By Joyce E. Cutler, Privacy & Security Law Report
Reproduced with permission from Privacy & Security Law Report, 12 PVLR 508 (March 25, 2013). Copyright 2013 by The Bureau of National Affairs Inc. (800-372-1033) <http://www.bna.com>
PALO ALTO, Calif.–International free trade agreements now being
negotiated offer the opportunity to harmonize privacy regimes and
avoid a potential privacy collision between the United States and
the
European Union, panelists said March 21.
The European Commission’s
proposed
data
protection regulation (11 PVLR 178, 1/30/12) conflicts with
U.S. privacy schemes and strong First Amendment practices,
Christopher
Wolf, a partner with Hogan Lovells in Washington, and co-founder
of
the Future of Privacy Forum, told a University of California
Berkeley
Center for Law & Technology privacy law forum.
In that context, President Obama’s state of the union address
announcement of the negotiation of a free trade agreement with the
European Union–along the lines of the North American Free Trade
Agreement between the United States, Canada, and Mexico–is
significant, he said.
A U.S.-EU agreement has the potential to improve the economies on
both sides of the Atlantic and promote trade in an unprecedented
way,
Wolf added.
The discussion comes as Japan recently announced it was joining
the
11-nation Trans-Pacific Partnership negotiations, Wolf noted.
“[Y]ou can’t have a discussion about trade today without
having a discussion about digital free trade” and regulatory
impediments, he said.
“The coming free trade negotiations provide an opportunity
around the world to talk about our common commitment to privacy
and a
way to promote inter-operability and the free flow of data while
respecting the variations in different regions,” Wolf said.
“[T]he trade issue is the new lens through which we can
promote privacy,” Wolf said. “Privacy is an essential
element of trade and has to be built in.”
Wolf and Hogan Lovells March 18 announced the formation of a new
free trade coalition designed to promote privacy issues during the
ongoing trade negotiations (see related report).
EC Proposed Regulation Problems Alleged.
The bad news about the EC’s proposed data protection regulation
is
that it would give the Commission a lot of power it did not have
before, Karl-Nikolaus Peifer, director of the Institute for Media
Law
and Communications Law at the University of Cologne Law School,
said.
The good news may be that there will be “one address you can
speak to, and that will be the Commission,” Peifer said. U.S.
companies would no longer have to deal with individual member
states
and other data protection authorities, such as the state level
DPAs in
Germany, he said.
Or as Michael Hintze, Microsoft Corp. chief privacy counsel and
assistant general counsel, put it: “A lot in the regulation is
problematic [but] it’s much easier to deal with something that
sucks
in one way rather than sucks in 27 different ways,” as would be
the case with a single EU-wide regulation versus 27 individual
member
state laws interpreting the current Data Protection Directive
(95/46/EC).
The problematic issues include the concept of the right to be
forgotten, under which companies would be required to remove an
individual’s personal data from the internet upon demand, Hintze
said.
This is an impractical attempt to push a genie back in the bottle
after information has been released, he said.
A further problem is the “doubling down on explicit consent
in the regulation,” Hintze said.
“In an era where data is collected through so many different
ways, through sensors on toll roads, through all these online
services, through every transaction you make is recorded in some
way,
the idea [that] there’s going to be an explicit consent experience
for
every piece of data, for every data use is absurd. You’d never get
past the pop-ups to do what you want to do,” he said.
“Despite what [the proposed regulation] says, I think at the
end of the day we’re all going to find a way to live with it,”
Hintze concluded.
EU v. U.S. Privacy Schemes.
The European Union emphasizes limits on data collection, data
quality principles, and notice, access, and correction rights for
individuals, UC Berkeley Law Professor Paul Schwartz said.
The European Union also has fair information practices, such as
the
principle that personal information can be processed only if there
is
a legal basis for doing so, he said. Similar principles are hard
to
find in the United States, “unless you kind of torture the
comparison,” he said.
In the U.S. First Amendment tradition, “you can process
information to your heart’s content, unless there’s actually a
statute
that prevents it or provides some obligation when you do it,”
Schwartz said.
One of the multitudes of silver linings is that the EC proposed
regulation calls for collaboration and data protection among a
broad
variety of actors, “so it sounds like harmonization networks and
it sounds like it’s open to that,” Schwartz said.
“To avert the privacy collision ahead, we need to think about
accountability through transparency,” he said.
By Joyce E. Cutler
Copyright 2013, The Bureau of National Affairs, Inc.