Since the 1970s, legislators and regulators have realised that the use of new technologies can raise difficult public policy issues, particularly in the area of privacy. They have responded over the course of several decades by enacting laws and regulations to protect personal data. As we enter the third decade of the commercial internet, however, some believe that these laws and regulations have begun to show their age.
Today, technology has advanced to allow increased data storage capacity at ever-declining cost. New, powerful, analytical tools can process unprecedented amounts of data, revealing unexpected correlations and promising breakthroughs in medical research and other areas. And ubiquitous connected devices and sensors that are part of the burgeoning ‘internet of things’ are beginning to automatically share data, some of it personal and potentially sensitive.
The internet of things and big data analytics hold tremendous potential to improve economic efficiency, detect and prevent the spread of disease, protect public safety and national security, and otherwise enhance the quality of life. But some policymakers are concerned that this new technology has outpaced the ability of existing laws to protect personal privacy, particularly in the dynamic global digital economy.
Policymakers around the world have begun to respond in various ways. This article explores at a high level how the US and the European Union (EU) are addressing these new privacy challenges. The US and the EU historically have taken different approaches to protecting consumer privacy. The US has protected certain categories of sensitive information and has given more leeway to businesses to use personal data for commercial purposes. The EU, on the other hand, protects consumer privacy through an overarching law that protects all personal data and imposes strict requirements on companies that collect, use and disclose such data.
There is some support in the US for an omnibus consumer privacy law, even though efforts to date in that regard have been unsuccessful. Meanwhile, the EU is about to update and strengthen its comprehensive consumer privacy law.
Unlike other countries that have omnibus data privacy laws, the US has taken a sectoral approach to privacy, enacting federal laws to protect discrete categories of data, such as electronic communications, financial records and health-related information. These statutes generally allow entities to collect, use and disclose personal information if they have obtained a consumer’s affirmative, prior consent after providing the consumer with notice about how their data will be used and shared.
In the absence of a comprehensive data privacy law (but see footnote on states such as California) the Federal Trade Commission (FTC) has used its enforcement authority under the Federal Trade Commission Act to regulate data privacy at the federal level.
The FTC lacks rulemaking authority, but it has used its investigative and enforcement powers to bring actions against companies that violate their own privacy policies, fail to implement reasonable security measures to protect the data that they collect and maintain, or otherwise engage in deceptive or unfair practices related to the collection, use and disclosure of personal information.
Unlike the sector-specific federal privacy laws, which often require companies to obtain consent from consumers before using or disclosing personal information, the FTC generally has allowed companies to collect, use and disclose personal information as long as they provide consumers with notice and choice regarding the handling of personal data and comply with their privacy policies.
Although the internet economy grew and digital technologies developed at a rapid pace during the previous decade, neither Congress nor the Bush administration made consumer data privacy a big priority. The Obama administration has taken a different approach. In 2009, it established an Internet Policy Task Force (‘Task Force’) to address public policy issues affecting consumers and innovation, including privacy. To that end, the Task Force convened an interagency working group to develop an approach to consumer privacy that would protect consumers without impeding innovation.
In 2012, the Obama administration issued a report (the ‘White House privacy report’) summarising the Task Force’s findings. The report concluded that although the current consumer data privacy framework in the US was strong, it lacked:
The White House privacy report recommended that Congress pass legislation to codify a Consumer Privacy Bill of Rights. The report outlined a framework that included rights for consumers and corresponding obligations for companies based on the Fair Information Practice Principles (the ‘FIPPs’). This was significant. Some federal privacy statutes in the US include elements of the FIPPs, but the FTC has never incorporated all of them into its data privacy regime.
However, the FIPPs are the foundation for many international privacy regimes, including the European Union’s Data Protection Directive, the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules, and the Organisation for Economic Cooperation and Development (OECD) Privacy Principles. The Obama administration thus sought to create through the Consumer Privacy Bill of Rights an approach to consumer data privacy that it believed would facilitate cross-border data flows in the 21st century global digital economy.
In addition to calling for a federal omnibus privacy law modeled on the Consumer Privacy Bill of Rights, the White House privacy report also directed the US Department of Commerce to conduct an open, voluntary multi-stakeholder process to establish, through consensus, voluntary industry codes of conduct that the FTC would enforce. In this respect, the White House tried to give industry a way to use data to innovate, while protecting consumer privacy and ensuring accountability.
Some industry sectors have adopted this approach of combining self-regulation with the threat of enforcement. For instance, the online advertising industry has developed an enforceable code of conduct for third-party advertising companies that target ads to consumers online. The Council of Better Business Bureaus (CBBB) and the Direct Marketing Association (DMA) monitor and enforce compliance with the principles and manage a consumer complaint resolution process. To date, the accountability programme has announced 43 compliance actions, a number that does not include all of the instances in which either the CBBB or DMA has worked with companies to bring them into compliance.
Since the White House privacy report’s release, the Department of Commerce has completed one multi-stakeholder process to develop an industry code of conduct for mobile app transparency. It is in the process of developing another code for facial recognition technology, and is planning a third process to address drone privacy.
Unlike the online advertising industry’s self-regulatory regime, however, the code of conduct that emerged from the first Department of Commerce multi-stakeholder process has not been widely adopted by industry.
Self-regulatory efforts have not muted the call for omnibus federal privacy legislation. Just one month after the release of the White House privacy report, the FTC released its own privacy report, calling on Congress to enact baseline privacy legislation to augment self-regulatory efforts. According to the FTC, baseline privacy legislation should be technology neutral, sufficiently flexible to allow companies to continue to innovate, and provide clear rules of the road while also ensuring adequate deterrence through civil penalties and other remedies. A majority of the FTC commissioners repeated their call for baseline privacy legislation in a more recent report on the privacy issues raised by the internet of things.
Earlier this year, the Obama administration released its long-awaited draft of legislation that would codify the Consumer Privacy Bill of Rights. Based on the framework outlined in the White House privacy report, the administration’s proposal attempts to establish strong consumer privacy protections without inhibiting innovation in the digital economy.
The proposal sets out a comprehensive privacy regime, based on the FIPPs, that would apply to all personal information, not just certain types of sensitive personal information in particular industry sectors. It would require entities that collect, create, process, retain, use or disclose such information to establish mechanisms that ensure the following:
Transparency: Companies would be required to provide consumers with concise, easy to understand, timely and conspicuous notice about the company’s privacy and security practices.
Individual control: Companies would be required to give individuals a reasonable means to control data processing in proportion to the privacy risk to the individual and consistent with context.
Respect for context: Companies would be required to follow additional requirements when they process personal data in ways that are not ‘reasonable in light of context’. The proposal provides 11 factors for companies to consider in determining whether data processing is inconsistent with the context of the relationship between the company and the consumer. When data processing is out of context, the proposal would require companies to provide additional notice and give consumers the chance to opt in to the processing of their data.
Focused collection and responsible use: Companies generally would be required to:
Security: Companies would be required to:
Access and accuracy: Companies would be required to provide individuals with reasonable access to, or an accurate representation of, their personal data, and a reasonable and appropriate mechanism to ensure that personal data under the company’s control are accurate.
In keeping with the tradition of self-regulation in this area, the proposal also would allow companies to develop and adopt codes of conduct that would be approved and enforced by the FTC. Under the proposal, the FTC could approve a code as long as it found that the code provided privacy protections equal to or greater than those guaranteed under the Consumer Privacy Bill of Rights.
Finally, the Obama administration’s proposal also would impose certain requirements on companies that identify privacy risks associated with particular uses of personal data. Specifically, the proposal would require such companies to provide notice to enable individuals to decide whether to reduce their exposure to risk, and a mechanism to allow individuals to exercise their choices with respect to such risk exposure.
Companies would be exempt from this requirement if an FTC-approved ‘privacy review board’ supervised the data processing and determined that:
The privacy review board is in large part intended to address privacy risks in the era of big data analytics. As discussed above, big data analytics require the collection and analysis of huge amounts of data from which unexpected beneficial discoveries ultimately can be made. Big data challenges the traditional ‘notice and consent’ regime and the principle of ‘focused collection’ because it involves the use of data for a purpose of which the consumer was unaware at the time of data collection. The concept of a privacy review board is a nod toward the idea of a ‘responsible use’ privacy framework, which would make room for big data analytics by focusing more on data use than on data collection.
After the administration released its draft proposal, advocates and industry praised some aspects and strongly criticised others. As a result, no one emerged as the bill’s champion, and observers have considered the proposal dead on arrival. Indeed, the administration has yet to find an ally in Congress who will introduce it as a standalone bill. Nonetheless, the aspects of the bill that various stakeholders support could find their way into other privacy bills, either in Congress or in state legislatures.
If Congress does not act, US multinational companies and companies that do business online could find themselves subject to even more onerous requirements, as other countries enact new laws that will have extraterritorial effect in the borderless internet economy.
Across the Atlantic, officials in the European Union have been busy updating the EU Data Protection Directive, an omnibus privacy law that has governed commercial data privacy in the EU since 1995. Unlike in the US, where commercial entities generally may collect, use and share personal information as long as they adhere to their privacy policies, the Data Protection Directive generally requires companies to obtain a consumer’s prior consent before collecting, using, disclosing or storing their personal data.
In January 2012, the European Commission released its proposal for a new General Data Protection Regulation (GDPR), which would impose a more prescriptive, and potentially burdensome, privacy and data security framework than the current Data Protection Directive. Because the GDPR will apply to any non-EU company that handles the personal data of EU citizens, even if that company is not physically located in the EU, it is certain to be a problem for US companies.
The European Parliament passed an amended version of the GDPR, and the European Commission, the Parliament and the EU Council of Ministers (which represents the interests of EU member states) have since been wrangling over the text. They must reach consensus on a final version before the GDPR can be adopted.
The current version of the GDPR includes a number of provisions that would affect companies doing business in the EU, such as a requirement to notify customers within 72 hours of a data breach and incentives to incorporate privacy by design principles and techniques into software development.
In addition, there are several outstanding issues that have not yet been resolved, including the following:
Definition of personal data: The draft applies to any information that can be directly or indirectly linked to an individual. This is consistent with the definition of ‘personal data’ under the Data Protection Directive. The European Parliament, however, favours a definition that would include information that does not necessarily reveal the identity of an individual, as long as it allows a person to be ‘singled out’ from a larger group.
Informed consent: The European Parliament and Council are debating the type of consent that a user must give before a company can process data about him or her. The draft allows some data collection and processing without consent, but only when a user could reasonably expect it under the circumstances.
Some member states want data controllers to have more leeway to subsequently use data for purposes that were not contemplated at the time of data collection.
Right to be forgotten: The draft GDPR includes what has been called the ‘right to be forgotten’. This provision would give anyone the right to request a ‘data controller’ (essentially, the entity that makes decisions about how and for what purpose data is processed) to delete or correct information about him or her.
Earlier versions of the GDPR would have given individuals expansive rights to request deletion. The current version, however, requires only data controllers who are publishing data in violation of the GDPR to delete data.
Sanctions: Fines for violation of the GDPR are potentially significant. The European Commission and the Council favour fines of up to 2% of a violating company’s annual global turnover, whereas the European Parliament favours higher fines of up to €100 million or 5% of a company’s annual global turnover.
Representatives from the European Commission expect negotiations to conclude by the end of this year, setting the stage for enactment of the new law throughout the 28 member states that comprise the European Union. If the GDPR is ultimately adopted in the EU, it will become effective after a two-year transition period.
LIKELY PATH FORWARD
Congress is unlikely to pass the Obama administration’s proposal or any other omnibus consumer data privacy legislation in the near future. In the meantime, government institutions in the EU likely will reach consensus and adopt some version of the GDPR in late 2015 or early 2016. This will complicate cross-border data transfers for US firms that process the personal data of EU citizens.
EU law prohibits the transfer of personal data outside the EU to countries whose privacy laws the EU has not deemed ‘adequate’. Because the EU has refused to find the US privacy framework to be ‘adequate’, US multinationals that want to transfer personal data outside of the EU have had to operate under model contract clauses, binding corporate rules, or the US–EU Safe Harbor Agreement, which allows US companies to transfer such data if they agree to abide by certain data handling principles. But Safe Harbor has been in jeopardy, particularly since the Snowden revelations about the US government’s intelligence gathering activities.
But even if US and EU officials can overcome their differences and salvage Safe Harbor, the GDPR will nonetheless impose new requirements on US companies. Therefore, US companies need to prepare for new requirements regarding the handling of personal data, or they may face stiff headwinds trying to cross the Atlantic.
With pressure mounting for new personal data privacy rules, Nancy Libin and Joshua Bercu assess the current state of play in the US and EU.