As the EU embarks on a sweeping revamp of data privacy policy with the European Commission's unveiling, on 25 January, of new legislative proposals, a similar debate is getting underway across the Atlantic. With the internet unconstrained by political borders, industry and policy makers are carefully eyeing regulatory developments on each other's territory. Although it is still early days, the EU seems more favourably disposed to passing legislation to bolster online data privacy than the US, where there remains stronger support for the view that the internet should be left as unregulated as possible to assure its unfettered development. However, the countervailing view, that some taming of the 'wild West' legal environment is desirable, has been gaining credence.

The US administration plans to unveil a major policy document in the coming weeks. The Department of Commerce, the lead government agency on the issue, is expected to refrain from proposing binding legislation along the EU model and instead call on industry to adopt voluntary codes of conduct that would be enforceable. The Federal Trade Commission (FTC), which protects consumers from anti-competitive practices, is also drafting a data privacy policy paper. And lawmakers on Capitol Hill are paying attention to the issue. In 2011, three bills were introduced sponsored by a mix of Democrats and Republicans, which aim to enhance online data privacy and security. The bills have not yet been put to a vote in the full House or Senate. In recent congressional hearings, political support appeared stronger for legislation on data security than on data privacy, where sharper divisions were evident.

Positions fluid 

But positions in Washington on internet regulation are fluid. A good illustration of this was the recent storm whipped up over two bills that sought to clamp down on websites that reproduce artistic materials - films, music, etc - in breach of copyright law. In a battle dubbed 'Silver screen versus Silicon Valley,' music and film industry lobbyists were initially very successful at pushing bills through Congress to stop internet piracy. But then the digital industry fought back with a smart campaign that struck a deep cord with the general public, with sites like the online encyclopaedia Wikipedia going blank for 24 hours, on 18 January, in protest. The political tide turned as lawmakers suddenly abandoned support for the bills in their droves and the draft legislation was shelved. Many EU officials and parliamentarians breathed a sigh of relief at this turn of events as they had serious concerns over the bills' extra-territorial provisions, which could have led to Europe-based websites being disabled without a court hearing. The bills also had provisions to stop credit card companies, advertisers and search engine providers dealing with such websites. Digital Agenda Commissioner Neelie Kroes tweeted that the legislation was "bad" and that "you don't put speed bumps on the motorway".

In the coming weeks, the gaze is likely to shift back across the Atlantic as Justice Commissioner Viviane Reding's data privacy package comes under the microscope. From a US viewpoint, the package has pros and cons. On the one hand, by converting the 1995 Data Protection Directive (95/46/EC) into a regulation, the rules should become more harmonised across the EU27, something American businesses in particular should welcome. However, Commissioner Reding's push to enshrine data privacy in EU law as a fundamental right, including with such innovative provisions as 'the right to be forgotten', could raise red flags in the US, especially from tech industry giants like Oracle and Google. Presently, the smooth flow of data between the EU and US is assured by the 2000 EU-US Safe Harbour Agreement, under which US companies pledge to comply with the seven data protection principles set out in Directive 95/46/EC. While businesses and the administrations seem satisfied with this regime, many data privacy advocates are not, viewing it as a loophole that allows US firms that do business in Europe to evade EU data protection rules.