At the 35th annual Conference of Data Protection Authorities and Privacy Commissioners in Warsaw, Poland today, Hogan Lovells partner and privacy practice lead Christopher Wolf spoke on the issue of privacy and trade in light of the ongoing Transatlantic Trade and Investment Partnership negotiations between the EU and the U.S. (Hogan Lovells is leading the Coalition for Privacy and Free Trade.) Also participating in the privacy conference were partners Winston Maxwell from the firm’s Paris office and Stefan Schuppert from Munich.
Here is the text of Wolf’s prepared remarks on the topic of privacy and trade, where he emphasized the opportunity both to promote cross-border data flows important to international trade and to protect the privacy of personal data in ways that make differing privacy frameworks interoperable:
Thank you for the opportunity to discuss privacy and trade with you here in Warsaw. Last year, I had the privilege of speaking at the opening plenary session of the 34th Annual Conference of DPAs and Privacy Commissioners in Uruguay. There, I urged that interoperable privacy frameworks are the key to development of global privacy protection in the growing information society. I agreed with then-General Counsel of the U.S .Commerce Department, Cameron Kerry, who said that “the global marketplace will require mutual recognition and innovative solutions that permit businesses to streamline their operations across countries with differing legal regimes.”
One year later, the need for interoperability and mutual recognition remains an urgent priority if we truly are to have global privacy. Today, I want to urge that the Transatlantic Trade and Investment Partnership, for which negotiations recently have begun, offers the chance for the EU and U.S. to work together to reduce barriers to the free flow of information and establish privacy protections for trans-Atlantic data flows, benefiting individuals on both sides of the Atlantic.
And to be honest, one year later, we see new obstacles to the realization of interoperability. In the wake of revelations about U.S. government surveillance programs, some have called for the dismantling of cross-border transfer arrangements, such as the EU-U.S. Safe Harbor. And some have gone so far as to suggest that data should be balkanized.
As the global information society continues to develop, we must address concerns about national security access to personal data in light of the unique challenges and opportunities presented by the Internet and ubiquitous global communications. The United States is engaged in a robust domestic debate regarding intelligence agencies’ surveillance practices. But we need more than domestic solutions. We must develop global approaches that increase transparency and respect fundamental human rights while acknowledging the legitimacy of some surveillance practices. We need frameworks that respect privacy while facilitating the transborder flows of data that contribute to economic and social development.
The Organization for Economic Co-operation and Development’s recently revised its Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data. The OECD recognizes that “countries have a common interest in promoting and protecting the fundamental values of privacy, individual liberties, and the global free flow of information” and also recommends that countries “refrain from restricting transborder flows of personal data” where the recipient country substantially observes the OECD Guidelines or controllers have put in place effective safeguards to ensure protections consistent with the guidelines. The OECD also recommends that transborder restrictions be proportionate to the risks presented and the context and purpose of the processing.
Part 6 of the Guidelines is devoted to international cooperation and interoperability. The OECD calls on member countries to “take appropriate measures to facilitate cross-border privacy law enforcement co-operation,” and to enhance “information sharing among privacy enforcement authorities.” Countries are encouraged to “support the development of international arrangements that promote interoperability among privacy frameworks that give practical effect to these Guidelines” and to “encourage the development of internationally comparable metrics to inform the policy making process related to privacy and transborder flows of personal data.” In recent years, we have seen considerable progress in the development of interoperability mechanisms, from Binding Corporate Rules, to the APEC Privacy Framework, to recent efforts led by the CNIL to build bridges between the APEC and EU frameworks. These initiatives have taught us a lot about how to strengthen interoperability, and we should continue to develop frameworks that establish privacy protections in globally scalable and practically enforceable ways.
A central principle of the Guidelines is that of accountability. Data controllers should be accountable for their compliance with measures that give effect to the Guidelines’ principles. This requires that controllers have effective privacy management programs, and controllers should be prepared to demonstrate the adequacy of those programs. Accountability also requires, according to the OECD, that controllers notify privacy enforcement authorities when there has been a significant security breach. Data subjects should be notified when a breach is likely to adversely affect them. Last, and important to the subject of cross-border transfers, the OECD states that controllers should be accountable for personal data no matter where it is located.
Current trade talks provide countries with opportunities to establish interoperable frameworks with global accountability mechanisms that promote the free flow of information and respect privacy. If we remove interoperability from these talks or place undue restrictions on cross-border transfers, we risk losing the social and economic benefits that can be derived from the free flow of information.
Of course there are those who will be quick to say that while they are happy to encourage free flows of information among countries that give effect to the principles contained in the OECD’s guidelines, they do not believe that the United States lives up to those standards. I disagree.
There are important differences between the U.S. privacy framework and EU-style privacy frameworks. But these differences are largely in the application of privacy principles and not in the underlying principles themselves. Both frameworks evolved from the same Fair Information Practice Principles—or FIPPs—reflected in the 1980 OECD Data Protection Guidelines.
While the U.S. may not have an omnibus privacy law similar to the EU, the U.S. privacy framework is robust, especially with respect to law enforcement and a growing privacy profession.
Certain sectors, such as health, finance, children’s privacy, consumer credit, and genomic information, are fully regulated under United States federal law. Federal laws and regulations provide substantial privacy protections for these sectors. Where there are gaps in federal law, the FTC, state regulators, and industry standards have filled them in to a very large extent.
The FTC regularly carries out privacy and security enforcement actions, which often result in settlements that establish privacy and security expectations. Individual states pioneered data breach notification laws, with almost every U.S. state having breach notification laws that reflect OECD Guidelines. Many states are also taking an active role in other areas of privacy law, including children’s privacy, guidelines for mobile application developers, and health privacy. And most major companies in the United States increasingly are aware of the importance of privacy and act to protect it. This is evidenced by the rapid growth in the number of privacy professional positions at the top layer of U.S. and global companies.
No framework is perfect. That is true of the frameworks in the US as well as those in the EU. But it is not accurate to say the US privacy framework is inferior because it is different.
Likewise, it is inaccurate and unfair to say that government access to data dooms the U.S. framework to isolation. I urge the policymakers here in Warsaw to take care to ensure that concerns about U.S. government access do not needlessly compromise global trade, especially when those concerns blind us to government access issues in other countries. When adjusted for population and the number of Internet users in each respective country, the United States issues requests for information from service providers at a rate comparable to, and sometimes lower than, that of other countries, including many EU member states. The United States offers at least as much, if not more, due process and oversight on foreign intelligence than other countries afford.
And the U.S. surveillance revelations have prompted the government to address the privacy issues. Recently released FISA Court opinions show that the court is not the “rubber stamp” people once feared. The Obama Administration has established an independent surveillance review panel and announced proposals to reform the NSA surveillance programs, including the addition of a privacy advocate to proceedings before the FISA Court.
I am not here to divert attention from the government access issues, but I am here to promote ongoing discussions about the thing that privacy and trade officials directly can impact.
Now is the time for privacy officials and stakeholders from around the world to collaborate in the development of frameworks that will address current privacy issues and those that are still on the horizon. Those frameworks should establish high privacy standards reflecting globally accepted privacy principles. Entities should be held accountable for complying with those principles. To that end, the frameworks should establish cross-border enforcement cooperation and interoperability mechanisms that will allow the international community to protect privacy while continuing to enjoy the economic and social benefits that come from the free flow of information.
The current trade discussions offer the promise of realizing these goals. I hope that at the 36th Annual Conference of Data Protection Authorities and Privacy Commissioners, we can celebrate progress in discussions about interoperability, and that the issues around government access are put in their proper perspective.
Thank you again for inviting me to be with you here in Warsaw.