By Joyce E. Cutler, Privacy & Security Law Report
Reproduced with permission from Privacy & Security Law Report, 12 PVLR 508 (March 25, 2013). Copyright 2013 by The Bureau of National Affairs Inc. (800-372-1033) <http://www.bna.com>
PALO ALTO, Calif.--International free trade agreements now being negotiated offer the opportunity to harmonize privacy regimes and avoid a potential privacy collision between the United States and the European Union, panelists said March 21.
The European Commission's proposed data protection regulation (11 PVLR 178, 1/30/12) conflicts with U.S. privacy schemes and strong First Amendment practices, Christopher Wolf, a partner with Hogan Lovells in Washington, and co-founder of the Future of Privacy Forum, told a University of California Berkeley Center for Law & Technology privacy law forum.
In that context, President Obama's state of the union address announcement of the negotiation of a free trade agreement with the European Union--along the lines of the North American Free Trade Agreement between the United States, Canada, and Mexico--is significant, he said.
A U.S.-EU agreement has the potential to improve the economies on both sides of the Atlantic and promote trade in an unprecedented way, Wolf added.
The discussion comes as Japan recently announced it was joining the 11-nation Trans-Pacific Partnership negotiations, Wolf noted.
“[Y]ou can't have a discussion about trade today without having a discussion about digital free trade” and regulatory impediments, he said.
“The coming free trade negotiations provide an opportunity around the world to talk about our common commitment to privacy and a way to promote inter-operability and the free flow of data while respecting the variations in different regions,” Wolf said.
“[T]he trade issue is the new lens through which we can promote privacy,” Wolf said. “Privacy is an essential element of trade and has to be built in.”
Wolf and Hogan Lovells March 18 announced the formation of a new free trade coalition designed to promote privacy issues during the ongoing trade negotiations (see related report).
The bad news about the EC's proposed data protection regulation is that it would give the Commission a lot of power it did not have before, Karl-Nikolaus Peifer, director of the Institute for Media Law and Communications Law at the University of Cologne Law School, said.
The good news may be that there will be “one address you can speak to, and that will be the Commission,” Peifer said. U.S. companies would no longer have to deal with individual member states and other data protection authorities, such as the state level DPAs in Germany, he said.
Or as Michael Hintze, Microsoft Corp. chief privacy counsel and assistant general counsel, put it: “A lot in the regulation is problematic [but] it's much easier to deal with something that sucks in one way rather than sucks in 27 different ways,” as would be the case with a single EU-wide regulation versus 27 individual member state laws interpreting the current Data Protection Directive (95/46/EC).
The problematic issues include the concept of the right to be forgotten, under which companies would be required to remove an individual's personal data from the internet upon demand, Hintze said. This is an impractical attempt to push a genie back in the bottle after information has been released, he said.
A further problem is the “doubling down on explicit consent in the regulation,” Hintze said.
“In an era where data is collected through so many different ways, through sensors on toll roads, through all these online services, through every transaction you make is recorded in some way, the idea [that] there's going to be an explicit consent experience for every piece of data, for every data use is absurd. You'd never get past the pop-ups to do what you want to do,” he said.
“Despite what [the proposed regulation] says, I think at the end of the day we're all going to find a way to live with it,” Hintze concluded.
The European Union emphasizes limits on data collection, data quality principles, and notice, access, and correction rights for individuals, UC Berkeley Law Professor Paul Schwartz said.
The European Union also has fair information practices, such as the principle that personal information can be processed only if there is a legal basis for doing so, he said. Similar principles are hard to find in the United States, “unless you kind of torture the comparison,” he said.
In the U.S. First Amendment tradition, “you can process information to your heart's content, unless there's actually a statute that prevents it or provides some obligation when you do it,” Schwartz said.
One of the multitudes of silver linings is that the EC proposed regulation calls for collaboration and data protection among a broad variety of actors, “so it sounds like harmonization networks and it sounds like it's open to that,” Schwartz said.
“To avert the privacy collision ahead, we need to think about accountability through transparency,” he said.
By Joyce E. CutlerCopyright 2013, The Bureau of National Affairs, Inc. 3/25/2013