Their names say it all. The White House white paper title is indicative of the US approach towards privacy: “Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy.” This search for a balanced framework between consumer protection and business development is different from the proposed EU Regulation which focuses “on the protection of individuals with regards to the processing of personal data and on the free movement of such data.” The primary objective in the EU is the protection of individuals and their personal data, defining the rights of the data subject and the obligations of the data controller and processor. President Obama’s foreword to the White House report recognizes that much of the innovation on the Internet is “enabled by novel uses of personal information.” Promoting innovation through data use is not, however, the goal of the proposed EU Regulation. In fact, the word “innovation” is mentioned only once throughout the entire Regulation in recital 66 related to technical standards to ensure the security of data processing. In the EU’s proposed Regulation, business will benefit through harmonization in the digital single market and through a reduction of red tape that, together with a technology-neutral approach, are certainly steps in the right direction. There is not, however, a forward-looking perspective towards the promotion of new business models based on the use of information, as demonstrated by its strong reliance on explicit and affirmative consent for all data processing activity.
The White House report calls for the implementation of a Consumer Privacy Bill of Rights based on Fair Information Practice Principles that will be developed in a multi stakeholder process through enforceable codes of conduct and eventually formalized through legislation. Even though those Fair Information Practice Principles are considered common ground in the approach towards privacy in the EU and the US, their interpretation and reach in each territory is different. As an example, the proposed EU Data Protection Regulation codifies the controversial right to be forgotten, while the White House Report refers more loosely to a right of access and accuracy where companies should provide consumers with reasonable access to personal data that they collect or maintain about them, as well as the appropriate means and opportunity to correct inaccurate data or request its deletion or limitation of use.
The stark contrast between a flexible, ex-post, pro-innovation, enforcement-based regime and a rigid, ex-ante, consumer-focused approach makes one wonder where the sweet spot is, in which enhanced consumer trust through data privacy meets business innovation. That sweet spot is key for companies that do business on both sides of the Atlantic and risk being subject to a race to the top where they are forced to comply with the higher standards as the common denominator. In the privacy debate the EU may be calling the shots, but we should not forget the intertwined debate on security where the US may retaliate establishing patterns that would have to be observed by companies doing business in the US market.
It is clear that there is a need of dialogue between USA and Europe. This cooperation is on its way, as shown in the High level data protection conference jointly held in Brussels and Washington last week, with the joint statement issued from this event. This is just the beginning…