Hogan Lovells Privacy Leader Christopher Wolf, founder and co-chair of the Future of Privacy Forum (FPF), a Washington, DC-based think tank dedicated to advancing personal privacy, convened a “Who’s Who” of governmental privacy officials at an FPF session in Brussels on 23 January to discuss the proposed EU General Data Protection Regulation. Chris led the session with FPF Senior Fellow Omer Tene.
The focus of the session was a series of White Papers co-authored by Messrs. Tene and Wolf on the issues of consent, jurisdiction and de-identification (available here).
Participants included MEP Jan Philipp Albrecht, a member of the European Parliament and Rapporteur on the proposed General Data Protection Regulation, whose recent Report has created substantial controversy. In response to the first question put to him about technical aspects of his Report concerning the lead regulator/one-stop shop concept, Mr. Albrecht challenged criticisms of and questions about the proposed Regulation and his Report at the program as not first acknowledging the “fundamental nature of privacy rights in the European Union.”
Later, despite the call in his Report for sunset of the EU-US Safe Harbor after two years, in an exchange with panel participant FTC Commissioner Julie Brill, Albrecht conceded that enforcement by the Federal Trade Commission under the Safe Harbor appears to be working “better and better.” Paul Nemitz, Director of Fundamental Rights and Citizenship at the European Commission, reminded the audience that adequacy determinations, including of the EU-US Safe Harbor, can be reviewed at any time. In response to a question from Chris Wolf on the potential for the US to be recognized as “adequate” by the European Commission (thus allowing the free flow of data across borders to the US), Mr. Albrecht invoked the USA Patriot Act and the issue of governmental access to data as an element that would have to be considered. (On the issue of governmental access to data, see this White Paper prepared earlier this year by Hogan Lovells.)
Also participating in the discussion was Bojana Bellamy, Director of Data Privacy at Accenture, who asked the EU officials whether the policymakers’ focus on Google and Facebook resulted in a proposed Regulation that was potentially too burdensome for the majority of businesses not in the online sector. Ms. Bellamy was joined by Gabriela Krader, Corporate Data Protection Officer, Deutsche Post DHL, as the other business representative at the program. Seamus Carroll, Chair of the Working Group on the Information Exchange and Data Protection (DAPIX) in the Council of the European Union, mentioned the Privacy by Design, codes of conduct and privacy seals concepts in the draft as vehicles for providing flexibility to companies. Peter Hustinx, European Data Protection Supervisor, endorsed the Codes of Conduct concept, a topic discussed by Chris Wolf at a European Privacy Association luncheon in the EU Parliament earlier in the day focused on profiling and hosted by MEP and Industry Committee Rapporteur on the proposed Regulation, Sean Kelly, who also attended the Future of Privacy program.
Jacob Kohnstamm, Chairman of the Article 29 Data Protection Working Party and the Dutch Data Protection Authority, addressed the issue of expanded jurisdiction under the proposed Regulation and justified the approach as necessary to protect EU citizens. When questioned about the extension of jurisdiction to companies that “monitor” EU citizens and what “monitoring” means for purposes of jurisdiction, Paul Nemitz said it was obvious and that the dictionary definition of monitoring would answer the question. Commissioner Brill acknowledged that extraterritorial jurisdiction of national or regional laws was common where there are impacts on a nation’s citizens, without challenging the proposed scope of the Regulation’s jurisdiction proposal. She said that the US believes it has extraterritorial jurisdiction – as in the SAFEWEB Act – but it grounds that jurisdiction on a principle that is understandable, like minimum contacts. Ms. Brill mentioned expanded use of mutual enforcement agreements.
Mr. Peter Schaar, Federal Commissioner for Data Protection and Freedom of Information, Germany, said that the goal of the Regulation is not to stop companies like Google and Facebook that provide free services in exchange for data use, but urged that greater use of pseudonymization and de-identification, as well as opt outs, were necessary additions to the provision of such services.
Wojciech Rafał Wiewiórowski, Inspector General for the Protection of Personal Data, Poland, defended the concept of explicit consent to the collection of data in the proposed Regulation and likened it to US state bar rules requiring lawyers to obtain the explicit consent of clients for the use of cloud computing to store data. Chris Wolf reminded Mr. Wiewiórowski that the attorney-client privilege by definition makes attorney-client communications “sensitive information” for which consent is normal, but that the explicit consent requirement in the Regulation would apply to all personal data.
Several of the EU officials went to lengths to explain that the draft Regulation was just that, a draft, and subject to changes this year.
At the conclusion of the program, Chris Wolf thanked the senior privacy officials in attendance for their willingness to receive the FPF viewpoints and for their active discussion.
On Friday, 25 January, Chris will be a panelist at the Computers, Privacy and Data Protection program in Brussels on Key Challenges in the Proposed EU Data Protection Regulation, moderated by the Head of the Data Protection Unit in DG Justice at the European Commission, Marie-Hélène Boulanger.