Europe Revisiting Privacy Laws is Opportunity, Not Catastrophe
Last week, the European Commission issued an important report discussing how the European Union plans to update its Data Protection Directive. The Directive, now 15 years old, provides the kind of cross-industry, baseline privacy protections that don’t exist in the United States, but it has been long criticized as being inconsistently applied and erratically enforced. As a result, European companies have been limited in their ability to take advantage of services such as distributed cloud computing that allow international processors to more cheaply and efficiently store data. This report by the EC represents a renewed effort to make the Directive work.
The reaction from American Press to this report has focused almost entirely on one narrow provision calling for clarification of a “right to be forgotten.” Most predicted that Europe was moving to still stricter and more business-unfriendly rules. Some have even suggested that this “radical” idea would “cripple the European information economy while hamstringing international data flows.”
I think this reaction to the report is by and large off-base. For one thing, lost in the familiar cries about oppressive regulation coming from Europe are many more interesting parts of the report, which recognize the failings of the traditional European model and put forward ideas for practical and flexible solutions for a more workable approach.
Fundamentally, the report admits that the European approach of vague top-down principles with little practical guidance has failed to protect consumers, and has placed unnecessary constraints on businesses that collect and process personal data. The report notes that the Directive as currently deployed unduly restricts data flows not just within Europe, but worldwide. — in fact, it specifically calls out processes such as the Binding Corporate Rules process for moving European data to regimes such as the U.S. as needing to be “improved and streamlined.” In general, the report emphasizes that there is a “general need to improve the current mechanisms allowing for international transfers of personal data” (emphasis in original).
The paper also calls for new and innovative approaches to privacy law, such as government-approved self-regulatory programs similar to those proposed in the legislation introduced here in the United States by Representative Bobby Rush (which CDT strongly supports). This approach recognizes that poor enforcement and varying interpretation of EU norms by 27 member states has provided little guidance to even the most well-meaning companies, and that industry initiatives (with government approval and oversight) could help standardize privacy practices and give regulators and business the ability to more quickly and efficiently adapt privacy norms to evolving technology and business models.
The emphasis by critics on the “right to be forgotten” is peculiar. The concept of data minimization — including deleting data no longer necessary to achieve a consumer purpose — has been a bedrock concept of Fair Information Practice principles (the “FIPs”) for years. (It was included in the most recent iteration of the FIPs by the Department of Homeland Security in 2008.) Certainly, taken to illogical extremes, a “right to be forgotten” could run counter to free speech norms and be counterproductive for consumers. But as enunciated in the EC report, the idea makes a lot of sense: Data should be deleted once it no longer serves a legitimate business purpose, and if consumers consent to store data about themselves remotely, the service provider should delete that data after the consumer has decided to move it elsewhere. The example provided in the FAQ accompanying the report merely says that consumers who wish to delete the profiles they created on a social networking site should be able to do so. This seems like a reasonable policy, not a prescription for disaster.
Over the next couple of years, we are going to have an unprecedented opportunity to rework flawed privacy protection frameworks both in the United States and in the European Union. Both houses of Congress are working on consumer privacy legislation that has long been lacking in this country. Europe is trying to adapt its law to address both the modern realities of consumer-benefiting cross-jurisdictional data flows and dramatically advanced technologies for consumer tracking and targeting. Companies and consumer advocates need to take advantage of this moment to improve both the American and European approaches, or risk another fifteen years of disparate and ineffective international rules.