The proposals to strengthen online privacy rights, unveiled by the European Commission on 25 January, have received a mixed reaction so far from key US stakeholders. A spokesperson for the social network Facebook told Europolitics that the more harmonised framework envisaged by the Commission was a positive step but that provisions on data breach notifications, fines and the ‘right to be forgotten’ could be problematic to implement. By contrast, a representative from a Washington-based online privacy lobby group warmly welcomed the proposals and predicted they would incentivise US policy makers to update the country’s privacy laws. The US administration’s priority, meanwhile, is to ensure that the future EU regime will be interoperable with the US system and will not hamper the growth of the internet.

According to Erika Mann, director for EU affairs at Facebook, the single set of rules in the form of a regulation being proposed is an improvement on the current framework, which is fragmented due to varying national interpretations of the 1995 EU Data Protection Directive. Mann, who was a German MEP from 1994-2009, voiced concern, however, about the provision requiring data breaches to be notified within 24 hours, noting “this is not always so simple to do”. The Commission’s proposal that companies may be fined up to 2% of their annual turnover for breaching the privacy law also was “not really helpful,” she added, arguing it would be better to instead promote more positive cooperation with national data protection authorities. On the ‘right to be forgotten’, she said “we support this in principle” and pointed out that Facebook users have the right to remove their profile from the system at any time. What would be trickier to implement, she predicted, was removing content which has since been moved to other websites. Overall, Mann said she hoped the new legislation would take into account the positive role that internet-based companies have played in promoting jobs and innovation.

“FAVOURABLE DYNAMIC”

Marc Rotenberg, executive director of the Electronic Privacy Information Center in Washington, called the proposals “thoughtful and far-reaching,” adding that “they also create a favourable dynamic in the US”. His organisation would like the US to enact more comprehensive and binding data privacy rules. He criticised the Department of Commerce for delaying adoption of its white paper (it is due out in the coming weeks), saying “it has missed an opportunity to engage with the EU”. As for the three bills introduced in Congress in 2011 to enhance online data privacy and security, he said “not much has happened so far but we remain optimistic. There is public support for this and it is a bipartisan issue”. He felt that the existing EU-US framework to facilitate transatlantic data transfers, the 2000 Safe Harbour Agreement, was insufficient in view of the new EU proposals. Rotenberg suggested that the US should ratify the Council of Europe’s 1981 convention on protection of personal data to help resolve the problem of the EU and US’ divergent legal frameworks.

A spokesman for the Department of Commerce, the lead agency on this issue, said “we share the EU’s commitment to protecting individual privacy and continue our own efforts to preserve online privacy in the US. We look forward to working with the EU on the interoperability of our respective approaches, which will enhance consumer trust and promote the continued growth of the global internet economy”. In its upcoming white paper, the Department of Commerce is expected to advocate a voluntary but enforceable code of conduct for companies, according to various sources, rather than a legally binding regulation along the lines of what the Commission is proposing for the EU. The current lack of a comprehensive data privacy legal framework in the US prevents the Commission from adopting a so-called ‘adequacy’ decision that would allow free flow of personal data between jurisdictions. The Safe Harbour Agreement has been the solution to this regulatory divergence to date.