The U.S. and the E.U. have very different approaches to privacy enforcement, with the U.S. focused on enforcing privacy promises that companies make and the E.U. enforcing privacy rights even when companies make no promises, said Paul Nemitz, director of fundamental rights and citizenship at the European Commission. The E.U. sees privacy as a basic right, and “our citizens expect that these rights are enforced,” he said at an E.U. conference on privacy and data protection at the U.S. Institute for Peace in Washington, D.C.
At a panel discussion about privacy enforcement, Nemitz and U.S. officials seemed to disagree whether the E.U. or U.S. takes a stronger role in privacy enforcement. Nemitz questioned an assertion by Cameron Kerry, general counsel at the U.S. Department of Commerce, that sister agency the U.S. Federal Trade Commission was a global leader in enforcing privacy protections.
The FTC is a global leader, “perhaps in PR,” Nemitz said.
Several European privacy agencies have been at least as active as the FTC, but their efforts aren’t as publicized because they don’t release information in English, Nemitz said. In addition, with 27 separate privacy protection agencies in the E.U., sometimes actions by individual countries don’t get much attention, added Jacob Kohnstamm, chairman of the E.U.’s Article 29 Working Party and the Dutch Data Protection Authority.
The FTC takes Nemitz’s comment about public relations as a “compliment,” said Maneesha Mithal, associate director at the FTC’s Division of Privacy and Identity Protection. The agency makes an effort to publicize its enforcement efforts as a deterrence to other companies, she said.
Some participants in the conference questioned whether E.U. privacy agencies are now effective against big companies such as Facebook and Google. In some cases, U.S. Internet companies appear to be breaking E.U. data protection rules with no consequences, said Austrian law student Max Schrems, a frequent critic of Facebook.
It shouldn’t be up to students to highlight bad privacy practices, Schrems said. “What does [the law] actually need to make at least the big shots compliant with the most basic principles we have in the law right now?” he said.
The E.U.’s proposed data protection rules, announced in January, should elevate the profile of E.U.’s data protection and privacy efforts and make company boards pay attention to privacy rules, Kohnstamm said. The proposed rules include fines of up to 2 percent of a company’s global revenue.
As the E.U. pushes for a single privacy law, U.S. President Barack Obama’s administration has called for privacy codes of conduct to be developed at the Department of Commerce with input from companies, privacy advocates and other groups.
Privacy protection is at a “pivotal moment” as both processes move forward and as the FTC continues to look at privacy protections, said Julie Brill, a commissioner at the FTC. While the details may differ in the U.S. and E.U. approaches, both governments are working toward a baseline set of privacy goals, including more transparency for consumers about how their data is used and more access to their data held by companies, she said.
Privacy enforcement agencies from the U.S., the E.U. and other countries are needed to provide adequate protections for consumers, Brill added.
Nemitz, and privacy advocate Jeffrey Chester, executive director of the Center for Digital Democracy, both questioned the Obama administration’s so-called multistakeholder approach of allowing companies to help write privacy codes of conduct. Even with privacy advocates in the room, Internet companies could get their way because of vastly superior resources, Chester said.
A multistakeholder approach does not “carry the legitimacy” of privacy rules made by elected legislators, Nemitz added.
