The White House and European Union Privacy Proposals
April 26, 2012 | Author: Timothy J. Toohey
Law Firm: Snell & Wilmer L.L.P. - Los Angeles Office

    The Obama Administration and the European Union (EU) have recently submitted two major proposals that are likely to have a significant impact on the ongoing discussions regarding consumer privacy in our increasingly globalized and connected economy. On February 23, 2012, the White House announced its proposal for Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy (Framework) which suggests adoption and implementation of a “Consumer Privacy Bill of Rights” for the Internet aimed at providing “clear protections for consumers and greater certainty for companies.” Approximately one month earlier, on January 25, 2012, the European Commission — the executive body of the EU responsible for drafting and submitting legislation — proposed a comprehensive new General Data Protection Regulation (EU Regulation) that, for the first time, would have all EU member states follow mandatory and consistent rules for data protection and privacy.

    Proposed White House Privacy Framework
    The privacy framework proposed by the White House is based on the premise that the existing approach to privacy under federal law does not provide the privacy protection needed for consumer trust in a globalized and interconnected economy. Framework, p. 1. In contrast to the current approach of federal law, which regulates privacy through specific statutes governing particular business sectors such as the Health Insurance Portability and Accountability Act (HIPAA) or the Fair Credit Reporting Act (FCRA) and through general consumer protection prohibitions against unfair or deceptive trade practices enforced by the Federal Trade Commission (FTC), the White House proposes a comprehensive federal privacy policy and legislation for commercial Internet activities. As the White House states in its proposal:

    The consumer data privacy framework in the United States is, in fact, strong ... The current framework, however, lacks two elements: a clear statement of basic privacy principles that apply to the commercial world, and a sustained commitment of all stakeholders to address consumer data privacy issues as they arise from advances in technologies and business models.

    Framework, p. 1.

    To address these deficiencies and to “extend baseline protections to the sectors that existing Federal statutes do not cover,” the White House calls for establishment of a Consumer Privacy Bill of Rights either voluntarily or through federal legislation. Framework, pp. 6-7. The proposed Consumer Privacy Bill of Rights for Internet activities would “provide[] a baseline of clear protections for consumers and greater certainty for companies” and consists of “six comprehensive, globally recognized Fair Information Practice Principles:”

    • Individual Control by consumers of the data collected by companies and how those companies use such data;
    • Transparency through “easily understandable and accessible information about privacy and security practices;”
    • Respect for Context in the collection of personal data in order to ensure that companies use data in ways that are consistent with the context in which the consumer provides the data;
    • Security and responsibility in handling personal data;
    • Access and Accuracy including the right of consumers to access and correct personal data;
    • Focused Collection through reasonable limits on collection and retention by companies of personal data; and
    • Accountability to ensure that companies handling data adhere to the Consumer Privacy Bill of Rights.

    Framework, p. 1.

    According to the White House, the proposed Consumer Privacy Bill of Rights is designed to protect consumer expectations regarding the Internet while “providing companies with the certainty they need to continue to innovate.” Framework, p. 9. Consumer expectations are addressed in the proposal through the concept of control, which is the first and arguably the key element of the Consumer Privacy Bill of Rights. Although the White House’s proposal does not specify any particular mechanism for such control, such as affirmative consumer action through opt-in consent, it encourages companies dealing directly with consumers on the Internet to give consumers “choices about data sharing, collection, use and disclosure that are appropriate for the scale, scope and sensitivity of personal data in question.” The White House further states that “privacy-enhancing technologies,” such as the “Do Not Track” mechanism incorporated into browsers and websites, may be a promising means to give consumers greater control over how their information is tracked and used. Framework, pp. 12-13.

    In contrast to the proposed EU privacy regulation, discussed below, the White House’s proposed Consumer Privacy Bill of Rights does not include a right by consumers to request erasure of data that they have provided to a company and which has been disseminated, i.e., the “right to be forgotten.” Indeed, the proposal emphasizes that a consumer bears responsibility regarding his or her choices of privacy settings on the Internet and the decision to share personal data in contexts such as social networks. Framework, p. 13. Moreover, the proposal explicitly notes that companies are not required to permit withdrawal of personal data collected before implementing the Consumer Privacy Bill of Rights. Framework, p. 14.

    The primary implementation procedure for the Consumer Privacy Bill of Rights envisioned by the proposal is an open process in which businesses, after consultation with other “stakeholders,” including consumers and the FTC, voluntarily adopt a binding code of conduct incorporating the privacy principles of the bill of rights. Framework, pp. 24-25. Once a business has adopted a code of conduct incorporating the Consumer Privacy Bill of Rights, the code will be legally enforceable under Section 5 of the FTC Act (15 U.S.C. § 45) pertaining to deceptive or unfair trade practices. The FTC’s authority to enforce such codes would be similar to the power it currently has to force a company to adhere to its statements regarding its privacy principles. Framework, pp. 29-30.

    Although not explicitly acknowledging the possibility that companies may be reluctant to place upon themselves the burden of voluntarily adopting legally enforceable codes, the White House suggests, as an alternative to voluntary adoption, that Congress pass legislation incorporating the Consumer Privacy Bill of Rights. Framework, p. 35 et seq. The FTC would be given authority to enforce adherence to such legislation, which would preempt state law. Framework, pp. 36-37. The White House also calls on Congress to adopt a national standard for security breach notification in place of the “patchwork of State laws” which it claims “creates significant burdens for companies without much countervailing benefit for consumers.” Framework, p. 39.

    As a practical matter, it is unlikely that privacy and data breach legislation stands much chance of passing through Congress in this election year, even though recent surveys have shown that concerns regarding privacy are not particularly partisan. Nonetheless, the Consumer Privacy Bill of Rights proposed by the White House is an important contribution to the ongoing debate over privacy on the Internet. If legislation of the type proposed were to be enacted, the United States would, for the first time, have national privacy and data breach legislation similar to that of other countries. The FTC, which already has significant authority in enforcing sectoral privacy legislation and through its enforcement actions against unfair and deceptive trade practices, would further expand its authority in the privacy and data breach fields.

    European Data Protection Regulation
    In contrast to the White House’s proposal, which is limited to consumer transactions online and seeks adoption of a voluntary code of conduct in the first instance, the Data Protection Regulation (EU Regulation) proposed by the European Commission is detailed, comprehensive and, if passed by the European Parliament and Council, binding on all EU member states. Indeed, the proposed regulation,[1] which replaces the current EU data protection directives, would likely have a much greater effect on companies operating outside the EU than is currently the case with the existing EU laws.

    The proposed EU Regulation, which is 82 pages in length and contains 139 recitals, is a complex and multi-faceted proposal. Given the complexity of the proposed regulation and the divergent viewpoints in the EU member states, it is likely that the regulation will be modified in the coming months. Moreover, the regulation will only come into force two years after it is adopted by the European Parliament and Council. It is nonetheless important for companies to consider the salient features of the proposed law well before it is enacted and goes into effect because the proposed law will affect not only the collection and processing of data in the EU, but also the transfer of such data outside the EU. The law may also affect the internal structure of many companies’ data protection efforts.

    Scope of the Law: In contrast to the White House proposal, which affects only consumers online, the EU Regulation applies to almost all data collection and processing activities, which is consistent with the fact that data protection is a fundamental right embodied in the Charter of Fundamental Rights of the European Union. Communication, p. 2. Indeed, the proposed regulation applies to the collection and processing of data regarding data subjects in the EU by controllers and processors located in the EU as well as those outside the EU if they offer goods or services to data subjects in the EU or monitor their behavior. EU Regulation, Article 3. In addition, the regulation applies to collection of all data wholly or partly by automated means with very limited exceptions, including data related to the prevention, investigation, detection or prosecution of criminal offenses. EU Regulation, Article 2.

    Increased Consumer Control of Data: The regulation is also much more specific regarding consumer control of data than is the White House proposal. For example, processing of personal data is only lawful if certain specific conditions are met, including informed consent by the data subject. EU Regulation, Article 5. Consent generally must be opt-in, i.e., given freely and explicitly through a “clear affirmative action by the person concerned.” Communication, p. 6. A data subject may withdraw consent at any time and consent is not a legal basis for processing where there is a “significant imbalance between the position of the data subject and the controller.” EU Regulation, Article 7. The proposed regulation specifies that this is “particularly the case . . . where personal data are processed by the employer of employees’ personal data in the employment context.” Id., Recital 34.

    The Right to be Forgotten: In a provision that has already prompted much commentary and controversy, the proposed EU Regulation would give Internet users a “right to be forgotten,” i.e., a right for a data subject to have his or her personal data erased, even if the data has been made public. Once a data subject has withdrawn consent for data processing, a data controller must take “all reasonable steps, including technical measures, in relation to data for the publication of which the controller is responsible, to inform third parties which are processing such data, that a data subject requests them to erase any links to, or copy or replication of that personal data.” EU Regulation, Article 17.

    Data Transfer Protections: The proposed regulation seeks to improve current mechanisms for transferring data outside the EU by providing general principles that have to be fulfilled for transfers of data outside the EU. These mechanisms include “adequacy” decisions and the use of “appropriate safeguards,” such as binding corporate rules. EU Regulation, Articles 41-43. For example, the regulation allows companies to adopt binding corporate rules if the rules fulfill certain requirements relating to collection and processing of data, are enforceable by data subjects and are legally binding. If adopted by a company, binding corporate rules will be applicable to all of the company’s affiliates and can be relied upon by the company in each EU member state. EU Regulation, Article 43. Decisions by the European Commission under the prior directive, including adequacy mechanisms such as the U.S. Safe Harbor system and standard contractual clauses approved by data protection authorities, will continue in force. EU Regulation, Article 41(8). Although the mechanisms for transfer have been liberalized somewhat, all data must meet the more exacting conditions for collecting and processing set forth in the regulation. EU Regulation, Article 40.

    Consistent Enforcement of Data Protection Rules in the EU: A major aim of the proposed EU Regulation is consistency of data protection rules and enforcement of those rules in the 27 EU member states. The regulation thus allows companies to deal with a single data protection authority where the company’s designated “main establishment is located,” rather than with multiple data protection authorities applying inconsistent legal provisions, as is currently the case. Communication, p. 8. See also EU Regulation, Articles 51, 55-56. The practices of data protection authorities will also be harmonized. Id., Articles 52-53. Although compliance burdens will be reduced in this respect, companies with more than 250 permanent employees will be required to appoint a data protection officer and will be required to provide notice regarding data breaches “where feasible” within 24 hours. EU Regulation, Articles 31, 35-37.

    Greater Enforcement Authority to Data Protection Authorities: Under the proposed regulation, data protection authorities would be given additional powers, including authority to consider complaints and carry out investigations. Data protection authorities would also be given greater enforcement authority, including the ability to impose very significant penalties and fines on those who do not comply with the regulation. Depending upon the nature of the violation, data protection authorities are given the power to impose fines from 0.5 percent to 2 percent of a company’s annual worldwide turnover for certain negligent or intentional acts. EU Regulation, Article 79. Such fines, which could extend to tens or even hundreds of millions of dollars, depending upon the size of the company, are far beyond those imposed in the past and have the potential of significantly impacting a company’s bottom line.

    The White House and EU proposals serve as barometers of the degree to which privacy continues to play a central role in our increasingly connected global economy. Although both proposals seek to ensure economic growth and innovation, they reveal a great divide between the European approach, which applies to an enormous range of data collecting and processing activities and places emphasis on an individual’s control of data, and the approach suggested by the White House, which relates only to Internet transactions and balances control against consumer responsibility. Although both proposals face an uncertain future, companies should carefully consider the impact of the potential changes in privacy policies on their operations.


    [1] A “regulation” in the EU is a law directly applicable to all EU member states, whereas a “directive” sets forth guidelines for member states’ laws.