation versus protection

In the U.S., the answer to that question of course depends on the presidential election outcome.

"It is probable that a Romney presidency would skew its policies towards facilitating commerce, whereas an Obama second term would tend to err on the side of consumer protection," said Brian Karp, an attorney at Baker & Hostetler in New York whose specialties include IT law and privacy.

But any new U.S. privacy laws would most likely have to balance both, since "generally speaking...the rights of individual consumers to control and keep confidential their personal information will slow down or prohibit innovation," he said.

Here's where U.S. privacy efforts currently stand: The Department of Commerce and Federal Trade Commission are "moving to creating the structure for addressing gaps in privacy protection," using the privacy guidelines released earlier this year by the White House, said Lillie Coney, associate director of the Electronic Privacy Information Center (EPIC). But those guidelines, which include the Consumer Privacy Bill of Rights, notably lack the force of law because Congress hasn't passed any related consumer privacy protection legislation.

Might that change? "Congress is likely to continue to raise information security and privacy as critical issues, and to that end, a nuanced and involved approach—balancing the economic need to share information with consumer protection—will evolve over time, regardless of the outcome of the election," said Karp.

On the other hand, Romney said that if elected, he would work with Congress to repeal two pieces of legislation with privacy implications: the Sarbanes-Oxley Act (SOX), which imposed tough new accounting standards on businesses, including the need to ensure the privacy and security of regulated data, and the Dodd-Frank financial regulation law, which Obama supported and which created the Consumer Financial Protection Bureau, a government-run watchdog for financial services and products.

"These legislative monsters that have been created kill jobs," said Romney at a March 2012 campaign stop in Ohio, reported The Wall Street Journal.

But even if the recent Dodd-Frank consumer protections were to be scuttled, "the privacy protection work is still managed by the FTC," said Coney.

Another potential privacy-related change, meanwhile, could be the introduction of a national identity card. While the Obama administration has proposed an Internet identity ecosystem, "Romney has previously shown support for a national biometric identification card," Karp said. "Such a national ID card is likely to be initially applied to employment status verification but over time could reach a level of identity ubiquity akin to Social Security numbers."

From a privacy standpoint, however, who would be allowed to access the collected data, and could it be securely stored?

Will UK use G8 as privacy platform?

At the beginning of 2013, the UK is set to assume the presidency of the G8, which counts the U.S., Japan, Germany, France, United Kingdom, Italy, Canada and Russia as members.

While privacy rights might not seem to be a natural fit for government meetings involving the world's leading industrialized nations, last year Nicolas Sarkozy, then the president of France, broke the mold by holding an e-G8 forum in Paris that focused on the Internet and innovation, economic issues, intellectual property, governance and privacy.

Sarkozy used the forum to promote his vision of an Internet that is more controlled by governments, although interestingly, the forum was sponsored by such companies as eBay, Google, HP, Microsoft and Orange. But the e-G8 discussions stopped short of debating such issues as the right to be forgotten, which has been proposed by the European Commission.

Might the UK use the G8 as a platform for pursuing changes in privacy law or Internet governance? A spokeswoman for the British Foreign and Commonwealth Office, reached by phone, said that it was too soon for such questions to be answered in detail.

Ireland assumes EU presidency

Also come January 1, Ireland will assume the presidency of the EU for a six-month term. Already, "the European Union is in the process of updating its privacy laws," said EPIC's Coney, referring to the European Commission's proposal, made in January 2012, to create a comprehensive reform of the 1995 data protection rules.

The moves to put a new framework in place are hardly the efforts of a fringe EU element. This month, for example, multiple EU data regulators criticized Google for providing "incomplete information and uncontrolled combination of data across services" after the search giant attempted to consolidate 60 different privacy policies into a single privacy policy covering all of its services, including search, YouTube and the Google+ social network. After reviewing Google's privacy policy changes, regulators have demanded that Google make its privacy policy clearer and better inform consumers about how they can opt out of having their data collected by—or shared between—any given Google service.

With those types of privacy efforts already underway, how will Ireland approach the draft data protection framework revisions? A spokesman for the Irish Department of Justice and Equality said that the government will detail its EU agenda this December but noted that "Ireland is committed to progressing the proposal for a General Data Protection Regulation, which was tabled by the European Commission in January 2012."

Ireland is no stranger to data protection. Notably, the Irish government forced Facebook, which has its European headquarters in Dublin, to increase privacy protections for all users outside of the U.S. and Canada as well as to allow Facebook users to retrieve a complete copy of all information that the social network has collected about them. Interestingly, that capability was extended by Facebook to all its users.

Seeking global privacy harmonization

As that suggests, privacy protections introduced in one country may benefit people around the world. Accordingly, why not try to get all countries on the same page, to make it equally clear to consumers and businesses exactly how personal information should be protected?

In fact, related efforts are already underway, via conferences such as the EPIC-coordinated Public Voice, held this month in Uruguay—in conjunction with the 34th International Conference of Data Protection and Privacy Commissioners. EPIC's Coney said the Public Voice conference is part of "a serious effort to harmonize privacy regimes globally because of the borderless nature of the Internet."

When it comes to protecting consumers' privacy, her organization is "focused on maintaining the standards established in the EU and Canada that provide strong privacy protection—with enforceable standards—through data protection authorities (DPAs)." Furthermore, the group is working to extend those protections beyond the EU and Canada. Could the U.S. be next in line, with legally binding consumer privacy protections and European-style DPAs? Stay tuned.

Mathew Schwartz reports on information security and privacy issues for InformationWeek, The Privacy Advisor and Inside 1 to 1: Privacy.
