Data Protection Regulation and the Politics of Interoperability
The United States Government has taken a stance, pressuring the European Union to weaken its new, strengthened data protection bill. The European Union has a history of strong data protection standards, emboldened by the European Charter’s explicit provisions upholding data protection as a fundamental right. European Digital Rights (EDRi) revealed today a widespread U.S. lobbying effort against the November 29th leaked version of the legislative proposal for a Data Protection Regulation (DPR). DPR will repeal the existing EU Data Protection Directive, which details regulations regarding personal data processing within the European Union, and is due for official release on January 25th, 2012.
The U.S. lobbying efforts include phone calls and correspondence from senior figures in the U.S. Department of Commerce to top-level staff at the European Commission regarding a broad range of topics. An "informal note" was circulated, articulating U.S. concerns about DPR, which complained that the draft proposal “will break with international standards” and could “undermine” global interoperability between different privacy “regimes” around the world.
Some of the U.S. criticisms are fair. For instance, under the First Amendment, older minors possess greater rights than pre-adolescents, and should not be treated the same way. Similarly, the “right to be forgotten” creates free expression tensions; to its credit, the EU draft proposal appears to provide exceptions for free speech. The U.S. position on interoperability, however, is of concern.
The U.S.-EU Safe Harbor Framework was cited as an example of a bilateral interoperability program. The Framework is an agreement between the European Commission and the United States Department of Commerce, whereby companies can join the Safe Harbor to demonstrate--in theory--compliance with the strong protection afforded by the EU Data Protection Directive. The framework was widely criticized in 2002, 2004, and 2008 for its lack of effectiveness in protecting privacy. For many, the Safe Harbor represents a weak compromise between the comprehensive legislative model selected by the European Union and the self-regulatory model adopted by the U.S., which fails to meaningfully protect privacy (Read here, here and here to learn more about the criticisms against the Safe Harbor Framework).
In today’s statement, EDRi criticizes the U.S.’s own global interoperability work. In practice, EDRi said, the concept of “interoperability” has often meant that data is simply being transferred to the U.S., where there are no data protection laws that would protect the data of non-U.S. persons. The concept of interoperability remains contested and in flux, as discussed at the recent OECD Privacy Conference in Mexico, where EFF represented CSISAC. In that meeting, we voiced concern over the concept of “interoperability”, arguing that it should not be used as a way to circumvent strong privacy safeguards. Recent incidents of high-profile privacy invasions and subsequent public outcries demonstrate a general erosion of users’ trust and indicate a pressing need for strong and consistent privacy protections. During the same meeting, Mme Françoise Le Bail of the European Commission also emphasized that interoperability must not be promoted at the expense of high standards.
Nigel Waters of Privacy International said, "interoperability must not be allowed to justify purely self regulatory models that lack credibility." In the United States, self-regulation has failed to protect users' privacy expectations, especially given the increasing commodification of personal data. A U.S. study has shown that self-regulatory privacy programs emerge only when companies feel threatened by potential legislation, but dissipate when companies believe that the threat has passed. Such an approach fails to address user trust issues or adequately protect privacy rights in the United States.
This ongoing process requires continued vigilance against vested interests intent on promoting a watered-down version of privacy protections in the name of interoperability. According to EDRi, U.S. lobbying efforts are aimed at weakening proposed privacy standards established in the DPR, based on objections that are “flawed” and “interest-driven”. It must be noted that data protection laws are no longer a European phenomenon. A study done by Graham Greenleaf shows that there are now 29 legal frameworks that protect privacy outside Europe, 78 national data privacy laws in total. Despite these efforts, the U.S. government has still failed to implement the OECD Privacy Guidelines into its national law.
EFF will be monitoring the current negotiations to review existing international privacy instruments at the OECD, the Council of Europe and the European Union. 2012 will be a key year for data protection. We must keep our eyes open to make sure the U.S. government does not force the worst of its policies -- that are detrimental to user privacy rights -- into the international fora.
For ongoing updates follow: @EDRi_org
EDRi point of contact: Joe McNamee <joe @ mcnamee . eu>