The development of online privacy protections is at a critical moment as policy makers in both the US and European Union push for changes to their privacy rules, but coordination of enforcement across the Atlantic Ocean may be tricky, several privacy experts claimed.
America and Europe have very different approaches to privacy enforcement, with the US focused on enforcing privacy promises that companies make and the EU enforcing privacy rights even when companies make no promises, said Paul Nemitz, director of fundamental rights and citizenship at the European Commission.
Europe sees privacy as a basic right, and "our citizens expect that these rights are enforced," he said at a conference on privacy and data protection at the Institute for Peace in Washington, DC.
At a panel discussion about privacy enforcement, Nemitz and US officials seemed to disagree on which government takes a stronger role in privacy enforcement. Nemitz questioned an assertion by Cameron Kerry, general counsel at the US Department of Commerce, that sister agency the Federal Trade Commission was a global leader in enforcing privacy protections.
The FTC is a global leader, "perhaps in PR," Nemitz said.
Several European privacy agencies have been at least as active as the FTC, but their efforts aren't as publicised because they don't release information in English, Nemitz said. In addition, with 27 separate privacy protection agencies in the EU, sometimes actions by individual countries don't get much attention, added Jacob Kohnstamm, chairman of the Article 29 Working Party and the Dutch Data Protection Authority.
The FTC takes Nemitz's comment about public relations as a "compliment," said Maneesha Mithal, associate director at the FTC's Division of Privacy and Identity Protection. The agency makes an effort to publicise its enforcement efforts as a deterrence to other companies, she said.
Some participants in the conference questioned whether European privacy agencies are now effective against big companies such as Facebook and Google. In some cases, Internet companies appear to be breaking EU data protection rules with no consequences, said Austrian law student Max Schrems, a frequent critic of Facebook.
It shouldn't be up to students to highlight bad privacy practices, Schrems said. "What does [the law] actually need to make at least the big shots compliant with the most basic principles we have in the law right now?" he said.
The proposed data protection rules, announced in January, should elevate the profile of EU's data protection and privacy efforts and make company boards pay attention to privacy rules, Kohnstamm said. The proposed rules include fines of up to 2 percent of a company's global revenue.
As the EU pushes for a single privacy law, US President Barack Obama's administration has called for privacy codes of conduct to be developed at the Department of Commerce with input from companies, privacy advocates and other groups.
Privacy protection is at a "pivotal moment" as both processes move forward and as the FTC continues to look at privacy protections, said Julie Brill, a commissioner at the FTC. While the details may differ in their approaches, both governments are working toward a baseline set of privacy goals, including more transparency for consumers about how their data is used and more access to their data held by companies, she said.
Privacy enforcement agencies from the US, the EU and other countries are needed to provide adequate protections for consumers, Brill added.
Nemitz, and privacy advocate Jeffrey Chester, executive director of the Center for Digital Democracy, both questioned the Obama administration's so-called multi-stakeholder approach of allowing companies to help write privacy codes of conduct. Even with privacy advocates in the room, Internet companies could get their way because of vastly superior resources, Chester said.
A multistakeholder approach does not "carry the legitimacy" of privacy rules made by elected legislators, Nemitz added.