The development of online privacy protections is at a critical moment as policy makers in both the U.S. and European Union push for changes to their privacy rules, but coordination of enforcement across the Atlantic Ocean may be tricky, several privacy experts said Monday.
The U.S. and the E.U. have very different approaches to privacy enforcement, with the U.S. focused on enforcing privacy promises that companies make and the E.U. enforcing privacy rights even when companies make no promises, said Paul Nemitz, director of fundamental rights and citizenship at the European Commission. The E.U. sees privacy as a basic right, and "our citizens expect that these rights are enforced," he said at an E.U. conference on privacy and data protection at the U.S. Institute for Peace in Washington, D.C.
At a panel discussion about privacy enforcement, Nemitz and U.S. officials seemed to disagree whether the E.U. or U.S. takes a stronger role in privacy enforcement. Nemitz questioned an assertion by Cameron Kerry, general counsel at the U.S. Department of Commerce, that sister agency the U.S. Federal Trade Commission was a global leader in enforcing privacy protections.
The FTC is a global leader, "perhaps in PR," Nemitz said.
Several European privacy agencies have been at least as active as the FTC, but their efforts aren't as publicized because they don't release information in English, Nemitz said. In addition, with 27 separate privacy protection agencies in the E.U., sometimes actions by individual countries don't get much attention, added Jacob Kohnstamm, chairman of the E.U.'s Article 29 Working Party and the Dutch Data Protection Authority.
The FTC takes Nemitz's comment about public relations as a "compliment," said Maneesha Mithal, associate director at the FTC's Division of Privacy and Identity Protection. The agency makes an effort to publicize its enforcement efforts as a deterrence to other companies, she said.
Some participants in the conference questioned whether E.U. privacy agencies are now effective against big companies such as Facebook and Google. In some cases, U.S. Internet companies appear to be breaking E.U. data protection rules with no consequences, said Austrian law student Max Schrems, a frequent critic of Facebook.
It shouldn't be up to students to highlight bad privacy practices, Schrems said. "What does [the law] actually need to make at least the big shots compliant with the most basic principles we have in the law right now?" he said.
The E.U.'s proposed data protection rules, announced in January, should elevate the profile of E.U.'s data protection and privacy efforts and make company boards pay attention to privacy rules, Kohnstamm said. The proposed rules include fines of up to 2 percent of a company's global revenue.
Sign up for CIO Asia eNewsletters.