2013 02 03 NYT Consumer Data Protection Laws, an Ocean Apart – NYTimes.com
Data Protection Laws, an Ocean Apart
OVER the years, the United States and Europe have taken different approaches toward protecting people’s personal information. Now the two sides are struggling to bridge that divide.
On this side of the Atlantic, Congress has enacted a patchwork quilt of privacy laws that separately limit the use of Americans’ medical records, credit reports, video rental records and so on. On the other side, the European Union has instituted more of a blanket regulatory system; it has a common directive that gives its citizens certain fundamental rights — like the right to obtain copies of records held about them by companies and institutions — that Americans now lack.
Even so, United States officials maintain that the divergent approaches are equal. “The sum of the parts of U.S. privacy protection is equal to or greater than the single whole of Europe,” says Cameron F. Kerry, general counsel of the Commerce Department. He is overseeing an agency effort to help develop voluntary, enforceable codes of conduct for industry groups, like app developers, whose collection and use of consumer data are now unregulated.
Europe begs to differ.
“Yes, we share the basic idea of privacy,” says Peter Hustinx, Europe’s data protection supervisor. “But there is a huge deficit on the U.S. side.”
Alas, the data-control divide appears to be widening.
A year ago, the European Commission proposed comprehensive reforms to strengthen online privacy rights — changes that could have big repercussions for American technology companies and marketers that operate in the European Union. American officials, trade groups and tech executives have responded by taking frequent treks to Brussels and other cities, where they have urged regulators and legislators to reconsider the one-regulation-fits-all-data approach. What’s at stake, American industry representatives say, is nothing less than a free and commerce-friendly Internet.
“The ecosystem of the Internet is very delicate,” says Kevin Richards, senior vice president of federal government affairs at TechAmerica, a trade group that represents companies like Google and Microsoft. “It’s not wise to have an overly broad, prescriptive, one-size-fits-all approach that would hinder or undermine the ability of companies to innovate in a global economy.”
European Union members already have data protection laws in place, based on a directive from 1995 that laid out principles for the collection of personal information. The proposed new rules would strengthen some existing provisions. They would standardize data protections across the 27 member states. They would also provide some new rights, such as “data portability” — the right of consumers to easily transfer their text files, photographs and videos from one social network, or e-mail or cloud storage service, to another. And they would subject companies that violate the rules to penalties of up to 2 percent of their annual global revenue.
Asked for comment, Viviane Reding, the vice president of the European Commission and the architect of the proposed regulation, said in a statement: “The main problem is that our rules predate the digital age and it became increasingly clear in recent years that they needed an update.” She continued: “That is why I have proposed a root-and-branch reform of the E.U.’s data protection rules — currently under discussion in the European Parliament and the Council of the E.U. — that will both protect citizens’ rights and facilitate business in the digital age.”
BUT some provisions seem too rigid to United States officials and trade groups. They argue that the American approach — sector-specific privacy laws, in addition to industry self-regulation and enforcement by the Federal Trade Commission — is more nimble.
“We hope that Europe will move in the direction of those multistakeholder standards, and not standards which are not flexible and don’t move at Internet speed,” says Mr. Kerry, who has taken at least four trips to European cities in the last year to discuss these issues.
From the perspective of some European legislators, however, United States representatives seem more interested in protecting commerce than consumers. The full-court American effort may have backfired, they say, pushing some European officials toward even broader measures. Last month, Jan Philipp Albrecht, a representative of the European Parliament who reviewed the draft regulation, proposed additional rights for citizens — like the right not to be subject to consumer profiling.
“My impression is that the U.S. Chamber of Commerce and the Commerce Department are mostly just following the interests of Silicon Valley,” he says. “This leads to heavy pressure on the European regulator, I can say.”
But Mr. Kerry says the United States must make its views known if the systems are to work in concert.
“I know that some people have raised eyebrows at our involvement; I make no apologies,” Mr. Kerry says. “We in the United States and countries and businesses around the world are stakeholders in this process. This has an important impact on the global economy.”
The solution to this trans-Atlantic clash may simply be American ingenuity.
Last year, President Barack Obama proposed a “Consumer Privacy Bill of Rights” that would give Americans many of the same baseline protections that the draft European rule proposes to reinforce. These include the right of access to records that companies hold about them, the right to correct those records and the right to have limits on the personal data that companies collect and keep. Administration officials said they would work with Congress on legislation based on those rights and to extend oversight to industries not currently covered by federal privacy laws.
A coalition of more than a dozen American advocacy groups said it would send a letter on Monday to senior Obama administration officials, seeking a meeting to ensure that American policy makers’ efforts in Europe “are not averse to the views expressed by the president.” The coalition includes the Electronic Privacy Information Center and the Center for Digital Democracy.
“Does the Obama administration really want to be on the opposite side of the European effort to upgrade and modernize its privacy law which is at its core about the protection of a fundamental freedom?” asks Marc Rotenberg, executive director of the Electronic Privacy Information Center.
European officials hold out hope that Congress will enact baseline consumer privacy protections for Americans.
“This development — which is much welcomed in Europe — shows that we have much in common,” Ms. Reding of the European Commission said in her statement, speaking of the privacy bill of rights. “Convergence is springing up and synergies are possible.”