Privacy and Security TidBits

EU – US Privacy and Protection of Personal Data: Americans Are from Mars, Europeans Are from Venus

The High Level EU Conference on Privacy and Protection of Personal Data, held on March 19, was organized by the European Commission and hosted by the US Institute of Peace in Washinton D.C. The conference was held simultaneously in Brussels as well, via a video conference link.

This conference was meant to deepen transatlantic dialogue on commercial data privacy issues in order  to achieve further interoperability between the two systems at a time, when both the EU and the US have taken significant steps towards new data potection legislation.

On January 25, the European Commission had published a draft proposal for a new Data Protection Regulation , and on February 23, the White House had released its privacy blueprint, including the Consumer Privacy Bill of Rights.

On the occasion of this conference,  Commerce Secretary John Bryson and European Union Commissioner Viviane Reding announced in a joint statement a new commitment to collaborate on privacy issues and laws.

While most all panelists on the EU side insisted on the necessity of a binding set of laws, accompanied by individual rights of action in order to get significant privacy compliance from data controllers, most panelists on the U.S. side affirmed that voluntary codes of conduct, combined with enforcement by the FTC would achieve the same result, while allowing for more flexibility in adapting to the constantly changing technological landscape.

Even though the panelists went through great efforts to stress the common values and goals of the EU and U.S. policy makers, there is no denying that the European and American “privacy DNAs”remain vastly different. One major difference is the fact that, even in the commercial realm, privacy and data protection is a human and constitutional right in the EU, while in the U.S. it is at best considered a consumer right, if a right at all.

Did the conference achieve its goal of bringing the two sides a little bit closer together?

In order to enable those who could not attend the conference, either live or through video transmission, to judge for themselves, I wrote a “play” in three acts, based on the actual discussions that took place during three panels.


Americans Are from Mars, Europeans Are from Venus

Act 1: A Law or not a Law?

 Francoise Le Bail (EC): I realize I am in the Lion’s Den (giggle), but I shall be brave. It is critical to have a privacy LAW, so that people will TRUST the internet!

 Daniel Weitzner (White House): We will call on Congress to legislate in order to provide people with the necessary TRUST in the new information economy. But, meanwhile, we hope that the stakeholders will create their own little codes of conduct.

 David Vladeck (FTC): We all agree! Yay! By the way, did you know that in the U.S. Voluntary Codes of Conduct are just like Laws? We are so good, we even obey the law, when there is no law! And they are so flexible, to boot!

 Douwe Korff(EDRi): Waddya all talking about?? Did you know that in the EU, privacy is a human right? You need a CONSTITUTION to guarantee a human right! Voluntary codes of conduct, humph.

Mark Rothenberg (EPIC): I see a window of opportunity. I see legislation on the horizon.

Vivian Reding (EC): One-Stop-Shop!

John Bryson (White House): This will be a landmark year for data protection!

Ed Markey (D-MA): The Europeans are coming! I love them. We must legislate, especially my own very excellent proposal. Do it for the children, folks! It’s immoral not to.


Act 2: The Interoperability Dream

Lawrence Strickling (DoC): Yes, we can!

Jennifer Stoddart (Privacy Commissioner Canada): If the Europeans can do it with the Canadians, they can do it wit the Americans too!

Peter Hustinx (EDPS): Now wait, little children: first eat your voluntary codes, and make them binding, and then we shall see. I might have a surprise for you!

Daniel Pradelles (HP): Self Regulation Rocks! Plus, we at HP are the only ones to have BCRs approved by all DPAs of all the EU Member States.

Claus-Dieter Ulmer: (Deutsche Telekom): Will you make up your minds already?  The faster and the easier the solution, the better for us. Either way, we need to know.

Marie-Helene Boulanger (EC): First, second, third and finally, fourth. And if you Americans will get off your and legislate already, well then, we might just become interoperable with you guys.

Axel Voss ((MEP): What we really need is global data traffic regulation.

Joe Alhadeff (Oracle): HOW on earth are you going to do all this?


Act 3: Let Me Count the Ways I Enforce Thee

Julie Brill (FTC): We at the FTC protect the Global Community with our fierce enforcement actions!

Cameron Kerry (DoC): The FTC is the Global Leader in enforcing privacy protection!

Paul Nemitz (EC): Global Leader?? Global Leader in P.R., ha!

Maneesha Mithal (FTC): Paul Nemitz, we make sure to publicize our daring dawn raids, so the bad guys will tremble in their board rooms, ha!

Jacob Kohnstamm (Dutch DPA) (with an inexplicable tired look on his face): We need to enforce to get compliance. And FYI, opt-out in OBA is NOT adequate. You give me explicit consent, I give you adequate, capice?

Kostas Rossoglou (BEUC): I wish we had class actions for data protection law suits.

Jeff Chester (CDD): The FTC enforces, and Google and Facebook are expanding their data collection like never before. Please listen to me, the entire world is analyzing the entire world!

Law Student Max Schrems (Europe v. Facebook) (fresh faced): I took Facebook to task, so why can’t you, old geezers?

Maneesh Mithal and Jacob Kohnstamm (in unison): if I were a rich man, lala lala lala la, all day long I’do nothing but enforce, la la la la la!


PANEL 3, moderated by Cedric Laurant, or where can be heard what really was said :



Safe Harbor, discussed during the fourth panel, will be the subject of a seperate post.