In Pursuit of Adequacy: Data Privacy Protection in the US-EU FTA

by Justin Streight

In US-EU Free Trade negotiations, making business regulations compatible, harmonized and simple will be the lead. Not that they don’t have tariffs to argue about, but there are so many regulatory non-tariff barriers in place, tariffs have been eclipsed. However, when it comes to the data-centered firms of the internet economy, harmonization is far from the goal. When it comes to important matters of data privacy laws, the two economies seem too invested in their own legal structures. Instead, some US groups are hoping the FTA can be a means to convince European policymakers to allow data to be freely transferred from between Europe and America. What would be the effects of moving data privacy regulations into bilateral trade negotiation? And more importantly, would those negotiations advance or undermine consumer protection in data privacy?

EU Data Protection Directive vs. US Regulatory Pastiche

In the European Union, a law known as the data protection directive (Directive 95/46/EC) protects consumer data privacy across all 27 member-states. Article 25.1 of that directive prohibits the transfer of data originating in the EU to a country without “adequate” data privacy laws (DIRECTIVE 95/46/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 24 October 1995). The US is one of those countries the EU deems inadequate, but what does adequate mean? For the EU, it means a comprehensive law that protects all personal data based on the 7 Information Privacy Principals (IPP) laid out by the OECD in 1980: notice, choice, transfer, access, security, data integrity and enforcement. (Rubik, F., & Scholl, G. (2002). Integrated Product Policy (IPP) in Europe—a development model and some impressions. Journal of Cleaner Production, 10(5), 507-515.)

The problem with the US law is not that it does not cover one of these areas; it is that there is no comprehensive data privacy protection law at all. Instead US data privacy protection is a patchwork of various laws protecting specific data privacy issues, such the 1970 Fair Credit Reporting Act that regulates consumer credit reports or the 1988 Video Privacy Protection Act that prevents video rental stores from blabbing about consumer porn rental histories (Norman, F. (1999, Jan 9). Example: US versus EU internet privacy policy ). There are, as one might guess, a lot of holes in the laws where there is little or no private data protection. These holes are supposed to be covered by self-regulation where the Federal Trade Commission (FTC) and other government agencies call upon industry to create their own standards and live by them. In effect, the laws protect data privacy sometimes, in some ways, when it is enough of a crisis.

Aspirational Vision vs. Adequate Protection

Since 1998, when the EU data protection directive was fully implemented, the US government has been trying to convince the EU that its hodgepodge system meets the EU’s lofty ideal of adequate. After all, the US is the home of the original data protection legislation, the 4th amendment of the US constitution. The FTC regularly cracks down on firms that do violate privacy laws, in the areas where laws exist. And when it comes to self-regulation the FTC has put together a report on best practices that uses rigid, authoritarian language like, “Companies should promote consumer privacy.” (Federal Trade Commission. (2012). Protecting consumer privacy in an era of rapid change: Recommendations for businesses and policymakers.) Because of powerful arguing points like these, there have been some successes in negotiating for adequacy. US firms that take extra efforts to be certified may transfer data from the EU under the “Safe Harbor Agreement.” (Export.gov, (2012). US-EU safe harbor overview) This agreement is how Google has penetrated the European market and has given European privacy law enforcement officials endless headaches.

Nonetheless, US efforts to sell its regulatory system have been hindered by one important factor: the enormous amount of privacy violation horror stories that have become a regular part of American life.

For example, 60 million personal health records belonging to around 10 million Americans were illegally seized according to a lawsuit filed by John Doe Company last month. Medical records do have privacy protection under US law. (Brewin, B. (2013, May 15). Lawsuit Says IRS Illegally Seized 60 million Health Records. Nextgov
) The theft of these records should be an issue of security compliance, if John Doe made sufficient efforts to protect that information, but it is not, because of who took the records: the IRS. The case puts the spotlight on the biggest violator of data privacy: the US government. The Patriot Act already allows government officials to take data from companies for the purposes of national security without a warrant. How can European internet users feel their privacy is respected if it flows freely into America?

And what about the little things? It has become internet common sense to delete cookies when buying a plane ticket, because ticket selling sites will charge a higher price based on browsing history. Self-censorship is a good idea whenever writing an email in Google mail. If a brand name ever appears in an email, Google will customize ads for that product that will then become a peripheral part of the inbox for months. Entering an email address or phone number into internet registration contains the threat of endless spam, since that information might be sold off. In the European system, consumers have the right to know when websites are collecting their information, what they are using if for, and how to opt out (Reidenberg, J. (2013, Mar 8). Should the u.s. adopt european-style data-privacy protections? Wall Street Journal
). To innovators in the fields of eerily accurate targeted advertizing and internet-based price discrimination, consumer privacy rights are like molasses on a race track.

Now there is the potential for America to bypass the unfruitful practice of arguing for adequacy based on merit. US trade negotiators, by complaining that adequacy is a barrier to trade, can put data-flow regulations on the FTA negotiating table. The negotiators can attempt to persuade the EU to change its requirements to allow data-flows into the US in exchange for the removal of some choice US trade barriers in other areas. If the offer is good enough, or if the privacy issue looks like it can destroy the entire agreement, European lawmakers might feel pressured enough to give America a free pass.

According to news from America, that might be possibility. With regards to issues to be discussed, former trade representative Ron Kirk said the U.S. “certainly would include the issue of cross-border data flows.” ((2013, 02) NAM Warns Against EU Labor Standards, Data Privacy In U.S.-EU Deal . Inside US Trade . Inside US Trade ) Industry groups like the National Association of Manufacturers, Digital Trade Coalition, and the Information Technology Industry Council have all made public comments asserting that the US Trade Representative should discuss cross border data-flows ((2013, 03). NAM Warns Against EU Labor Standards, Data Privacy In U.S.-EU Deal . Inside US Trade ). As the Digital Trade Coalition stated,

“TTIP could be a vehicle for the US Administration to make the case to the EU that the US privacy regime is “adequate” relative to the rest of the world.” ((2013, 05). Comments of an Informal Coalition of Tech and Internet Companies in Support of Digital Trade and Privacy (“Digital Trade Coalition”). Retrieved 05, 2013)

Making the negotiations even more complicated, the European Union is considering legislation to update the data protection directive. The legislation might even include controversial items like “the right to be forgotten” the right of any individual to demand a company removes all personal information from their records. (O’Brien, K. (2013, Jan 25). Silicon valley companies lobbying against europe’s privacy proposals. NY Times.) This right would severely impede practices like selling personal data to marketing companies and detecting fraud. More than that, it would make the American system even less adequate by comparison. Peter Allgeier, president of the U.S. Coalition of Service Industries, has argued that privacy provisions like the right to be forgotten are the reason cross-border data flows need to be discussed in FTA negotiations. When talking about the right to be forgotten Mr. Allgeier stated,

“This [proposal] was prompted primarily by concerns they had with various social media, but then they apply that to other businesses. It’s really unworkable.” ((2013, 04). U.S., EU Services Firms Take Different Approaches On Privacy In Trade Deal. Inside US Trade )
Countries and Computer Privacy Legislation (Source: TRPC Pte Ltd)
Canada: Comp. Privacy Protection, EU approved
Australia: Comp. Privacy Protection, EU approved
New Zealand: Comp. Privacy Protection, EU approved
Singapore: Comp. Privacy Protection
Chile: Comp. Privacy Protection
Mexico: Comp. Privacy Protection
Peru: Comp. Privacy Protection
Malaysia: Comp. Privacy Protection
Brunei: No law, but committed to reform
Vietnam: Patchwork system
US: Patchwork system
Measuring Up: The way forward

With data privacy becoming a regular part of transatlantic trade news, months might be spent trying to convince Europe the broken US system is adequate. But there is another route. The US could actually become adequate. Civil society groups, who are currently worried that the FTA will undermine privacy protections, can submit their comments to the US Trade Representative. The FTA can be an opportunity to give legislators an incentive to create comprehensive data privacy protection laws that will meet EU standards and satisfy the complaints of millions of Americans.

The idea of flipping the debate from national security and business interests to personal rights is difficult to imagine. But there are signs that forces in the US government want to change. A recent FTC report on data privacy outlines best practices that companies should use. In it the FTC states, “The Commission calls on Congress to develop baseline privacy legislation that is technologically neutral and sufficiently flexible to allow companies to continue to innovate.” (Federal Trade Commission. (2012). Protecting consumer privacy in an era of rapid change: Recommendations for businesses and policymakers.) Will bureaucratic willingness be enough to overcome special interests and legislative gridlock? Of course not. The responsibility falls to civil society groups dedicated to the idea that people have a right to protect their information to realize that having data on the negotiating table can be an opportunity, not a threat.

Appendum on the TPP:

In the Pacific, the TPP is far less likely to bring about data privacy reform. At first glance, the TPP multilateral negotiations have the same potential to reform data privacy laws as the EU-US FTA. There is a similar ideological divide between TPP states over data privacy (see table) and enormous popular support from businesses and citizens to see their data protected, especially after the PRISM scandal. But there are important differences in TPP that make data privacy reform especially difficult.

In the US-EU FTA the US is on the offensive, it is trying to create a regulatory change rather than change itself. The EU wants the subject off the table, because it already has protection against US surveillance. TPP countries are not protected from US surveillance and would have to convince the US to change its laws if they want privacy protection. The US government is currently unable to provide data privacy protection or even stop infringing on the privacy rights of people around the world. The US congress recently attempted to defund excessive surveillance programs in the 2014 Defense Department appropriations bill. The amendment had popular support; however, the bill was defeated by a bipartisan majority. (Alexis, A. (2013, July 29). House rejects proposal to defund sweeping u.s. government surveillance.)

So what about leverage? The pro-privacy TPP countries can force the inclusion into the TPP agreement because of their economic weight. Although both sides have considerable leverage in the EU-US FTA, the TPP is a different story. The US already has FTAs with all of the TPP countries except Vietnam, Malaysia and Brunei. Leaving very few trade barriers the US wants to see eliminated. If the TPP becomes too intrusive to sovereignty, it is easy to walk away and continue to enjoy the largely free trade environment already present in the region.

In conclusion, there may be growing pressure to make data privacy a more important issue in the TPP negotiations, but it is not the right medium. If countries want to create true data privacy protection, domestic laws that prohibit transferring data to “inadequate” countries, similar to the EU laws, might be the only way. Such laws would surely infringe upon trade agreements already established, such as the FTAs with the US. But data privacy is undoubtedly a national security issue, and national security always trumps trade. PRISM can be a catalyst for domestic change and then, through trade, domestic change can create international change. The popular mantra “act locally, think globally” can now apply to data protection.

zp8497586rq
Tagged with: , , , , ,
Posted in Uncategorized

News & Events