By Katie W. Johnson, Bloomberg BNA
Reproduced with
permission from Privacy & Security Law Report, 12 PVLR
909 (May 27, 2013). Copyright 2013 by The Bureau of National
Affairs, Inc. (800-372-1033) http://www.bna.com
Industry and consumer protection
groups are divided over whether a potential United States–European Union trade
agreement should address data protection.
The difference of opinion is
detailed in comments submitted to the Office of the U.S. Trade Representative
(USTR) in response to an April 1 solicitation for public comments on a possible
‘‘Transatlantic Trade and Investment Partnership’’ (TTIP).
The USTR requested input on
‘‘relevant electronic commerce and cross-border data flow issues that should be
addressed in the negotiations.’’
The request followed up on Acting
U.S. Trade Representative Demetrios Marantis’s notification to Congress in a March letter that
President Obama intends to enter into negotiations with the European Union
because ‘‘[a]n ambitious, comprehensive, and high-standard TTIP can generate
new business and employment by significantly expanding trade and investment
opportunities in the United States and the EU.’’
Although consumer groups urged
the USTR not to address privacy and data protection issues in the U.S.–EU
agreement, industry representatives said the agreement would provide a good
opportunity to develop international consensus on standards.
Comments were due May 10.
According to the regulatory docket, the office had received 378 comments as of
May 23.
The office plans to hold a May
29–30 hearing on the TTIP proposal.
Will Context Change Negotiations?
It is ‘‘interesting that privacy is going to be looked at under the rubric of
e-commerce,’’ Paul Schwartz, University of California Berkeley School of Law
professor and co-director of the Berkeley Center for Law & Technology, told
BNA. He noted that data protection is not a separate category on which the USTR
requested comments.
The discussion about privacy will
likely ‘‘become[ ] part of a larger e-commerce
discussion’’ and thus will be a ‘‘much bigger discussion with different
regulators,’’ he explained.
Privacy ‘‘is by no means a new
issue for trade agreements,’’ Alan Charles Raul, partner at Sidley Austin LLP
in Washington, told BNA. Both the United States and the European Union
addressed data flow issues in their respective trade agreements with South
Korea, he said.
‘‘There is no question that data
protection has an impact on free trade,’’ Martin Abrams, president of the
Centre for Information Policy Leadership at Hunton
& Williams LLP, in Washington, told BNA. ‘‘The question is whether it is an
appropriate impact, whether it is acceptable to in some ways limit trade.’’
Schwartz also questioned the
impact of the TTIP on the European Commission’s proposed data protection
regulation (11 PVLR 178, 1/30/12) given that the regulation would be binding
law in the European Union.
Undermining EU Regulation Democratic
Process? ‘‘We don’t think that privacy or data flows should be included in the
negotiations,’’ Susan Grant, director of consumer protection at the Consumer
Federation of America (CFA), told BNA. ‘‘There is an important democratic
process going on in Europe right now to enact a privacy regulation and we fear
that it could be undermined by the trade negotiations, which are not a
democratic process.’’
‘‘There is no question that data
protection has an impact on free trade. The question is whether it is an
appropriate impact, whether it is acceptable to in some ways limit trade.’’
MARTIN ABRAMS, PRESIDENT,
CENTRE FOR INFORMATION POLICY
LEADERSHIP,
HUNTON & WILLIAMS LLP
Addressing privacy during the
trade negotiations is ‘‘premature’’ given the lack of a U.S. privacy framework
comparable to EU law, Grant said, adding that CFA is hoping for legislation to
implement President Obama’s proposed Consumer Privacy Bill of Rights (11 PVLR
355, 2/27/12).
‘‘The lack of an adequate privacy
protection regime in the US is a problem for cross-border trade, but the
solution is to enact sufficiently strong privacy protections here, not to
attempt to negotiate a deal that would oblige the EU to accept the patchwork of
weak sectoral laws and self-regulatory programs in the
US as an adequate basis for transatlantic data flows,’’ CFA said in its
comments on the TTIP.
The Center for Democracy &
Technology (CDT) encouraged the negotiators to ‘‘take a cautious and limited
approach to data protection and privacy’’ given that there is a ‘‘very active
democratic debate on both sides of the Atlantic’’ in this area. The agreement
should ‘‘avoid both the reality and the appearance of attempting to preempt or
bypass the regular democratic process on these issues,’’ CDT said in its comments.
The Center for Digital Democracy
(CDD) took a similar position, saying in its comments that it is ‘‘ extremely critical’’ for U.S. and EU lawmakers to address
their frameworks first. ‘‘USTR should not try to advance the interests of [the
U.S.] digital marketing industry in a manner that will ultimately challenge and
undermine the European Union’s data-protection framework.’’
The Electronic Privacy
Information Center (EPIC) echoed those concerns in its comments, adding that
‘‘trade agreements are not the appropriate mechanism for determining
international privacy standards, and thus the TTIP should exclude privacy and
data protection entirely.’’
EPIC pointed to an April
Bertelsmann Foundation and Atlantic Council survey report based on responses of
some 120 business, academic, government, legislative, and media professionals
that concluded data protection/privacy will be one of the most important and
most difficult issues to address in the negotiations, and thus ‘‘has the
potential to derail negotiations if not handled effectively.’’
CFA, CDD, EPIC, and other groups
encouraged the USTR to ensure transparent negotiations and provide
opportunities for public involvement. ‘‘For us, the process is equally as
important as the subject matter to be discussed,’’ Grant of CFA said. ‘‘[W]e
want the process to be transparent and open and we want a mechanism for
consumer representatives to actually engage in a meaningful way.’’
‘‘The fundamental point is that
neither the EU nor the US should discriminate against the other side’s
business—digital or otherwise.’’
ALAN CHARLES RAUL,
PARTNER, SIDLEY AUSTIN LLP
Avoiding
Cross-Border Data Flow Barriers. Any U.S.-EU trade agreement should
address privacy and data protection issues because those issues ‘‘are intrinsic
to digital trade across the Atlantic,’’ Raul told BNA. Resolving ‘‘conflicts of
laws and regulatory impediments’’ is important given digital trade’s importance
in the world economy, he emphasized. For example, ‘‘many US companies and
online offerings get targeted for EU enforcement actions and extra
administrative burdens to do business for the EU,’’ he said. ‘‘This harms US
trade interests and also holds back innovation in the EU to the detriment of EU
consumers,’’ Raul emphasized.
‘‘The fundamental point is that neither
the EU nor the US should discriminate against the other side’s business—digital
or otherwise,’’ he said.
TTIP negotiators should ‘‘ensure
that privacy rules do not act as an unnecessary barrier to cross-border flows
of information,’’ the Software & Information Industry Association (SIIA)
agreed in its comments. The agreement ‘‘should reaffirm the obligation to
provide companies with a usable means to demonstrate compliance with local
privacy rules so that
information can flow across borders,’’ SIIA said.
‘‘While privacy and data
protection legal frameworks strive to protect the privacy of individuals and
secure their data, the ability for industry to innovate and develop new
products and services should not be impeded,’’ the Information Technology
Industry Council (ITI) said in its comments. ITI said the agreement should
contemplate accountability mechanisms that are already in place, such as
binding corporate rules (BCRs) and codes of conduct.
The U.S.-EU Safe Harbor Program
is another important mechanism to allow data to cross borders, BSA | The
Software Alliance said in its comments.
‘‘We recognize that there are
legitimate areas where exceptions to such enforceable obligations should be
permitted, including . . . privacy,’’ BSA said, cautioning, however, that
exceptions should not hinder crossborder data flows.
Opportunity to
Make Frameworks Interoperable. ‘‘The TTIP presents a
‘once-in-a-generation’ opportunity to progress the interoperability of data
privacy frameworks in a way that endures,’’ the Coalition for Privacy &
Free Trade said in its comments, adding that data privacy should be ‘‘a top
priority’’ during the negotiations. The Hogan Lovells
LLP-affiliated organization is a new coalition of companies advised by legal
experts and former U.S. officials and formed to address free trade barriers set
in place by differing data protection and privacy regimes around the world (12
PVLR 507, 3/25/13).
The group said the agreement
presents ‘‘an opportunity to lead the development of a contemporary,
reasonable, and sustainable policy framework for cross-border personal data
flows—one that will have influence around the world—while at the same time
promoting digital trade.’’ The coalition added that ‘‘the TTIP process should
recognize, respect, and seek to reconcile fundamental
differences between the US and EU privacy frameworks . . . .’’
A separate, informal coalition of
internet and technology companies—the ‘‘Digital Trade Coalition’’—said the
timing of the TTIP negotiations is ‘‘opportune’’ given the proposed EU data
protection regulation and U.S. privacy developments like the White House’s
consumer privacy white paper and the Federal Trade Commission’s 2012 consumer
privacy report (11 PVLR 590, 4/2/12).
‘‘[B]y seeking to
reconcile privacy and data protection standards—and by promoting digital
interoperability—TTIP can meaningfully reduce nontariff barriers to US
companies . . . ,’’ Raul said in comments submitted on behalf of the coalition.
‘‘TTIP can help ensure that
future privacy rules are smarter than they are today: simpler, better
coordinated, more cost-effective and efficient, and less burdensome and
discriminatory,’’ Raul said in the comments. ‘‘This will lead to more digital
trade and ecommerce without sacrificing consumer protection.’’
The Digital Trade Coalition
encouraged the USTR to seek: (1) confirmation in the TTIP of the European
Union’s proposed ‘‘one-stop-shop,’’ or ‘‘the concept of a ‘lead’ data
protection regulator for US companies doing business in the EU’’; (2) EU
judgment that the United States provides ‘‘adequate’’ privacy protection; and
(3) the establishment of a ‘‘US-EU Privacy and Data Protection Working Group,’’
which would aim ‘‘to identify and reconcile key differences in order to promote
interoperability.’’
Abrams, however, told BNA that
‘‘[a] focus on adequacy in the free trade context is misplaced. Society-to-society
discussion has already addressed U.S. adequacy through BCRs and the Safe Harbor
Program.’’ ‘‘The TTIP must acknowledge that there can be multiple approaches
that achieve a compatible regulatory outcome, particularly in areas such as
data protection and privacy,’’ the U.S. Chamber of Commerce said in its
comments.
‘‘The difficult points of
contention involve cultural differences in the treatment of access to
information,’’ Abrams said. ‘‘In the United States we have a strong First
Amendment and a tradition of allowing access to information,’’ but, he said,
‘‘[t]hat sense of open information just doesn’t translate in the European Union
in the same way.’’
‘‘This cultural gap is nothing
new,’’ Abrams said. The fundamental differences between the European Union and
the United States demonstrated by the First Amendment were a problem when the Organisation for Economic Co-operation and Development
adopted the Guidelines on the Protection of Privacy and Transborder
Flows of Personal Data in 1980, and they were cited as a problem at the 2010
30th anniversary celebration of the guidelines, he said.
Is There a Way to Meet in the
Middle? If the TTIP ends up addressing privacy and data protection, industry
and consumer groups seemed to agree that the trade agreement should only
broadly address those topics.
The TTIP should not include
‘‘substantive domestic privacy rules,’’ the SIIA cautioned.
‘‘If privacy or data flows are
included, we would want the scope of that to be very narrow,’’ Grant of CFA
told BNA. ‘‘We are not prepared yet to say what we think the scope might be—we
don’t want them in there at all—but if they are, we will make constructive
suggestions.’’
CDT emphasized that the TTIP
should not include provisions that would diminish an individual’s privacy
rights and should not allow companies to avoid compliance with data protection
laws. ‘‘For these reasons, TTIP should steer clear of commitments concerning
the substance of data protection regimes,’’ CDT said. ‘‘The TTIP trade
negotiation process is not a suitable forum for harmonizing or otherwise making
decisions about substantive rights, rules, and protections in the area of
privacy.’’
Negotiators should, however,
discuss a process for encouraging cross-border data flows while minimizing the
impact on substantive data protection policy choices in the United States and
the European Union, CDT added, such as assuring U.S. companies that the
European Union will deem their personal data practices adequate.
‘‘To the extent that TTIP
provisions impact crossborder data flows, they should
allow governments to provide exceptions or limitations that strengthen the
protection of their citizens’ privacy,’’ EPIC said. The agreement should not
turn into ‘‘a vehicle for weakening stronger European laws,’’ the group added.
‘‘The trade process should not
necessarily be the vehicle for making detailed policy on privacy and data
protection,’’ Raul told BNA. ‘‘However, the US and EU can make important
baseline commitments to each other’’ that could be followed up in more detail.
He gave the example of a possible EU finding that the U.S. data protection
scheme is adequate.
‘‘[T]he two sides are pretty
close today, and likely to get even closer going forward,’’ Raul said. ‘‘The
trade process can help nurture and cement this growing convergence.’’
Ripe Topics for
Negotiation. Given the context of the ongoing revision of the EU data
protection framework, there are several topics that may crop up during the TTIP
negotiations, Jim Halpert, a partner at DLA Piper’s
Washington office, told BNA, including:
-
possible
elimination of adequacy determinations and revocation of the U.S.-EU Safe
Harbor Program; - impact
on data transfers from Europe to the United States for the purpose of
compliance with tax reporting, anti-corruption, anti-terrorism, or money laundering
laws; - regulation of producers, which would include non-EU software manufacturers and
service providers; and - sanctions, which include fines of up to 2 percent ofa
company’s worldwide gross income.
‘‘At a minimum, legal compliance
[and] Safe Harbor are going to be topics of negotiation,’’ he predicted.