Experts explore data privacy and divergence in transatlantic regulation
On March 28, GMF hosted a luncheon discussion on "Transatlantic Cooperation and Conflict over Data Privacy Rules: Lessons for International Market Regulation" with Professor Abraham Newman from Georgetown University. William Sweeney of EDS (Electronic Data Systems, Inc.) spoke from a private-sector perspective. The event was moderated by Richard Salt, GMF Transatlantic Fellow, as part of GMF's research program on International Regulatory Cooperation and the Transatlantic Marketplace. Academics, journalists, and think-tank and government representatives, as well as representatives of a variety of non-profit policy institutions, were in attendance.
Professor Newman presented an overview of his paper, a GMF publication, which examines the background to transatlantic divergence in data privacy standards, the factors which influenced cooperation between the EU and the United States, and contemporary challenges to those efforts. Data privacy laws, Newman explained, deal with "the collection, processing and exchange of personal information" amid the advent of the technology age and the explosion of international data networks.
Globally, Newman argued, the United States remains a relative outlier in its more limited approach to data privacy protection. In the past decade, there has been a global shift towards comprehensive regulation of data privacy, most vividly illustrated by the tough standards embodied in the EU's 1995 Privacy Directive and, in particular, the extraterritorial clause which required any third country receiving personal information from inside the EU to meet certain regulatory standards including a regulatory body specifically for privacy issues. As international trade increasingly involved the exchange of personal information, transatlantic differences in protection and the absence of an independent privacy regulation body in the United States inevitably caused tension in the transatlantic relationship.
The solution to this has been the Safe Harbor Agreement, which creates a framework that enables multinational companies to function within the boundaries of the European Union's comprehensive data privacy laws and the United States' more limited regime. What made Safe Harbor effective was that it bridged the gap between two seemingly intractable differences: more comprehensive data privacy laws were unlikely to be enacted in the United States, while the EU continued (and continues) to see U.S. standards as not "adequate" to protect information held on EU citizens. The Safe Harbor Agreement represents a compromise in that multinational companies voluntarily sign up either to self-regulate or self-certify in order to comply with European privacy standards: the former means that they agree to comply with European principles and join an independent dispute settlement body; the latter involves U.S. firms voluntarily registering with a European data privacy authority and agreeing to regulation by that agency. The end result is that U.S. domestic law is unchanged, and clear differences remain between the two regulatory systems. But despite this, it has been possible to reconcile the two systems, allowing them to co-exist.
The solution embodied in Safe Harbor is what Professor Newman calls a "regulatory interface" - a mechanism for allowing two distinct regulatory systems to operate alongside one another, helping businesses that operate across regimes, without creating new international standards or laws, and explicitly recognizing that there are different and entirely valid systems of regulation and enforcement. This unique solution to a complex problem required no change in domestic law or regulatory practices.
In his response, Bill Sweeney drew attention to the historical differences which underlay U.S. and European approaches to data privacy, noting that European sensitivities about the use and transmission of personal data could be traced back to the Holocaust - an illustration of how deeply entrenched the values embedded in regulatory standards could be. He also commented on the challenges that were presented to data privacy cooperation by contemporary security challenges, perhaps most obviously over Passenger Name Record data, and linked the issue to national developments in privacy rights and legislation. He argued that there has been an insufficient discussion on the issue of individual privacy as governments sought to combat terrorism, in particular where policies adopted in many democracies have clashed or otherwise interacted with conceptions of basic privacy rights; according to Sweeney, there has not been enough questioning of how to balance these (seemingly) competing demands.
Questions from the audience covered many aspects of the privacy debate, from national security issues and the private sector to congressional reaction and the need for increased regulatory oversight. Asked about recent legislation being considered in the U.S. government concerning regulation and its possible impact on the situation, Professor Newman argued that the single most important thing the United States could do to improve European confidence would be to create an independent data privacy authority. Citing the experience of Canada, which often followed a model of industry-led regulation similar to that of the United States, he noted that a similar step had strengthened European confidence - and even led to the EU finding that Canadian privacy rules met the "adequacy" standard. He emphasized that it would not necessarily mean changing U.S. regulatory philosophy or approach, but that some "institutional harmonization" helped boost mutual trust between authorities.