The United States Government is pressuring the European Union to weaken its new, strengthened data protection bill. The European Union has a history of strong data protection standards, emboldened by the European Charter’s explicit provisions upholding data protection as a fundamental right. European Digital Rights (EDRi) revealed today a widespread U.S. lobbying effort against the leaked version of the legislative proposal for a Data Protection Regulation (DPR). The DPR, which is due for official release on January 25th, 2012, will repeal the existing EU Data Protection Directive, which details regulations regarding personal data processing within the European Union.
The U.S. lobbying efforts include phone calls and correspondence from senior figures in the U.S. Department of Commerce to top-level staff at the European Commission regarding a broad range of topics. An "informal note" was circulated, articulating U.S. concerns about DPR, which complained that the draft proposal “will break with international standards” and could “undermine” global interoperability between different privacy “regimes” around the world.
Some of the U.S. criticisms are fair. For instance, under the First Amendment, older minors possess greater rights than pre-adolescents, and should not be treated the same way. Similarly, the “right to be forgotten” creates free expression tensions. The U.S. position on interoperability, however, is of concern.
The U.S.-EU Safe Harbor Framework was cited as an example of a bilateral interoperability program. The Framework is an agreement between the European Commission and the United States Department of Commerce, whereby companies can join the Safe Harbor to demonstrate—in theory—compliance with the strong protection afforded by the EU Data Protection Directive. [1]
[1] The Safe Harbor allows transfer of Europeans’ personal data to the U.S. in circumstances where the transfer would otherwise not meet the European adequacy test for privacy protection. The framework was widely criticized in 2002, 2004, and 2008 for its lack of effectiveness in protecting privacy. For many, the Safe Harbor represents a weak compromise between the comprehensive legislative model selected by the European Union and the self-regulatory model adopted by the U.S., which fails to meaningfully protect privacy. (Read here, here, and here to learn more about the criticisms against the Safe Harbor Framework.)
In today’s statement, EDRi criticizes the U.S.’s global interoperability approach. In practice, EDRi said, the concept of “interoperability” has often meant that data is simply being transferred to the U.S., where there are no data protection laws that protect non-U.S. persons. The concept remains contested and in flux, as discussed at the recent OECD Privacy Conference in Mexico, where EFF represented CSISAC. In that meeting, we voiced concern over the use of interoperability as a way to circumvent strong privacy safeguards. Recent incidents of high-profile privacy invasions and public outcries demonstrate erosion of user trust and highlight the need for strong and consistent privacy protections. During the same meeting, Mme Françoise Le Bail of the European Commission emphasized that interoperability must not be promoted at the expense of high standards.
Nigel Waters of Privacy International said, "interoperability must not be allowed to justify purely self-regulatory models that lack credibility." In the United States, self-regulation has failed to protect users' privacy expectations, especially given the increasing commodification of personal data. A U.S. study has shown that self-regulatory privacy programs emerge only when companies feel threatened by legislation, but dissipate when they believe the threat has passed. Such an approach fails to address trust or adequately protect privacy rights in the United States.
This ongoing process requires continued vigilance against vested interests promoting watered-down privacy protections in the name of interoperability. According to EDRi, U.S. lobbying efforts are aimed at weakening proposed DPR privacy standards, based on objections that are “flawed” and “interest-driven.” It must be noted that data protection laws are no longer a European phenomenon. A study by Graham Greenleaf shows there are now 29 legal frameworks protecting privacy outside Europe, with 78 national data privacy laws in total. Despite these efforts, the U.S. government still has not implemented OECD Privacy Guidelines into national law.
EFF will be monitoring the current negotiations to review existing international privacy instruments at the OECD, the Council of Europe, and the European Union. 2012 will be a key year for data protection. We must remain vigilant to ensure U.S. policies that are detrimental to privacy rights are not pushed into international fora.
For more info, please visit the EDRi Statement
For ongoing updates follow: @EDRi_org
EDRi point of contact: Joe McNamee <joe @ mcnamee . eu>