Nineteen renowned privacy experts from the US and the EU have developed ten practical proposals to increase the transatlantic level of protection of personal data. Most proposals can be implemented within existing different legal systems and are applicable worldwide. It concerns pragmatic bridges that benefit people, companies, governments and supervisory authorities. The experts cooperated in the Privacy Bridges project and present the bridges during the International Privacy Conference at the end of October in Amsterdam. “I took note of the end result of the Privacy Bridges project with great enthusiasm. I look forward to the discussions about the proposed bridges with the 700 conference participants next week”, states Jacob Kohnstamm, Chairman of the Dutch DPA and initiator of the Privacy Bridges project.
US and EU
The Internet is borderless, transferring enormous amounts of personal data around the world. Rules and legislations on the other hand are limited to national borders. For example the rules governing the collection and use of personal data, differ significantly between the EU and the US. These differing and sometimes even contradictory rules do make it difficult for citizens to understand their rights and get redress when they feel their rights are violated, make it complicated for companies doing business on both sides and difficult for supervisory authorities to cooperate, which is necessary in this globalized world.
“For many years attempts have been made by both the EU and the US to convince the other side that the only right way of doing things is theirs. Furthermore, both sides are re-inventing the wheel themselves. Due to this behaviour, seemingly simple solutions to increase the protection of personal data worldwide have not been thought of or launched”, says Kohnstamm. “Members of the project have put aside the differences in legislation. This has led the group to come up with realistic first steps to build practical bridges that make the lives of people, companies, governments and supervisory authorities a little easier and that will raise the level of data protection”.
Bridge: User control
One of the important bridges is to further develop a mechanism to ensure the Internet user is again in control of its personal data. “The Internet user is now a puppet on a string, without knowing who is actually pulling the strings; collecting and using his personal data. It is high time that people are put back in control”, according to Kohnstamm. Companies should be able to use the technique to design their Internet service in such a way that their service incorporates the different applicable rules in the US and the EU when collecting and using personal data. Furthermore, Internet users have to be able to indicate their preferences in a simple, persistent manner. To build this bridge, use can be made of the existing building blocks developed in the framework of earlier initiatives, including the W3C Tracking Protection Working Group.
Bridge: Standardization data breach notification procedure
Data breaches are not confined to national borders, their impact is worldwide. Therefore the answer to a data breach should take this into account. At the moment there are dozens of different laws on the obligation to notify a data breach, with large varieties with regard to the definition of a data breach and the time period within which to notify. The proposal is to come to a standardization of the notification procedure, without changing the laws; one form that companies can use to notify a data breach to all relevant supervisory authorities and where applicable the people concerned. Kohnstamm: “This would mean a significant reduction in red tape”.
Bridge: government-to-government engagement
Policy makers in the US and the EU often deal with the same issues and cases. They do however not coordinate, but act in parallel to each other. It would be more efficient and effective if there would be a more structural exchange of information, sharing experiences and cooperating more often on common societal challenges. It starts with knowing whom to call on the other side and to engage into a dialogue. “It is amazing actually that this is not yet happening regularly and certainly not structurally” says Kohnstamm. “It is time for the US administration and the European Commission to take joint action on this”.
Privacy Bridges project
The Privacy Bridges project was led by the Institute for Information Rights (IViR) of the University of Amsterdam and the Massachusetts Institute of Technology (MIT ). The project was coordinated by Danny Weitzner, the White House’s deputy chief technology officer for Internet policy in the first Obama administration and by Nico van Eijk, professor in Information Law at the Institute for Information Law (University of Amsterdam), one of the leading privacy-research groups in Europe.
The full Privacy Bridges report is now available.
Visit the website of the 37th International Privacy Conference for more information.