The European Union regards the United States as being 'inadequate' when it comes to data protection. Europeans have tended to take this at face value and presume that there must be a good reason why the European Commission has come to such a radical conclusion. Americans, naturally enough, tend to take unkindly to being told they are inadequate, particularly when it implies that their democracy has failed to protect a fundamental right, like the right to privacy. So who is right?
There is relatively little probing debate about the legitimacy of the EU's view of US data protection laws. Instead, the high-level debate in the EU tends to comprise fairly generic references to the United States not having a 'culture' of privacy, the bemoaning of the lack of any US federal data protection law, and an underlying suspicion that the US Patriot Act and other US security and anti-terror legislation are being used in a manner that tramples on the privacy rights of any person whose data is processed on a US server.
For its part, the US perspective often focuses on the existence of sector-specific privacy laws in the US, the vagueness of the EU data protection principles and their practical impact on the free movement of data (and therefore on innovation and commerce). US multinationals also point to the fragmented approach to the interpretation and enforcement of the existing EU Data Protection Directive across the EU's 27 Member States.
The contrast in the views of the two sides was captured succinctly in a recent New York Times article, which featured the following quote from Cameron F. Kerry, General Counsel of the US Commerce Department:
"The sum of the parts of US privacy protection is equal to or greater than the single whole of Europe."
The next paragraph of the same article contained a quote from Peter Hustinx, the EU Data Protection Supervisor:
"Yes, we share the basic idea of privacy. But there is a huge deficit on the US side."
Upon closer examination, two of the world's biggest trading blocs are not as far apart as they sometimes seem when it comes to the regulation and protection of data.
Data security laws
Looked at objectively, US data security laws are more developed than those in the EU. While the EU relies upon a broad principle of 'adequate security' in the Data Protection Directive, the US has at least 30 acts of Congress that address the issue of information security, with more than 40 Bills and Resolutions relating to cybersecurity proposed in the recent 112th Congress. The US legislative framework is complex, as it lacks an overarching cybersecurity framework law; the law is instead enshrined in many different federal and non-federal laws addressing various aspects of cybersecurity. These extensive measures are rarely acknowledged in the EU debate about US adequacy.
In addition, the US has various Executive Branch actions, such as the George W. Bush Administration's 'Comprehensive National Cybersecurity Initiative' which was established by Presidential Directive in 2008. However, the contents of that initiative are classified, which does little to quell EU distrust.
Data breach notification laws
In the EU, mandatory data breach reporting is currently restricted to those in the communications industry under the e-Privacy Directive (2002/58/EC), although this would extend to all sectors if the proposed Data Protection Regulation is adopted.
In the US, 46 States already have laws requiring notification of security breaches involving personal information (California was the first State to do so, in 2002), while various federal statutes, regulations and memoranda also require certain sectors (healthcare, financial, the federal public sector and the Department of Veterans Affairs) to report breaches.
The United States has plenty of laws governing lawful access to data. When viewed from abroad, a lot is made of the fact that lawful access to emails older than 180 days is easier within the US, as it can occur without judicial involvement on foot of a subpoena issued by a state prosecutor. This lacuna is put down to the fact that the Electronic Communications Privacy Act was enacted in 1986, before the emergence of universal email systems. Various proposals have since been put forward to update the regime.
In the EU, the Data Retention Directive (2006/24/EC) aims to protect email and internet content, and the e-Privacy Directive also restricts the ability of communications providers to retain and access location data and traffic data. However, notwithstanding these Directives, all EU Member States have their own national regimes governing lawful access to data in the context of criminal investigations, matters of national security, etc. Notably, the proposed EU data protection reform package includes a specific proposal for a further Directive on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties.
In other words, both the US and the EU espouse internet freedom, but both regimes include wiretapping/eavesdropping/lawful access laws (usually subject to judicial oversight), which means that there is no absolute right to privacy in either jurisdiction.
A Privacy Bill of Rights
In February 2012, President Obama announced a Consumer Privacy Bill of Rights which espoused principles that will be familiar to those who follow EU data protection. For example, principles such as transparency, respect for context (akin to 'purpose limitation' in the EU), data security, rights of access and rectification, limits on data collection and accountability were put forward on the grounds that American citizens were entitled to higher standards of privacy than currently exist. However, while the Bill of Rights was welcomed by the EU Commissioner for Fundamental Rights and Citizenship, Viviane Reding, it has since been described as moving at 'a glacial pace'.
A number of questions would arise if the US were to adopt such a Bill of Rights. Would this be sufficient to overcome the EU's reservations on US adequacy? If the answer is no, then is the EU position based on a minimum requirement for a more substantive federal US privacy law? If the minimum requirement is a federal privacy law, would this serve to materially improve the protection of privacy, or would it serve only to create a baseline for a new breed of class actions across the US?
Outside of the EU, many countries, for example in Latin America, have recently adopted EU-style privacy laws, no doubt in an effort to improve trade relations with the EU. In contrast, nobody has followed the US model. This does not necessarily mean that the EU model is superior to the US model. The truth is that neither the EU nor the US privacy regime can be presented in absolute terms, and any attempt to reconcile the two is probably futile. Often referred to as a patchwork quilt, the US approach is inherently complex. It has focused predominantly on data security and on sector-specific privacy laws, with enforcement by the Federal Trade Commission.
Rather than getting buried in the detail of these laws, a lazier narrative tends to be presented within the EU, alleging, usually in absolute terms, that the US does not have 'adequate' data protection laws. However, the truth is that both trading blocs have a lot in common when it comes to privacy regulation, and both have their own inadequacies. Unfortunately, progress in bringing the sides together will continue to be hampered as long as there is a failure to understand and respect the legislative positions adopted on each side of the Atlantic Ocean.
This article first appeared in Data Protection Ireland journal Vol 6, Issue 3
This article contains a general summary of developments and is not a complete or definitive statement of the law. Specific legal advice should be obtained where appropriate.