Although Europe and the US have taken different regulatory approaches to consumer privacy — the EU adopted a comprehensive privacy directive in 1995 while the US has a patchwork quilt of incomplete laws with many gaps — consumers, businesses and regulators on both sides of the Atlantic are grappling with the privacy implications of many of the same changes in technology and business practices. In response, reviews of privacy are underway in both the US and Europe: The Federal Trade Commission is conducting a series of public roundtable discussions to explore the privacy challenges posed by the vast array of 21st century technology and business practices that collect and use consumer data. At the same time, the European Commission is conducting an online “Consultation on the legal framework for the fundamental right to protection of personal data.”
The EU consultation seeks input on three questions: views on the new challenges to personal data protection in the EU in light of new technology and globalization; whether the legal framework sufficiently meets these challenges; and what action, if any, would be needed to address the identified challenges.
Last week, CDT submitted comments to the European consultation, drawing on CDT's extensive expertise addressing the challenges of consumer privacy protection in the face of technological change. We focused in particular on five trends: cloud computing, behavioral advertising, deep packet inspection, location-awareness, and re-identification of anonymous data, pointing the Commission to CDT's reports and testimony on these topics. As we did in our comments to the FTC, we emphasized to the European Commission the importance of the full set of Fair Information Practices (FIPs). Also echoing our FTC comments, we explained that notice and consent alone are not sufficient to ensure privacy but that renewed focus on comprehensively applying the FIPs will significantly help to protect consumer privacy in the 21st century.
Stay tuned as the Commission begins publishing the results of the consultation. They will likely serve as the basis for a larger conversation about a possible revision of the EU Data Protection Directive in the next several years.