The New York Times reported on May 13 that U.S. companies showed up in force at the International Data Protection Day conference that day in Berlin. The Times article also mentioned the presence of Hogan Lovells at the conference. In addition to the heightened interest in data protection evidenced by U.S. business that is described in the NY Times, the Berlin conference showcased the continued sparring between the EU and the U.S. on the adequacy of U.S. privacy laws and also provided a comprehensive update on data protection developments worldwide. The topics for the day began with the proposed EU data protection regulation and ended with U.S. privacy and security enforcement, with numerous developments in other countries sandwiched in between.
In the Times article, the reporter focused on the determined opposition of U.S. technology companies to the proposed EU data protection regulation, which contains unworkable requirements like the “Right to be Forgotten” and staggering penalties of up to 2% of a company’s worldwide “turnover” (i.e., global revenue). The article notes that the parliamentary vote on the regulation has been delayed by a large number of proposed amendments.
Indeed, a view circulating sotte voce at the conference was that the arguments of those technology companies may be having their intended result. The threat of choking off future investment in the EU, coupled with the current economic downturn, may have created at least momentary hesitance among those whose support is necessary for the EU regulation to be adopted.
However, it was David Vladeck and U.S. enforcement that may have created the biggest stir the first day of the conference. Giving a spirited defense of U.S. privacy and security laws, which the EU tends to discount and still finds “inadequate”, Vladeck, former Director of the FTC’s Bureau of Consumer Protection, enumerated an impressive list of aggressive privacy and security enforcement actions undertaken by the FTC. The EU may have more stringent requirements, but it is known also for a noticeable lack of enforcement.
Drama aside, the bulk of the first day of the conference was devoted almost entirely to data protection laws in countries other than the EU or the U.S., a subject that may not be as provocative as the new regulation or the EU-U.S. name-calling, but in the end may be more noteworthy. Speakers described numerous developments in Asia, Latin America and the Middle East, virtually all of which adopt an EU-like approach to data protection regulation, though each with its own twist.
The take-home from the first day of the conference was that data protection laws are here to stay and global businesses may ignore them at their peril. In the end, the laws of countries other than the EU and U.S. may pose the greatest challenges to businesses. More than 90 countries were reported to have adopted data protections laws and the number continues to increase. Companies are faced with somehow harmonizing these laws into coherent and workable data protection compliance programs. To make matters worse, these international laws in many cases appear to combine the most demanding aspects of both the EU and U.S. approaches–stringent requirements and vigorous enforcement.