US 'Essentially Equivalent' to or Better Than EU in Privacy, Data Protection, Brill Says
The U.S. has privacy and data protections that are on par with and, in some cases, exceed what's offered in the European Union, FTC Commissioner Julie Brill said, providing a litany of examples during a safe harbor discussion hosted by the Progressive Policy Institute and the Lisbon Council Wednesday. "These protections are strong and I think that they do show that we are essentially equivalent," she said. The issue goes to the heart of the October European Court of Justice ruling, which invalidated the 15-year-old safe harbor framework. The European Commission hadn't ensured that EU citizen data is adequately protected when transferred to the U.S., said the high court, adding that the EC needs to make sure U.S. protections are essentially equivalent.
Sign up for a free preview to unlock the rest of this article
Communications Daily is required reading for senior executives at top telecom corporations, law firms, lobbying organizations, associations and government agencies (including the FCC). Join them today!
"We have constitutional protections under the Fourth Amendment for inappropriate access by government," Brill said. "We have a Wiretap Act. We have the Electronic Communications Protection [sic] Act. We have the [Foreign Intelligence Surveillance Act] law and the FISA Court that oversees access by the intelligence community. We have the Privacy and Civil Liberties Oversight Board, which also is an independent agency that examines some of the ways in which this information is accessed." In addition, the USA Freedom Act enacted last year ensures more appropriate and rigorous oversight of such activity and President Barack Obama can also use Presidential Policy Directive 28 to implement additional protections, she said.
She said the U.S. system to protect consumer data is "second to none" and the FTC is a strong enforcer of such laws. But she also said the U.S. has one "important mechanism" that Europe lacks -- the Fair Credit Reporting Act. She said FCRA provides adverse action notices -- or "just-in-time notices" -- to consumers when information is used in a way that harms them, such as higher interest rates on loans, more expensive insurance, or denial of job or promotion. The notices, she said, "give consumers the just-in-time perfect teaching moment for them to say, ‘Oh, I better go look and see what’s in my report.’" She said entities using this consumer information in an inappropriate manner could be on the hook for violations. “So who’s equivalent to whom? Who has more protection than whom? I think we really need to have an honest conversation of all that exists in the United States. Where we do act, we are highly protective," Brill added.
But Brill said the U.S. and EU do need a stronger data protection mechanism and the FTC is committed to investigating any complaints sent by individual data protection authorities (DPAs). Since 2000, she said, DPAs have sent four such referrals, and the FTC has been proactive in investigating safe harbor violations, bringing 39 such cases. She said states also offer many protections that must be recognized. While she said both U.S. and EU officials are spending a lot of energy to develop a new safe harbor framework, they also need to look at the bigger picture of data transfers and transparency such as the growing prevalence of big data analytics and IoT devices, which collect a huge amount of sensitive data but are also vulnerable to hacking.
“We are approaching what we hope is the last mile of this negotiation with a constructive spirit,” said another panelist, Bruno Gencarelli, head of the EC's data protection unit. He said a revised safe harbor arrangement is "feasible" and negotiators are working with a "sense of urgency" to provide "pragmatic" proposals that can withstand a court challenge. But he repeated that the EU is making sure that certain elements are included. They include a redress mechanism for EU citizens if they believe their data are being inappropriately used by U.S. government agencies, stronger and clearer assurances for limited access by U.S. national security agencies, and continuous monitoring "that covers all aspects of the functioning of the arrangement including increased transparency" regarding data access by U.S. authorities. He acknowledged the U.S. legal landscape for privacy and data protections has changed over the past two years.
Progressive Policy Institute President Will Marshall said trans-Atlantic data flows aren't "well measured phenomena" and they are important to growing both the U.S. and European economies. He said new research has found that the mobile app economy has produced 1.6 million jobs in the EU, Switzerland and Norway -- similar to what's been generated in the U.S. -- in less than a decade, a figure he called "remarkable." He said it's all stemmed from the open flow of cross-border data.