Globalization and technological advances pose common challenges to providing a progressive, sustainable model for protecting privacy in the global Internet environment. The situation is further complicated by tensions between different legal systems around the world, including the European Union and the United States, that can result in a loss of confidence for users and confusion for commercial entities.
The report from the 37th International Privacy Conference, Privacy Bridges: EU and US Privacy Experts in Search of Transatlantic Privacy Solutions, identifies practical ways to address gaps between current approaches to data privacy in a way that produces a higher level of protection, furthers the interests of individuals, and increases certainty for commercial enterprises. These “privacy bridges” respect the substantive and procedural differences between the jurisdictions of the EU and the US, while advancing strong privacy values in a consistent and achievable manner.
This report is based on a series of discussions held by independent privacy and data protection experts from the EU and the US. The group was convened by Jacob Kohnstamm, the chairman of the Dutch Data Protection Authority, and the sessions were co-organized by the Massachusetts Institute of Technology Cybersecurity and Internet Policy Research Initiative (IPRI) and the Institute for Information Law at the University of Amsterdam.
This summary will briefly touch on ten privacy bridges that emerged from those conversations. It is hoped that they will advance privacy protection for individuals and foster greater Transatlantic collaboration for the future.
Deepen the Article 29 Working Party/Federal Trade Commission Relationship
The Article 29 Working Party, as leading representative of the EU Data Protection Authorities, and the United States Federal Trade Commission (FTC) should commit to regular, public dialogue and policy coordination on key privacy challenges faced in the Transatlantic region. This bridge would institutionalize this working relationship through a Memorandum of Understanding, fostering closer cooperation and delivering enhanced privacy protection to individuals on both sides of the Atlantic.
This bridge calls on technology companies, privacy regulators, industry organizations, privacy scholars, civil society groups, and technical standards bodies to collaborate in developing user-friendly mechanisms for expressing individual choice and consent about how data is handled and how data protection is addressed. The technology would be developed through an open standards-setting process and combined with clear guidance from EU and US regulators.
New Approaches to Transparency
This bridge recommends that the Article 29 WP and the FTC coordinate their recommendations on privacy notices and jointly encourage an international standardization process; this would take place under the umbrella of the MOU described in Bridge 1. The goals of such a collaboration include the development of more definitive guidance on transparency and support for the conditions necessary to create and implement the user controls described in Bridge 2.
User-Complaint Mechanisms: Redress of Violations Outside a User’s Region
This bridge encourages all online services to provide contact information and calls upon the appropriate EU and US public agencies to create a directory of information about relevant jurisdictions, including details on how complaints concerning data privacy may be brought.
Government Access to Private Sector Personal Data
This bridge offers guidance to telecommunication and Internet service providers that face surveillance from domestic and/or foreign governments. It recommends that such companies establish uniform internal practices for handling such requests regardless of jurisdiction, citizenship, and data location. It also advocates the establishment of regular reporting on practices relating to government access requests and the adoption of best practices based on international standards, such as those of the Global Network Initiative.
Best Practices for De-Identification of Personal Data
This bridge calls on EU and US regulators, who already share common views about de-identification, to establish concrete, shared standards concerning de-identification practices. Common standards will improve privacy protections and enhance legal certainty for EU and US organizations that follow the recommendations.
Best Practices for Security Breach Notification
This bridge recommends that when dealing with multi-nation security breaches, the relevant authorities cooperate, both in terms of enforcement and in establishing a more harmonized breach-reporting regime. It also recommends that firms complement their reporting obligations by adopting robust information governance systems, which should result in an increase in the level of privacy protection for end users.
Both EU and US regulators have accepted the idea of organizational responsibility (or “accountability”) as a means to assure data protection and for firms to satisfy domestic legal obligations. This bridge recommends that the Article 29 WP and FTC harmonize their approaches, while emphasizing the need for the private sector to develop more effective means for external verification and scaling of accountability programs for use by small and medium enterprises.
Greater Government-to-Government Engagement
This bridge proposes that European and US agencies and decision-making bodies engage in active dialogue and effective coordination of their regulatory activity, where appropriate. Such government-to-government engagement seems especially valuable in a number of new sectors in the Transatlantic economy that pose acute privacy challenges (the use of drones, for example). The development of transparent platforms for active discussion and practical policy development will yield a variety of benefits to governments, individuals, and commercial entities.
Collaborating on Privacy Research Programs
This bridge encourages the growth of common perspectives on privacy by fostering collaborative, multidisciplinary engagement of privacy researchers on both sides of the Atlantic. It identifies barriers in bringing academics together to work on joint research projects and suggests ways to overcome those obstacles.
These ten privacy bridges provide practical steps that do not require changes to current laws. The objective is to achieve better-informed and more consistent efforts in regulatory cooperation, policy guidance, and enforcement activities. Ideally, the Privacy Bridges report will bring about improvements in privacy protection due to positive actions not only by governments and regulatory authorities, but also by the private sector, civil society, and others, all of whom may implement its recommendations.