Privacy Advisor

IN FOCUS: The Directive

May 1, 2013


By Angelique Carson, CIPP/US

Editor’s Note: Beginning with this edition of The Privacy Advisor, the IAPP will ask one expert to zoom in on a topic of interest. If you have a subject you’d like to discuss in depth for a future edition, contact us.

In this Q&A, Timothy Toohey, CIPP/US, CIPP/E, of Snell & Wilmer, discusses the tensions and controversies within the proposed EU data protection regulation.

Toohey says historical differences between the EU and U.S. on privacy as a right have led to varied reactions to the plan, with some member states praising the proposed regulation—and the Albrecht report that followed—and others expressing concerns. Particularly controversial are the creation of a “one-stop-shop” for companies doing business in Europe and the concern expressed by U.S. industry and others regarding the effect of the proposed regulation on innovation.

The Privacy Advisor: If the regulation is enacted as proposed, could a trade war ensue?

Toohey: There are many points in common between the U.S. and EU in regard to general views regarding privacy, including consumers’ expectations. However, use of the same words may conceal differences in their meaning between the two entities, and divergences within the EU itself may be as significant as the differences between the U.S. and the EU. For example, there is a wide gap between the UK ICO’s views and those of data protection authorities in other EU member states. Even within certain countries, like Germany, which has strong traditions of data protection within individual German states, there are significant differences in attitude towards the proposed regulation. The debate is also being shaped by globalization and the rapid expansion of the transfer and storage of data, as exhibited in cloud computing and Big Data. Companies need interoperability to compete or even exist and are leery of turf wars and extraterritorial laws.

Obviously, the Albrecht report struck a really strong chord in the business community, including U.S. companies, and even led one embassy official in Germany to speak of a possible trade war. We have seen really intense lobbying efforts in recent months about the regulation. We haven’t seen the end of these yet, nor have we seen the final version of the regulation. I would tend to doubt that a trade war will result, but much will depend on the activities in the next few months.

The Privacy Advisor: What about the right to be forgotten? Will it stay?

Toohey: It’s been put out in a way that it may be one of the only things that some people can remember about the EU proposal—or at least it will be the first thing that many will remember when it is mentioned. To me, it has a catchy name; it’s an intriguing concept, and it’s a concept that goes to the heart of what makes a lot of consumers uncomfortable about the Internet. Not just Europeans but many in the U.S. are concerned about the collection of perpetual private data on individuals. I think that it is unlikely that it will be abandoned. One reason I think it will stay is that if you look at surveys on both sides of the Atlantic, some people have strong views regarding collection of personal information and compiling of data on them as individuals. The devil will be in the details, particularly about how the right to be forgotten will be implemented in practice—if it is possible to implement it technically. I find it interesting that there are doubts even within bodies of the EU that it can be technically implemented. And certainly the companies that are gathering information are probably thinking, “How are we going to comply with this?” There can be copies of digital data out there in many places. In the end, I think it will remain in some form or another, but there may be more pressure to modify some of the consent and transfer provisions, as we can see in the controversy over the Albrecht proposal.

The Privacy Advisor: Why such divergent views within Europe itself?

Toohey: Historical territorial differences and antagonism to the heavy hand of Brussels in some member states, such as the UK, play a hand. Attitudes even within member states also differ, depending upon the countries’ agendas to promote technological growth. Technology is clearly an important part of the European economy and is a bright spot in an economy that has very well publicized weaknesses. It is one thing to appear to be attacking tech enterprises outside of Europe but quite another to be creating problems for domestic industry with a new regulation at a sensitive economic time. I think what we’re seeing playing out in Europe is similar to what we see when new laws affecting technology are introduced here in the U.S. You typically hear very strong voices being raised about innovation and growth, citations to the effect of bureaucracy on technology and concerns about overly proscriptive rules. Because this is an EU-wide regulation, which will not allow for some of the flexibility that comes with the current directive, certain voices have been raised. The debate is also played out in different terms in the EU because of the strong culture of privacy—not to mention its constitutional dimension that is lacking here. I do have a certain skepticism about motives of opposition to some aspects of the proposed regulation in some cases, but the existence of strong divergent views within Europe indicates that those who believe in the open Internet and the free flow of data have a strong point of view, just as they do here.

The Privacy Advisor: Are companies being proactive when it comes to compliance?

Toohey: The regulation is really something of a moving target, so it is rather difficult for companies to know precisely how they will comply, given it is not in final form. We have the proposed regulation from 2012; we have the Albrecht proposal from this year. This is really a lot of reading for anyone to absorb. I am not sure how many companies really want to try to tackle this in every respect when it isn’t entirely clear what is going to emerge. It is still certainly advisable for companies to be aware of what is coming and to take the debate very seriously. The crystal ball, at this point, is somewhat clouded, and the best approach is caution. In the meantime, my colleagues on both sides of the Atlantic will be awaiting the next round of voluminous reports.