Moving forward together

Abstract

As 2010 wore to a close, major reports on privacy were released almost simultaneously in the European Union and USA. The first, published on 4 November, came from the European Commission, ‘A Comprehensive Approach on Personal Data in the European Union’. The following month two US agencies released privacy reports. The Federal Trade Commission’s report, ‘Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers’, appeared on 1 December, and two weeks later the US Department of Commerce released its green paper on ‘Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework’. These three significant and long-awaited government reports provide new insights into how regulators on both sides of the Atlantic view privacy challenges and the extent to which those views may be converging. In fact, many observers were surprised by the extent to which the three reports overlap. For example, all three reports are prompted by similar issues and address similar problems—mainly, that current approaches to data protection have become ineffective in response to the rapid expansion in information technologies and applications. All three reports explicitly recognize the tension between innovation and intrusion and acknowledge both the value and risks of information flows. Notice and choice, particular hallmarks of US privacy protection, but also found in European laws, come in for special (and well-deserved) criticism, especially in the EU and FTC reports. All three reports stress the importance of not over-focusing on notice and choice and ensuring that, when presented, notices are clear, concise, and simple to use. The reports also recognize the importance of industry responsibility, self-regulation, and international cooperation in enforcement. All three focus new attention on accountability, rather than mere compliance, as a principled basis for data protection. And all three reports were issued in draft form and specifically invited public comment, reflecting the fundamental importance of individual and industry participation in formulating workable privacy policies. These and other similarities appear to reflect growing convergence in transatlantic thinking about data protection issues. In fact, elements of each report sound themes historically associated with regulators on the other side of the Atlantic. The EU report reflects concerns about the burden of complying with data protection laws, the tension between protecting privacy and not stifling innovation, inconsistency among member state laws, and the practicality of current restrictions on international transfers of data—concerns that seasoned privacy observers might find more reminiscent of US regulators. Meanwhile, the FTC and Commerce reports expand the range of privacy principles to which companies might be held accountable, the data that might raise privacy issues (even if no unique identifiers are involved), and interests that should be protected—all points traditionally associated with European regulators. The reports are, of course, not the only sign of convergence. The FTC joined with twelve European and other regulators in March 2010 to launch the Global Privacy Enforcement Network to facilitate multinational cooperation in enforcing privacy laws. In October, the FTC was officially admitted to the annual conference of data protection and privacy commissioners. Department of Commerce officials have been