The United States Department of Commerce launched a significant lobbying campaign against the leaked draft proposal for a Data Protection Regulation. The campaign included high-level phone calls from senior figures in the US Department of Commerce to top level staff in the European Commission covering topics such as US business, multilateral and bilateral treaty organizations, PNR, national security, law enforcement, trade and innovation. A somewhat less critical, but nonetheless alarming, “informal note” was also circulated (pdf)
In the following sections, we would like to highlight some of the most prominent exaggerations and misunderstandings in the US paper:
Section 1: Interoperability
The US praises its own global work on “interoperable” privacy standards and says that the EU’s draft proposal “widens, rather than narrows, the gap” between existing practices. The concept of “interoperability” has often meant in the past that data is simply being transferred to the US – without US laws that would protect the data non-US persons. After opposing innovation in the new framework, the note then says that substantial innovation is “of course” appropriate.
Data breach requirements
After acknowledging the positive impacts, the analysis of data breach notification requirements descends into logical truisms – “overly” strict standards would be overly strict and would “divert attention” away from improving corporate data security practices. It refers to the “broad” definition of personal data breach without further comment – as if a broad definition was, by definition, a flaw. The note explains in a lot of words that, in some exceptional circumstances, the 24-hour notification deadline may be disproportionate and would risk “over-notification” – although most US data breach notification statutes use very similar language. The note claims that this would put the focus on process rather than security.
Right to be forgotten
The note points out that requiring “any” link to personal data to be deleted is very expansive and may interfere with free speech rights. Ironically, a footnote, which runs exactly contrary to the current US proposals on copyright, explains that there is no point in using legal instruments to keep content off the Internet – quoting an academic who said “there is no (legal) remedy that is available that could prevent such a thing from happening – this is of course due to the decentralized, multijurisdictional character of the web”. They use an example where an injunction increased rather than decreased availability of the objected-to data.
Definition of “child”
The note points out that it may be problematic to treat teenagers in exactly the same way as small children. The note states that the Children’s Online Privacy Protection Act (COPPA) defines “child” as individuals under the age of 13 and that it could be difficult to always require parental permission, especially when teenagers are becoming more independent.
The note argues that the proposed draft regulation increases complexity by adopting a horizontal approach (which the Lisbon Treaty requires), adding another layer of problems to an already “burdensome, opaque and ‘indeterminate’ process. Interestingly, the note focuses on an ECJ decision in Akzo Nobel on attorney-client privilege in other countries implying that adequacy assessments in a data protection ‘regime’ would be even more difficult and impossible.
Alternative provisions for data transfer
The US authorities appear to have had difficulty in understanding the draft proposal and how it will deal with codes of conduct, privacy certification schemes, seals and trustmarks – the US worries in particular that these may not be considered “adequate” for transfers for to third countries.
Section 2: Regulatory enforcement and International Cooperation
The US authorities attack the restrictions in Article 42 on access to European data in the absence of an EU legal framework – with no empathy at all with the idea that the EU has an obligation to protect European fundamental rights and cannot deliberately leave a loophole open, where foreign governments can gain access to European data. The note also worries that the current draft does not clearly permit – and may restrict – transfers of data from regulatory enforcement agencies in the EU or its member states to third country agencies such as the FTC.
Finally, the US authorities complain that the Regulation “appears” to limit full cooperation on cross-border cooperation on privacy enforcement to countries which have an adequate data protection regime.