US policymakers fret over EU data protection law becoming a global blueprint

16 September 2011. By Magnus Franklin

Brussels – Members of the US Congress yesterday agonised over the perceived threat of EU data protection law curbing the innovative capacity of US hi-tech firms, while wondering whether the US needs to create a baseline data policy in order to be taken seriously.

At a hearing of the US Congress Subcommittee on Commerce, Manufacturing and Trade* yesterday, it quickly became clear that key policymakers did not look kindly on EU data protection rules, but acknowledged that US business was at risk unless they brought forward legislation to avoid being 'blacklisted' as a trade partner for countries with a stronger culture of privacy.

The policy camps were clearly divided, between those who perceived a risk to US business if the country did not step up its privacy framework, and those who argued that any 'import' of stricter data rules would harm innovation driving the US economy.

"The EU believes privacy is a fundamental human right," Texas Republican Pete Olson told the chamber. "By contrast, the US approach of a sector-by-sector combination of legislation and industry self-regulation means that we favour a more balanced approach. With millions of Americans out of work, the last thing we need to do is to look to the EU for guidance on data protection. Just look at how the EU's over-burdensome regulation has damaged the EU economy. We want to avoid similar pitfalls at home," he added.

- Safe harbour -

Nicole Lamb-Hale, assistant secretary at the International Trade Administration – the US agency overseeing the 'safe-harbour' agreement between the US and EU, under which companies can self-certify their compliance with certain data protection practices and avoid having to deal with individual data protection authorities in the EU – was the first to give evidence.

However, safe-harbour certification is not available to sectors subject to specific regulation, such as telecoms, finance and insurance.

"While safe-harbour is good, it is not a perfect solution. Financial services, telecoms and insurance are not covered because regulators are not part of the negotiations," Lamb-Hale said.

"Certain key US players, including online advertisers, credit-card providers and social networks operate in sectors without statutory obligations," Lamb-Hale pointed out. "Because of this, the Obama administration is advocating stronger consumer protection rules."

Lamb-Hale went on to say that "what we need to do is to look at the EU example, and work to develop a baseline privacy policy that provides principles but is flexible, and doesn't supersede or over-ride the existing sector-by-sector framework."

She asserted that the US has a good set of values in terms of privacy, but that "to discover those principles, you have to parse through legislation sector by sector to get a sense of the privacy regime in the US."

"As a result, as we enter into negotiations with trading partners it would be helpful if we had a baseline of principles [...] I think it would be important if we have privacy principles in one place, as the EU does, quite frankly," she continued.

- EU blueprint -

Texas Congressman Olson questioned whether the growth experienced by online advertising in the US "could be achieved if the US operated under an EU-type privacy regime."

He also queried whether the safe-harbour regime is not "supposed to help US companies, and not let the European Parliament write our laws for us," with reference to the first FTC investigation into a company – Google – over alleged failure to comply with safe-harbour provisions.

California Republican and chair of the hearing Mary Bono Mack said that "Studies show that the EU approach stifles the internet economy. Why move to a regulatory approach that has been proven to hold back the internet sector?"

North Carolina Democrat George Butterfield, meanwhile, raised the question of whether an enhanced US privacy framework would reduce compliance costs in international markets. "Would we see a benefit abroad if we enact [stricter rules]?" he asked.

Butterfield went on to suggest that there are "fears that some Asian countries are looking to the EU as they draft their first privacy laws. Would having a US law in place change the dynamics?"

Peter Swire, an Ohio State University professor and adviser to former president Clinton who helped design the safe-harbour framework, added that "Mexico and Latin America are adopting privacy laws, and are now copying the EU approach. If we had a baseline approach, it would be easier to copy the US approach, or at least have US-style principles adopted. Otherwise, a bad [EU] model would be accepted more generally."

"When we have information services and cloud computing as US areas of leadership, we can't ignore the rest of the world," Swire added. "The risk is that we do so little that the rest of the world says it is not enough."

Butterfield also added to the record a letter addressed to the committee from the Trans-Atlantic Consumer Dialogue (TACD).

Among other things, the letter stated that TACD was "somewhat surprised by what appears to be an effort to call into question the purpose and 'burden' of the EU Data Directive."

"We expected a hearing that would focus on the lessons that Congress might draw from the EU experience with data protection," the letter continued, adding that "we see spiralling levels of identity theft and security breaches. The US generates more spam (unsolicited commercial email) than any other country in the world, and spends more money monitoring its own citizens than any other country in the world."

- Behavioural advertising -

However, quite apart from the political sensitivities surrounding the data protection debate, Stuart Pratt, a witness from the Consumer Data Industry Association, which represents the credit-reporting industry, pointed to a more practical problem that may result from a stronger data protection framework in the US.

"Bringing an EU-style law would lead to a significant increase in private litigation," Pratt said.

"What the EU doesn't face, but that we have as a tradition, [are] private enforcement laws and a tort system with class action. This doesn't exist in the EU, which is a radical difference."

Pratt also rejected the idea that the US should have an EU-style data protection supervisory authority, suggesting that a regulator would "abrogate the congressional authority to legislate."

Online behavioural advertising also came up as a key debating point. On one hand were policymakers, spurred on by evidence from academics such as Catherine Tucker of the Massachusetts Institute of Technology, who questioned why consumers should be served untargeted adverts rather than tailored ads that would be of greater interest to them.

"When we look at it – Google, Twitter and Groupon – the innovation didn't come from the EU or Latin America. If we adopt the EU model that everything has to be opt-in, the innovation from online behavioural advertising would be lost," Florida Republican Cliff Stearns said.

He added that "some online behavioural advertising works to the benefit of the consumer - Groupon gives discounts [on] things you had not thought of, but is in your behavioural interest."

Swire answered that "if we think of advertising that is targeted, it could be done better if they saw every email, every text message and every moment-by-moment location." However, he added that this "creates some risk," particularly if that data is lost or leaked.

"We want privacy and good business, not to maximise what people can see [about us]," he added.