U.S. Ambassador to the European Union William E. Kennard spoke yesterday at Forum Europe’s 3rd Annual European Data Protection and Privacy Conference and called for a finding by the EU that the privacy protections in the United States are “adequate,” thus allowing cross-border transfers of personal data without separate legal mechanisms. Canada, Uruguay and Israel are among the countries around the world deemed adequate by the EU, with the US decidedly on the “outs” because of the perception that privacy protections there are weak. Ambassador Kennard said that the current way the EU determines adequacy does not “recognize the existence of privacy protection systems that are structured differently, but ensure an equally high level of protection and enforcement, like those in the United States.” Ambassador Kennard also made reference to a US government publication “Five Myths About Government and Law Enforcement Access to Personal Data in the European Union and the United States” The entire text of the Ambassador’s remarks follow.
I would like to thank Forum Europe for inviting me to its 3rd Annual European Data Protection and Privacy Conference. As you know, the United States has great interest in the effort underway to update and reform the EU’s data protection rules. The outcome of this process can have profound implications for consumer confidence and economic growth in the transatlantic market, as well as on international regulatory and law enforcement cooperation.
We’re here to discuss some very complicated and technical issues. With all of these technocrats and diplomats together in one room — sometimes I can’t decide which group I belong to —discussing many technical issues, it’s important that we not lose sight of our ultimate objective.
Our objective is twofold. First, we must recognize that privacy regimes in the United States and the EU are mature and effective. They are different in process and structure. But they both are designed to protect personal privacy while at the same time facilitating the free flow of data for the welfare of our citizens and the good of our economies.
Second, based on those shared values and outcomes, we must find a way to ensure that as we update our respective regimes, we do so in a way that enables them to interoperate so that commerce is enhanced and consumers are protected throughout the transatlantic marketplace.
We should approach this task with confidence borne of our experience working together. Today’s debate about online privacy echoes the one that occurred at the dawn of the Internet Age, in the late 1990s. Many of you may recall, as I do, that there was concern then about whether the nascent e-commerce industry in the U.S. would be able to do business in Europe consistent with the European Commission’s 1995 privacy directive. Both Europe and the United States recognized that transatlantic e-commerce was in our mutual interest, and so we came up with an innovative and successful framework featuring the U.S.-EU Safe Harbor program. Today, over 1,000 U.S. companies subscribe to standards acceptable to the EU and enforced by the U.S. Federal Trade Commission. We found a way to reconcile our approaches to privacy and, by doing so, we unleashed massive flows of data and commerce in the transatlantic marketplace.
Today’s privacy challenge is not fundamentally different. Advances in technology and new business models present new and different challenges. But with the Safe Harbor agreement in 2000, we showed that even though our regulatory systems will never be carbon copies of one another, they don’t need to be. Our shared values and our need to work together were the keys to an agreement then. They’re the keys to reaching positive outcomes today.
Dealing with Misconceptions
The transatlantic privacy discussion is too often sidetracked by misconceptions about the U.S. legal system—myths that obscure our fundamental commitment to privacy and the extensive legal protections we provide to data. As an example, contrary to concerns raised by some, electronic data stored in the United States—including the data of foreign nationals—receives protections from access by criminal investigators equal to or greater than the protections provided within the European Union.
The United States was founded on—and its modern-day laws, regulations and practices reflect this—a core belief in the importance of protecting citizens from government intrusion.
For law enforcement acquisition of electronic communications, the stringent U.S. statutes protecting the privacy of email and voice communications, among the highest standards in the world, apply equally to foreign nationals and U.S. citizens. The United States does not discriminate with regard to judicial redress to obtain access to personal data collected for criminal investigations and provides opportunities for any person, regardless of citizenship, to correct such data if it is believed to be inaccurate.
The Patriot Act continues to be the subject of serious misinterpretation and mischaracterization. While portions of the Act updated existing investigative tools, it did not eliminate the pre-existing, highly-protective restrictions on U.S. law enforcement access to electronic communications information in criminal investigations—restrictions that are no less stringent than those found within the EU.
The United States is hardly exceptional with respect to establishing special procedures to govern national security investigations: the laws of most, if not all, countries in Europe provide similar mechanisms to facilitate rapid access to information by government authorities under such circumstances.
Even before the “cloud” became a popular concept, data was stored remotely and U.S. laws anticipated the need to protect such data. As a result, U.S. law has carefully regulated law enforcement requests for remotely-stored data and other records since long before even the Internet or the “cloud” existed.
The U.S. approach is consistent with internationally-agreed upon rules. In 2001, the Council of Europe Cybercrime Convention, which the United States, Japan, and 34 European states have ratified, set out a legal framework for law enforcement and judicial access to computer data. Moreover, a recent comparative survey of global practices determined that law enforcement authorities in all ten of the countries studied—including Denmark, France, Germany, Spain, and the United Kingdom, as well as the United States—have comparable legal authorities to obtain data from cloud servers located within their territories.
The Privacy Blueprint
And it is not only our existing laws and practices that reflect our shared values and commitments relating to privacy and data protection. The United States, like the EU, is currently in the process of reforming parts of its data privacy framework. In February 2012, President Obama released his Privacy Blueprint, reaffirming our nation’s commitment to protecting privacy.
The privacy blueprint maps out four key pathways towards reform of the U.S. privacy protection framework:
1. A Consumer Privacy Bill of Rights, laying the foundation for consumer privacy in areas not currently covered by specific federal data privacy laws.
2. A multistakeholder process to develop sector-specific codes of conduct for privacy protection and transparency that are enforceable by the Federal Trade Commission.
3. Baseline legislation enabling strong and effective enforcement of the Bill of Rights by the FTC and State Attorneys-General.
4. A commitment to increase interoperability between the United States’ privacy framework and those of our international partners.
This last point – international interoperability – is key. Data services form an essential element of the transatlantic economy and a growth sector that European and American jobs depend on.
Differences between the EU data protection legislation and the U.S. privacy protection regime should not be allowed to hurt EU-U.S. trade and should not prevent businesses from developing their activities on both sides of the Atlantic. And this isn’t just about big multinational companies – we should be very careful not to limit the tremendous opportunities the on-line economy has to offer for small and medium-sized companies. These SMEs form the backbone of our economies and a source of jobs and income that communities in Europe and the United States rely upon.
It is important to note that the United States and the EU already enjoy considerable cooperation on this issue. The U.S. – EU Safe Harbor Framework facilitates interoperability between the current U.S. and European data privacy systems. The value of this mechanism cannot be overstated. Since 2000, Safe Harbor has allowed thousands of American companies of all sizes to do business in Europe while committing to comply with the 1995 EU Data Privacy Directive. Such commitments are actively enforced by our Federal Trade Commission, which has been critical to the success of the program. Recent settlements reached with Google, Facebook and Myspace have shown that there is a cost to non-compliance.
We, and other interested parties, want to work with the EU to ensure that the current proposed regulation and directive work as a part of the global economy. Let me mention a few areas of the proposed regulation we are focusing on:
Both the proposed regulation and the proposed directive address the transfer of personal data to third countries and international organizations, providing that an “adequacy” determination by the Commission would be the primary means of efficiently and effectively exchanging data and information. As currently drafted, the criteria to be considered by the Commission in making such an “adequacy” determination would include comparisons to a European-style system of data protection. The provisions do not recognize the existence of privacy protection systems that are structured differently, but ensure an equally high level of protection and enforcement, like those in the United States.
BCRs and Codes of Conduct
Binding Corporate Rules (BCRs) (art. 43) offer a valuable tool for holding multinational actors accountable for their global practices and achieving global interoperability. However, the draft regulation focuses entirely on how these rules can be approved by EU supervisory authorities. No procedure seems to be foreseen for BCRs to interact or merge with privacy regimes in non-EU countries, such as the system of enforceable codes of conduct envisaged in the United States. Approved codes of conduct and certification schemes could very well provide the basis for cross-border transfer of data. Unfortunately, the regulation, as it is now drafted, doesn’t explicitly mention this possibility.
Technical Standards/Delegated Acts
Government-imposed standards often fail to keep up with technological developments and therefore have a tendency to slow down innovation. We are concerned to see that the draft regulation gives broad authority to the Commission to unilaterally prescribe technical standards for data protection (delegated and implementing acts), without the full participation of industry interests.
Another concern we have is the regulation’s requirement for explicit consent in all circumstances. We are concerned that a one-size-fits-all consent requirement would frustrate individual users because of the sheer number of consent requests they would be faced with, leading eventually to users just clicking through instead of making informed choices. At the same time, explicit consent can make it difficult for companies to use personal data in innovative ways to offer better services to consumers. We believe that consent need not always be active opt-in consent and that the means for individuals to communicate their choices should match the scale, scope, and sensitivity of the personal data that organizations use or disclose.
Right to be Forgotten/Right to Erasure
The provisions of the regulation on the so-called Right to be Forgotten (article 17) have a lot in common with the principles laid down in the Consumer Privacy Bill of Rights. The problem with the way this provision is currently formulated is that it would make a data controller who has made personal data public (with the individual’s consent) responsible for taking steps to inform third parties when consent is withdrawn. The text also considers data controllers to be responsible for further third party dissemination that they have authorized. Such obligations would require data controllers to be responsible for data that is no longer under their control and potentially expose them to liability for failing to compel erasure of data. Furthermore, in the financial sector context, the “right to be forgotten” could also lead to moral hazard, where defaulting parties demand their credit histories be deleted, putting the European financial system at risk. We also have concerns about the very limited protection to the freedom of expression that the regulation offers.
Data Breach Notification
Another concern relates to the notification period for informing supervisory authorities and consumers of data breaches (article 31). The draft regulation mandates notifications to supervisory authorities “without undue delay” and, where possible, within 24 hours. In our experience, detecting breaches and assessing their scope may require more than 24 hours. Furthermore, requiring businesses to provide notice if possible within 24 hours could lead to over-notification of consumers as businesses will include and notify consumers before the scope of the breach is fully defined, leading consumers to ignore notifications or act on erroneous information.
Regulatory agencies across the world cooperate to ensure that businesses that are active at the international level comply with their national laws. Because such cooperation often entails the sharing of personal information, we are concerned that the regulation could hinder such international cooperation considerably – perhaps even invalidating existing bilateral cooperation agreements and arrangements.
The Federal Trade Commission, for example, is entrusted with the enforcement of anti-trust law (along with the Department of Justice), consumer protection rules and privacy protections. Its enforcement actions often depend on obtaining from abroad personal information about the target or the victim of the case. So there is a need to confirm in the regulation that companies and regulators in the EU may continue to the possibility to share data with enforcement agencies elsewhere to make sure businesses acting globally can be held accountable for their activities.
Another example concerns the functions carried out by banking and securities regulators, whose enforcement investigations can lead to criminal investigations and prosecutions, and whose supervisory actions may actually prevent risky or illegal behavior. The records firms are required to keep under U.S. law, which may include information from EU-based companies active on the U.S. market, often offer crucial evidence for many kinds of civil and criminal cases.
We want to enable regulatory agencies to continue their high level of supervisory and enforcement cooperation. The regulation could do this by expressly recognizing that the “public interest” basis for information-sharing extends beyond EU law when regulatory or enforcement cooperation agreements are in place.
To close, a few remarks about the proposed data protection directive. We are concerned that some aspects of the draft directive could have a considerable negative effect on the ability of the EU member states, the United States and other countries around the world to effectively share law enforcement information in the future, crippling international criminal investigations and making our citizens less safe. That is certainly not the intent of anyone, but the directive may have a number of unintended consequences:
Article 60 of the directive would require member states to renegotiate within five years all international agreements on the sharing of law enforcement data to the extent that they are not in compliance with the directive. This would call into question hundreds of established, well-functioning bilateral and multilateral law enforcement-related agreements between EU member states and third countries, including the United States. We believe that transfers to third countries under pre-existing agreements should be unaffected by the directive.
We are also concerned about the directive’s reliance on an “adequacy” finding as the primary mechanism for the transfer of personal data to third countries. We are concerned that these constraints would significantly slow, or even prevent, the robust and effective international law enforcement cooperation that currently exists.
In summary, the United States and the EU share the same goals – to protect privacy and facilitate trade and economic growth. The United States wants to work with the EU and other nations to achieve global interoperability of data protection. Creating poorly-connected regulatory environments for data exchange will slow down transatlantic and global trade, instead of providing the right conditions for businesses to innovate and thrive in a global marketplace and to generate the jobs and growth we so much need these days.
Europe, the United States and other democracies around the world share many of the same values. We need to accept that each of these democracies has the right to choose whatever legal framework is suited best for them to defend and protect those values. As long as we trust each other’s commitments and ability to uphold those rights, we should be able to move towards a global data protection system, based on our different, but equally robust, privacy frameworks.