Privacy and Security TidBits

The Review of the EU Data Protection Framework v. The State of Online Consumer Privacy in the US

Yesterday, on March 16, 2011, I had a field day.

As an attorney, licensed both in the EU and in the US, with a special interest in privacy law, I was able to observe quasi-simultaneous policy making by both Brussels and Washington, D.C. on the same subject matter, from the comfort of my office in New York, thanks to the marvel of web streaming.

In Brussels, a meeting of the “European Privacy Platform” group of the European Parliament convened to hear Viviane Reding, Vice President of the European Commission, Commissioner for Justice, Fundamental Rights and Citizenship, give her insights on “The Review of the EU Data Protection Framework”, the proposed overhaul of the European Data Protection Directive 95/46/EC. Axel Voss, Rapporteur on the Communication of the Commission on the strategy for personal data protection in the European Union, shared his opinion as well. The event was chaired by MEP Sophie in ‘t Veld, and was attended by a vast array of stakeholders, among whom I recognized attorneys Monika Kuschevsky and Tanguy Van Overstraeten, Marisa Jimenez from Google and privacy consultant Dan Manolescu.

On the same day, in Washington, D.C., the U.S. Senate Committee on Commerce, Science and Transportation held a hearing on “The State of Online Consumer Privacy”, with a witness panel consisting of FTC Chairman Jon Leibowitz, Lawrence E. Strickling, Assistant Secretary for Communications and Information of the Department of Commerce, Erich D. Andersen of Microsoft, John Montgomery, COO of GroupM Interaction, Ashkan Soltani, a researcher and consultant, Barbara Lawler, the Chief Privacy Officer of Intuit, and Chris Calabrese, Legislative Counsel for the American Civil Liberties Union.

Check out the recorded stream of the EP session here, and for a complete overview of the Senate hearing witnesses’ prepared statements, look here.

In Brussels, the debate took place in the context of the revision of the comprehensive data protection directive, passed a good 16 years ago, while in Washington the hearing was held in the context of the possible introduction of a comprehensive privacy bill for the very first time.

These two sessions, held simultaneously on the two sides of the Atlantic, exposed how very different the EU’s and the US’s approaches to privacy still are.

At the basis lies a dramatically different motivation for passing privacy laws and regulations, or for adopting systems of self-regulation.

As Viviane Reding reminded the audience in her opening statement, the Charter of Fundamental Rights and the Lisbon Treaty guarantee the right to protection of personal data in the EU as a human right.

In the US, there has never been a recognition of privacy and protection of personal data as a human right. Instead, there seemed to be a consensus at the hearing that the introduction of a comprehensive privacy bill (or “Consumer Privacy Bill of Rights”) with some baseline principles was warranted because it would offer a competitive advantage to corporations by increasing consumer trust, and would improve international commerce by aligning the US with the Asia-Pacific Economic Cooperation (APEC) Privacy Framework and the EU Directive.

In the competing interests between individual rights and commerce, commerce always comes first in the US.

The difference in approach is also reflected in the language that is used: while in the EU the debate is about “individuals, people, EU citizens and data subjects”, in the US the only concern seems to be for “consumers”.

While in Washington, D.C., the stakeholders were debating how to introduce some basic online privacy protection legislation, the session in Brussels was trying to fine-tune an entrenched, but already antiquated, body of law.

In Washington, D.C., Jon Leibowitz, Chairman of the Federal Trade Commission (FTC), proposed a framework to balance consumer privacy with industry innovation by:

1) building privacy protections into everyday business practices (“privacy-by-design”);

2) simplifying privacy choices for consumers; and

3) improving transparency with clearer, shorter privacy notices.

The FTC also proposed a Do Not Track mechanism that would allow consumers to choose not to have their Internet browsing tracked by third parties. The testimony noted that two of the major browser vendors – Microsoft and Mozilla – “have recently announced the development of new choice mechanisms for online behavioral advertising that seek to provide increased transparency, greater consumer control, and improved ease of use.”

Ashkan Soltani explained the two types of Do Not Track mechanisms:

The Header Approach: The user who toggles a Do Not Track setting in the web browser has the browser send a signal, with every request, to each remote server that he or she wishes not to be tracked. But “The online industry has not yet committed to respect the header” and “Of course, in order for this mechanism to be effective, it will depend upon a clear set of rules defining what websites should do when they receive this signal.”

The Blocking Approach: the consumer has to enable a list of servers known to engage in tracking behavior, so that the browser blocks connections to those servers. The problem is that there are about 600 such domains, and the number keeps growing…
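To make the contrast between the two mechanisms concrete, here is an added illustration (it is not code from the original post, from Soltani’s testimony, or from any browser or ad network). It assumes the header is named DNT with the value 1 meaning “do not track”, as Firefox sends it; the request headers, hostnames and blocklist are constructed sample data. The first half shows that the header approach only does anything if the server chooses to act on it; the second half shows the per-connection matching a blocking browser has to do against its list.

```python
"""Two Do Not Track mechanisms side by side (added illustration, not code from
any browser, ad network, or the original post).

Assumptions: the header is "DNT" with value "1" meaning opt-out, as Firefox
sends it; the request headers, hostnames and blocklist below are constructed
sample data for the example.
"""

# ---- Header approach: the decision is made by the server, not the browser ----

def user_opted_out(headers):
    """Return True only for an explicit Do Not Track signal ("DNT: 1").

    HTTP header names are case-insensitive, so look them up case-folded.
    An absent header, "DNT: 0" (explicit consent) or any other value is
    treated as "no preference expressed", never as an opt-out.
    """
    folded = {name.lower(): value.strip() for name, value in headers.items()}
    return folded.get("dnt") == "1"


def build_response_headers(request_headers, tracking_id):
    """Response headers a tracking-pixel endpoint would send.

    The only thing that makes the header "work" is this branch: a server that
    ignores it sets the cross-site cookie regardless, which is exactly the
    gap the testimony points at when it says the industry has not committed
    to respecting the header.
    """
    response = {"Content-Type": "image/gif"}
    if not user_opted_out(request_headers):
        response["Set-Cookie"] = f"uid={tracking_id}; Path=/; Max-Age=31536000"
    return response


# ---- Blocking approach: the decision is made in the browser, per connection ----

# Constructed sample list. A real list (about 600 domains at the time of the
# hearing) has to be maintained and kept current, which is the scaling problem.
BLOCKLIST = {"tracker.example", "ads.example.net"}


def is_blocked(host, blocklist=BLOCKLIST):
    """True if host is a listed domain or a subdomain of one.

    Matching on label boundaries matters: an entry for "tracker.example"
    must block "cdn.tracker.example" but not "evil-tracker.example".
    """
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def filter_requests(hosts, blocklist=BLOCKLIST):
    """Return the third-party hosts a blocking browser would still connect to."""
    return [h for h in hosts if not is_blocked(h, blocklist)]


if __name__ == "__main__":
    # Constructed sample traffic for a run from the command line.
    opted_out = {"Host": "tracker.example", "DNT": "1", "Accept": "image/*"}
    silent = {"Host": "tracker.example", "Accept": "image/*"}
    print(build_response_headers(opted_out, "u123"))  # no Set-Cookie
    print(build_response_headers(silent, "u123"))     # Set-Cookie present
    page_resources = ["img.site.example", "cdn.tracker.example",
                      "ads.example.net", "evil-tracker.example"]
    print(filter_requests(page_resources))
```

Note the asymmetry the code makes visible: in the header approach the browser’s signal is identical for every server and the user has no way to verify what the server did with it, while in the blocking approach the outcome is enforced locally but is only as good as the list, and every new tracking domain that is not yet on it gets through.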

Lawrence E. Strickling, Assistant Secretary for Communications and Information of the Department of Commerce, urged Congress to enact new legislation setting forth baseline consumer data privacy protections—that is, a “consumer privacy bill of rights” consisting of comprehensive Fair Information Practice Principles (FIPPs), providing the FTC with the authority to enforce any baseline protections. Of course, this legislation would also contain the usual loopholes, a.k.a. safe harbors for companies that implement codes of conduct that are consistent with the baseline protections.

Christopher R. Calabrese, Legislative Counsel of the American Civil Liberties Union, made a poignant statement, refuting the many sceptics who still dispute the possibility of harm to the consumer brought on by the status quo in data mining and the lack of data protection.

“The harms caused by excessive and invasive data collection are real and pressing. They begin with straightforward invasions of privacy. Should anyone have the right to know and sell to others the fact that you are overweight, or depressed, or gay? These are all commonplace occurrences with marketers and social networking sites routinely making and selling these determinations. They have significant consequences for consumers who have no say in the collection and use of their own information.

Personal information can also reveal weaknesses that unscrupulous actors can exploit. Ninety-two year old veteran Richard Guthrie was bilked out of more than $100,000 by criminals who identified him from marketing lists. InfoUSA routinely advertised lists of:

“Elderly Opportunity Seekers,” 3.3 million older people “looking for ways to make money,” and “Suffering Seniors,” 4.7 million people with cancer or Alzheimer’s disease.

“Oldies but Goodies” contained 500,000 gamblers over 55 years old, for 8.5 cents apiece. One list said: “These people are gullible. They want to believe that their luck can change.””

He also warned of the real risk to First Amendment Rights the status quo poses:

“Courts have uniformly recognized that government requests for records of which books, films, or other expressive materials individuals have received implicate the First Amendment and trigger exacting scrutiny. These cases are grounded in the principle that the First Amendment protects not only the right of individuals to speak and to express information and ideas, but also the corollary right to receive information and ideas through books, films, and other expressive materials. Within this protected setting, privacy and anonymity are vitally important.

An individual may desire anonymity when engaging in First Amendment activities—like reading, speaking, or associating with certain groups—because of ‘fear of economic or official retaliation, . . . concern about social ostracism, or merely . . . a desire to preserve as much of one’s privacy as possible.’”

In Brussels, meanwhile, Viviane Reding introduced her “four pillars” on which people’s rights need to be built:

1) The right to be forgotten:

The right (and not the mere possibility) of data subjects to withdraw their consent to data processing, with the burden of proof shifting to the data controller to show that retention of the data is necessary.

2) More transparency:

“Individuals must be informed about which data is collected and for what purposes. They need to know how it might be used by third parties. They must know their rights and which authority to address if those rights are violated. They must be told about the risks related to the processing of their personal data so that they don’t lose control over their data or that their data is not misused. This is particularly important for young people in the online world.”

3) Privacy by Default:

Viviane Reding introduced a new concept here, not to be confused with Ann Cavoukian’s “Privacy by Design”.

Whereas under “Privacy by Design” the default settings are always set to “private”, in “Privacy by Default”, Reding explained, the privacy settings are designed to be easily found and manipulated by the user, so that “you don’t have to be an engineer to set your privacy settings.” This does not imply, however, that the default setting has to be “private”; in other words, it does not imply an opt-in requirement, as “Privacy by Design” does.

So “Privacy by Design” implies privacy settings by default, while “Privacy by Default” does not imply privacy settings by default.

Between “Privacy by Design” and “Privacy by Default”, I am by now confused by design and perplexed by default.

4) Protection regardless of location of data:

Since personal data protection of EU citizens is a human right, Reding argued it should be safeguarded no matter the location of the data, the servers, or the controllers.

The present framework is “controller centric”. The defining criterion is the location of the data “controller”: is it established within the EU/EEA, or, if not, does it make use of equipment located there? If yes, the controller is subject to the EU Data Protection framework.

Contrast this with the US model, which is “consumer centric”: the defining criterion for most US privacy laws, such as COPPA, is the targeted market. Is the company targeting children in the US market? If yes, the US law, in this case COPPA, is applicable, regardless of where the data controller is located.

Reding’s proposal of a “targeted market” model would actually emulate the US system.

Reding cited the following example: “For example, a US-based social network company that has millions of active users in Europe needs to comply with EU rules. To enforce the EU law, national privacy watchdogs shall be endowed with powers to investigate and engage in legal proceedings against non-EU data controllers whose services target EU consumers.”

This had the headlines screaming: Facebook, Google “must adhere” to EU privacy rules.

Conclusion:

In Washington, D.C., the different stakeholders seemed to finally agree on the need for more transparency for consumers, but were still unsure whether to implement it through legislation, regulation, self-regulation, or Do Not Track mechanisms, which so far have neither oversight nor enforcement of the user’s wishes. In Brussels, meanwhile, the regulators were arguing for more stringent transparency and for an additional right of the data subject: the right to be forgotten.

While the general understanding in the US is that we are moving towards a system of self-regulation, with perhaps a very basic and vague privacy bill for good measure, the EU seems to be moving towards a much more stringent application of personal data protection for its citizens.

When asked about the possibility of including self-regulation in the future framework, Viviane Reding answered: “Self-regulation is an interesting concept, but it has to be based on EU law, has to be compatible with EU law and has to be enforceable.”

As Sophie in ‘t Veld woefully noted: “We still have a lot of work to do across both sides of the Atlantic.”