Groups at Odds Over Possible Privacy Provisions in U.S.–EU Trade Agreement

By Katie W. Johnson, Bloomberg BNA

Reproduced with permission from Privacy & Security Law Report, 12 PVLR 909 (May 27, 2013). Copyright 2013 by The Bureau of National Affairs, Inc. (800-372-1033)  http://www.bna.com

Industry and consumer protection groups are divided over whether a potential United States–European Union trade agreement should address data protection.

The difference of opinion is detailed in comments submitted to the Office of the U.S. Trade Representative (USTR) in response to an April 1 solicitation for public comments on a possible ‘‘Transatlantic Trade and Investment Partnership’’ (TTIP).

The USTR requested input on ‘‘relevant electronic commerce and cross-border data flow issues that should be addressed in the negotiations.’’

The request followed up on Acting U.S. Trade Representative Demetrios Marantis’s notification to Congress in a March letter that President Obama intends to enter into negotiations with the European Union because ‘‘[a]n ambitious, comprehensive, and high-standard TTIP can generate new business and employment by significantly expanding trade and investment opportunities in the United States and the EU.’’

Although consumer groups urged the USTR not to address privacy and data protection issues in the U.S.–EU agreement, industry representatives said the agreement would provide a good opportunity to develop international consensus on standards.

Comments were due May 10. According to the regulatory docket, the office had received 378 comments as of May 23.

The office plans to hold a May 29–30 hearing on the TTIP proposal.

Will Context Change Negotiations? It is ‘‘interesting that privacy is going to be looked at under the rubric of e-commerce,’’ Paul Schwartz, University of California Berkeley School of Law professor and co-director of the Berkeley Center for Law & Technology, told BNA. He noted that data protection is not a separate category on which the USTR requested comments.

The discussion about privacy will likely ‘‘become[ ] part of a larger e-commerce discussion’’ and thus will be a ‘‘much bigger discussion with different regulators,’’ he explained.

Privacy ‘‘is by no means a new issue for trade agreements,’’ Alan Charles Raul, partner at Sidley Austin LLP in Washington, told BNA. Both the United States and the European Union addressed data flow issues in their respective trade agreements with South Korea, he said.

‘‘There is no question that data protection has an impact on free trade,’’ Martin Abrams, president of the Centre for Information Policy Leadership at Hunton & Williams LLP, in Washington, told BNA. ‘‘The question is whether it is an appropriate impact, whether it is acceptable to in some ways limit trade.’’

Schwartz also questioned the impact of the TTIP on the European Commission’s proposed data protection regulation (11 PVLR 178, 1/30/12) given that the regulation would be binding law in the European Union.

Undermining EU Regulation Democratic Process? ‘‘We don’t think that privacy or data flows should be included in the negotiations,’’ Susan Grant, director of consumer protection at the Consumer Federation of America (CFA), told BNA. ‘‘There is an important democratic process going on in Europe right now to enact a privacy regulation and we fear that it could be undermined by the trade negotiations, which are not a democratic process.’’

‘‘There is no question that data protection has an impact on free trade. The question is whether it is an appropriate impact, whether it is acceptable to in some ways limit trade.’’

Addressing privacy during the trade negotiations is ‘‘premature’’ given the lack of a U.S. privacy framework comparable to EU law, Grant said, adding that CFA is hoping for legislation to implement President Obama’s proposed Consumer Privacy Bill of Rights (11 PVLR 355, 2/27/12).

‘‘The lack of an adequate privacy protection regime in the US is a problem for cross-border trade, but the solution is to enact sufficiently strong privacy protections here, not to attempt to negotiate a deal that would oblige the EU to accept the patchwork of weak sectoral laws and self-regulatory programs in the US as an adequate basis for transatlantic data flows,’’ CFA said in its comments on the TTIP.

The Center for Democracy & Technology (CDT) encouraged the negotiators to ‘‘take a cautious and limited approach to data protection and privacy’’ given that there is a ‘‘very active democratic debate on both sides of the Atlantic’’ in this area. The agreement should ‘‘avoid both the reality and the appearance of attempting to preempt or bypass the regular democratic process on these issues,’’ CDT said in its comments.

The Center for Digital Democracy (CDD) took a similar position, saying in its comments that it is ‘‘ extremely critical’’ for U.S. and EU lawmakers to address their frameworks first. ‘‘USTR should not try to advance the interests of [the U.S.] digital marketing industry in a manner that will ultimately challenge and undermine the European Union’s data-protection framework.’’

The Electronic Privacy Information Center (EPIC) echoed those concerns in its comments, adding that ‘‘trade agreements are not the appropriate mechanism for determining international privacy standards, and thus the TTIP should exclude privacy and data protection entirely.’’

EPIC pointed to an April Bertelsmann Foundation and Atlantic Council survey report based on responses of some 120 business, academic, government, legislative, and media professionals that concluded data protection/privacy will be one of the most important and most difficult issues to address in the negotiations, and thus ‘‘has the potential to derail negotiations if not handled effectively.’’

CFA, CDD, EPIC, and other groups encouraged the USTR to ensure transparent negotiations and provide opportunities for public involvement. ‘‘For us, the process is equally as important as the subject matter to be discussed,’’ Grant of CFA said. ‘‘[W]e want the process to be transparent and open and we want a mechanism for consumer representatives to actually engage in a meaningful way.’’

‘‘The fundamental point is that neither the EU nor the US should discriminate against the other side’s business—digital or otherwise.’’

Avoiding Cross-Border Data Flow Barriers. Any U.S.-EU trade agreement should address privacy and data protection issues because those issues ‘‘are intrinsic to digital trade across the Atlantic,’’ Raul told BNA. Resolving ‘‘conflicts of laws and regulatory impediments’’ is important given digital trade’s importance in the world economy, he emphasized. For example, ‘‘many US companies and online offerings get targeted for EU enforcement actions and extra administrative burdens to do business for the EU,’’ he said. ‘‘This harms US trade interests and also holds back innovation in the EU to the detriment of EU consumers,’’ Raul emphasized.

‘‘The fundamental point is that neither the EU nor the US should discriminate against the other side’s business—digital or otherwise,’’ he said.

TTIP negotiators should ‘‘ensure that privacy rules do not act as an unnecessary barrier to cross-border flows of information,’’ the Software & Information Industry Association (SIIA) agreed in its comments. The agreement ‘‘should reaffirm the obligation to provide companies with a usable means to demonstrate compliance with local privacy rules so that  information can flow across borders,’’ SIIA said.

‘‘While privacy and data protection legal frameworks strive to protect the privacy of individuals and secure their data, the ability for industry to innovate and develop new products and services should not be impeded,’’ the Information Technology Industry Council (ITI) said in its comments. ITI said the agreement should contemplate accountability mechanisms that are already in place, such as binding corporate rules (BCRs) and codes of conduct.

The U.S.-EU Safe Harbor Program is another important mechanism to allow data to cross borders, BSA | The Software Alliance said in its comments.

‘‘We recognize that there are legitimate areas where exceptions to such enforceable obligations should be permitted, including . . . privacy,’’ BSA said, cautioning, however, that exceptions should not hinder crossborder data flows.

Opportunity to Make Frameworks Interoperable. ‘‘The TTIP presents a ‘once-in-a-generation’ opportunity to progress the interoperability of data privacy frameworks in a way that endures,’’ the Coalition for Privacy & Free Trade said in its comments, adding that data privacy should be ‘‘a top priority’’ during the negotiations. The Hogan Lovells LLP-affiliated organization is a new coalition of companies advised by legal experts and former U.S. officials and formed to address free trade barriers set in place by differing data protection and privacy regimes around the world (12 PVLR 507, 3/25/13).

The group said the agreement presents ‘‘an opportunity to lead the development of a contemporary, reasonable, and sustainable policy framework for cross-border personal data flows—one that will have influence around the world—while at the same time promoting digital trade.’’ The coalition added that ‘‘the TTIP process should recognize, respect, and seek to reconcile fundamental differences between the US and EU privacy frameworks . . . .’’

A separate, informal coalition of internet and technology companies—the ‘‘Digital Trade Coalition’’—said the timing of the TTIP negotiations is ‘‘opportune’’ given the proposed EU data protection regulation and U.S. privacy developments like the White House’s consumer privacy white paper and the Federal Trade Commission’s 2012 consumer privacy report (11 PVLR 590, 4/2/12).

‘‘[B]y seeking to reconcile privacy and data protection standards—and by promoting digital interoperability—TTIP can meaningfully reduce nontariff barriers to US companies . . . ,’’ Raul said in comments submitted on behalf of the coalition.

‘‘TTIP can help ensure that future privacy rules are smarter than they are today: simpler, better coordinated, more cost-effective and efficient, and less burdensome and discriminatory,’’ Raul said in the comments. ‘‘This will lead to more digital trade and ecommerce without sacrificing consumer protection.’’

The Digital Trade Coalition encouraged the USTR to seek: (1) confirmation in the TTIP of the European Union’s proposed ‘‘one-stop-shop,’’ or ‘‘the concept of a ‘lead’ data protection regulator for US companies doing business in the EU’’; (2) EU judgment that the United States provides ‘‘adequate’’ privacy protection; and (3) the establishment of a ‘‘US-EU Privacy and Data Protection Working Group,’’ which would aim ‘‘to identify and reconcile key differences in order to promote interoperability.’’

Abrams, however, told BNA that ‘‘[a] focus on adequacy in the free trade context is misplaced. Society-to-society discussion has already addressed U.S. adequacy through BCRs and the Safe Harbor Program.’’ ‘‘The TTIP must acknowledge that there can be multiple approaches that achieve a compatible regulatory outcome, particularly in areas such as data protection and privacy,’’ the U.S. Chamber of Commerce said in its comments.

‘‘The difficult points of contention involve cultural differences in the treatment of access to information,’’ Abrams said. ‘‘In the United States we have a strong First Amendment and a tradition of allowing access to information,’’ but, he said, ‘‘[t]hat sense of open information just doesn’t translate in the European Union in the same way.’’

‘‘This cultural gap is nothing new,’’ Abrams said. The fundamental differences between the European Union and the United States demonstrated by the First Amendment were a problem when the Organisation for Economic Co-operation and Development adopted the Guidelines on the Protection of Privacy and Transborder Flows of Personal Data in 1980, and they were cited as a problem at the 2010 30th anniversary celebration of the guidelines, he said.

Is There a Way to Meet in the Middle? If the TTIP ends up addressing privacy and data protection, industry and consumer groups seemed to agree that the trade agreement should only broadly address those topics.

The TTIP should not include ‘‘substantive domestic privacy rules,’’ the SIIA cautioned.

‘‘If privacy or data flows are included, we would want the scope of that to be very narrow,’’ Grant of CFA told BNA. ‘‘We are not prepared yet to say what we think the scope might be—we don’t want them in there at all—but if they are, we will make constructive suggestions.’’

CDT emphasized that the TTIP should not include provisions that would diminish an individual’s privacy rights and should not allow companies to avoid compliance with data protection laws. ‘‘For these reasons, TTIP should steer clear of commitments concerning the substance of data protection regimes,’’ CDT said. ‘‘The TTIP trade negotiation process is not a suitable forum for harmonizing or otherwise making decisions about substantive rights, rules, and protections in the area of privacy.’’

Negotiators should, however, discuss a process for encouraging cross-border data flows while minimizing the impact on substantive data protection policy choices in the United States and the European Union, CDT added, such as assuring U.S. companies that the European Union will deem their personal data practices adequate.

‘‘To the extent that TTIP provisions impact crossborder data flows, they should allow governments to provide exceptions or limitations that strengthen the protection of their citizens’ privacy,’’ EPIC said. The agreement should not turn into ‘‘a vehicle for weakening stronger European laws,’’ the group added.

‘‘The trade process should not necessarily be the vehicle for making detailed policy on privacy and data protection,’’ Raul told BNA. ‘‘However, the US and EU can make important baseline commitments to each other’’ that could be followed up in more detail. He gave the example of a possible EU finding that the U.S. data protection scheme is adequate.

‘‘[T]he two sides are pretty close today, and likely to get even closer going forward,’’ Raul said. ‘‘The trade process can help nurture and cement this growing convergence.’’

Ripe Topics for Negotiation. Given the context of the ongoing revision of the EU data protection framework, there are several topics that may crop up during the TTIP negotiations, Jim Halpert, a partner at DLA Piper’s Washington office, told BNA, including:

  • possible elimination of adequacy determinations and revocation of the U.S.-EU Safe Harbor Program;
  • impact on data transfers from Europe to the United States for the purpose of compliance with tax reporting, anti-corruption, anti-terrorism, or money laundering laws;
  • regulation of producers, which would include non-EU software manufacturers and service providers; and
  • sanctions, which include fines of up to 2 percent ofa company’s worldwide gross income.

‘‘At a minimum, legal compliance [and] Safe Harbor are going to be topics of negotiation,’’ he predicted.