EU and US eye privacy in parallel

The idea that the EU takes a harder line on privacy and data protection than its US cousins is a myth, says Mary Ellen Callahan, partner, Jenner & Block

Mary Ellen Callahan

For almost two decades, a myth has been circulating that the European Union’s approach to privacy and data protection is “stricter” than the sectorial approach the US employs. In my experience, both as a privacy lawyer and as chief privacy officer for the Department of Homeland Security, the two regions’ approaches have more in common than the myth would suggest.

Both approaches to privacy are grounded in the concept of fair information practice principles (FIPPs). First proposed by a US privacy commission in the early 1970s, the FIPPs are internationally recognised, having been articulated and echoed in the US Privacy Act of 1974, the Organisation for Economic Cooperation and Development Guidelines, the European Union Directive 95/46/EC, and the Asia-Pacific Economic Cooperation Privacy Framework.

Although differences in emphasis, interpretation and implementation exist, the FIPPs provide an invaluable lens through which governments and companies can analyse whether they are employing appropriate privacy protections.

The FIPPs have been adopted as concepts in many US sectorial enactments, including the Children’s Online Privacy Protection Act, Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act. The Obama administration recently proposed a “consumer bill of rights” amplifying and clarifying the application of FIPPs in commercial settings.

In the EU, the 1995 Data Protection Directive and implementing national laws are the current governing approach to privacy. A re-evaluation of the 1995 directive is under way; a regulation proposed by the European Commission in early 2012 tweaks the 1995 requirements and integrates new obligatory rights. Whether analysing the 1995 directive or the proposed regulation, however, the conclusion is the same – the FIPPs are the framework through which privacy protections are applied.

In contrast to the US’s more sectorial approach to privacy protections, the EU frequently adopts an umbrella approach, in which broad standards or principles are easily promulgated, but often require the creation of exceptions or derogations to apply the standards. The US can be more agile and specific in its legislation, but may appear more reactive to high-profile privacy violations.

Both systems have virtue, and each supports the general approach to governing that its community expects; it is only when viewing each through the other’s lens that the methodologies may seem deficient.

Regardless of the theories associated with privacy protections, a major movement on both sides of the Atlantic is to embed the FIPPs into information business practices and processes. The final FIPP – accountability – has received increased attention from US regulators such as the Federal Trade Commission and Department of Commerce, and the European Commission incorporated the concept into its draft regulation.

Both approaches need to find an appropriate way to reward companies that take responsibility for managing their information while penalising those that don’t.

By focusing on the end results of a privacy approach, the differences in framework will fade away, revealing the underlying common core values.