Privacy Advisor

EU, U.S. Officials Indicate Potential Privacy Agreement at Data Protection Congress

December 11, 2013

By Sam Pfeifle
Publications Director

The keynote stage here at the IAPP Data Protection Congress in Brussels became a diplomatic back-and-forth this morning as Constantijn van Oranje-Nassau, head of cabinet for Neelie Kroes, vice-president of the European Commission and commissioner for the Digital Agenda, first delivered the European Commission’s view of data protection and was then followed by an address from U.S. Federal Trade Commissioner Julie Brill.

Both emphasized the need to encourage innovation. Both emphasized the threats to privacy posed by new Big Data business models. Both expressed hopefulness and optimism that the U.S. and the EU would find a way to work together on data transfer regulations. Both addressed whistleblower Edward Snowden’s revelations about the activities of the U.S. National Security Agency and other intelligence agencies.

Reading between the lines, it was easy to see a desire from both parties to preserve data transfer mechanisms like Safe Harbor in order to set up a good old-fashioned battle between their respective industries looking to turn a profit in the online space. Perhaps the EU would like to put a thumb on the scale in favor of its growing cloud computing industry, while the U.S. would like to preserve Silicon Valley’s current dominance.

Oranje-Nassau, speaking in place of Kroes, who was unavailable due to a medical issue, delivered Kroes’ address nonetheless and made it clear he was speaking on her behalf.

He first took pains to show the commission has “increasing recognition of the available data’s potential. It can make administrations more transparent and it can stimulate rich markets. The G8 recognized this with their Open Data Charter … and this is what the commission stands for. It’s what the Open Data package of 2011 is all about: new ways to open up public administrations and a new open EU data portal. And it’s not just the G8 and the commission but also the European Council that brings together our government leaders. Last October they realized the potential of Big Data and the need for a single market in cloud computing and Europe capitalizing on both.”

Oranje-Nassau noted the commission will announce in the spring a strategic agenda for research and data, with public-private partnerships likely to play a large role so as to “get the most bang for our research Euro.” He mentioned specifically support for secure Big Data, the training of skilled workers, modernizing copyright law and encouraging different actors in the Big Data ecosystem to work together.

“For some,” he continued, “the instinctive reaction is to be worried about these trends. They see the rise of Big Data and the cloud as a paradigm shift in privacy, with outcomes that may be intrusive, annoying or plainly wrong. And I agree we should not ignore these risks. We should understand and address them.

“We need to insure that new technologies address privacy, though, without the law being a straightjacket. ‘Fundamental rights’ doesn’t mean losing the opportunity of Big Data. Mastering Big Data means mastering privacy.”

In making it clear the commission does not want to stand in the way of economic growth, Oranje-Nassau said, “Tomorrow’s world will be digital, and Europe can either lead or follow. We can be at the table or on the menu. We must not be afraid to capture opportunities.”

However, the commission’s position is hardly to loosen privacy regulations.

While saying, “a single data protection law for Europe would be a big step forward,” he also said, “laws aren’t always enough. They need to be properly enforced.”

He said he strongly supports industry-initiated efforts in this realm, pointing toward the data protection code of conduct being developed by the cloud industry alongside the Article 29 Working Party.

“Data privacy cannot come at the expense of innovation,” he declared, but he also laid out four points where the commission would like to see movement.

“We would like to see technical solutions that can give users control over their desired level of privacy,” he said, “how their data is used, how to verify their online rights and how data is respected. How can we insure systems that are empowering and secure?”

U.S. FTC Commissioner Julie Brill and the European Commission's Constantijn van Oranje-Nassau engage in conversation following their IAPP Data Protection Congress program.

The ideas include, first, a standard commitment to Privacy by Design. “Business ideas have two purposes,” he said, “delivering a service and protecting privacy at the right level.”

Second, he said, any Big Data applications that might put fundamental rights at risk should have a privacy impact assessment required.

Third, he said that he felt “consent is a cornerstone of data protection and should stay that way,” but “users can’t be expected to know everything or consent to what they cannot realistically understand.” Nor, he said, should there be false dilemmas, where you either agree to forgo privacy or be shut out of the service.

Finally, there needs to be a commitment to de-identification. That could allow a company to process data on legitimate interest rather than consent. “That could make all the difference in the world to Big Data without endangering privacy,” Oranje-Nassau said. “However, they must show they comply with the guiding principles of data protection law. If something goes wrong, they will be accountable.”

None of this seemed to be out of line with Brill’s address.

“We find ourselves at a crossroads, contemplating the direction in which we will move. The path we choose next will have significant consequences,” she said, on the future of the U.S.-EU transatlantic relationship. “As we contemplate the course,” she said, echoing the commission’s language, “we have to decide whether we, regulators and industry, will be able to work together to both protect consumer privacy and spur innovation. At this fork in the road, I believe the answer to this question is ‘yes,’ and although there will be obstacles along the way to obtaining the twin goals, we should be mindful of the words of one of my heroes, Eleanor Roosevelt: ‘A stumbling block to the pessimist is a stepping stone to the optimist.’ I am an inveterate optimist.”

Thus, she addressed Safe Harbor straight on. Noting that Safe Harbor has come under fire often lately—including another story yesterday featuring MEPs questioning Safe Harbor—she said, “Safe Harbor may be an easy target, but I do not believe that it’s the right target.”

“Listening to Neelie’s speech, and mine,” Brill said, “you can hear how we share similar views on many important issues. That’s because the challenges we face and our yearning to address them are largely the same. Of course, the mechanisms we develop may differ.

“We both believe consent is important, but we have different approaches as to when and how that consent should be obtained,” she continued. “In light of the differences between our frameworks, I believe interoperability is critical. We have to develop and preserve mechanisms to facilitate the flow of information across borders and protect privacy.”

Brill called Safe Harbor a “very effective tool for protecting the privacy of EU consumers” and emphasized that “the FTC has vigorously enforced the Safe Harbor,” noting 10 separate enforcement actions “although we receive very few referrals from member state authorities.”

She added, “We’ve taken the initiative to look for Safe Harbor violations in every single privacy and data security investigation we conduct. That’s how we discovered the Safe Harbor violations of Facebook, Google and Myspace.”

Then, addressing what she called the “elephant in the room,” she acknowledged that Safe Harbor has “received its share of criticism in large part due to revelations about government surveillance. There’s no doubt that has created tensions in the transatlantic partnership.”

However, while she said she personally welcomes the global debate about government surveillance and the online marketplace, “it’s important that we recognize that privacy in the commercial sphere and surveillance to protect national security are two separate things.

“Indeed,” she continued, “the 1995 data protection directive and approved transfer mechanisms have national security exceptions. Simply put, none of the transfer mechanisms was designed to address national security issues.”

Which is not to say Brill thinks Safe Harbor-based data transfer is perfect. While she does not believe that it “should be suspended or renegotiated,” there are steps that could be taken to improve its usefulness.

First, she believes that there needs to be more affordable alternative dispute resolution. It should be inexpensive or free, she said: “Consumers should not have to pay fees to have their complaints heard.”

Second, transparency should be added to the program, such as all Safe Harbor firms adding a link to the Safe Harbor website and alternative dispute resolution providers. Both sides of the Atlantic, too, should engage in Safe Harbor education.

And, third, we need to “consider ways to increase the accountability of companies engaged in cross-border data transfer.”

Finally, she also declared support for baseline privacy law in the U.S., and, barring that, at least privacy law that specifically addresses data brokers. “I’m particularly concerned about the invisible collection of data across all platforms,” she said, and “the use of Big Data analytics that creates profiles that are not anonymized and are in fact targeted, where consumers have no visibility into this practice whatsoever.”

With all of that done, Brill sounded confident that common ground could be found and Safe Harbor, and data transfer in general, could continue.

“Rather than building barriers,” she said, “I, for one, am still a believer in building bridges. I call on all stakeholders in joining me in this endeavor.”

How about the European Commission?

While Oranje-Nassau didn’t as explicitly hold out an olive branch, he did downplay somewhat the impact of the NSA revelations. “Spying has been going on for some time,” he said, using Kroes’ speech. “It is perhaps one of the oldest professions in the world, and it uses whatever tools are at hand. Today, it’s the digital ones. So, we shouldn’t be naïve on this. However well-drafted and carefully negotiated (a law is), the risk of breaking the law won’t deter the average hacker or spy.”

Thus, there was good indication that the EU would focus more on cybersecurity, locking down data from prying eyes, and perhaps preserve the data-transfer agreements like Safe Harbor that encourage commerce.

“When your house is broken down,” he said, “you don’t need a lawyer, you need a lock.”

With the right locks in place, he said, “we can make the continent the world’s natural home for secure online services, and ensure that Europe can capture the rewarding benefits of the online age.”

Surely, those benefits would include transferring data to the United States.
