More than several degrees of separation distinguish European legislation for consumer data privacy and its enforcement mechanisms from those of the United States. In the European Union (EU), individuals’ data privacy—considered a “fundamental right”—is protected by the 1995 EU Data Protection Directive, national privacy laws, and data protection authorities. Within the electronic realm, the European concept of privacy extends beyond personally identifiable information (PII) or other confidential records to include the broader scope of an individual’s digital record such as IP addresses and posts on social networking sites. The U.S. approach has been driven by addressing privacy legislation on a sector-by-sector basis, with separate laws governing education, health, financial, and even video rental records, as well as the storage, use, and dissemination of PII stored by the government. The disparate approaches are creating real world challenges, as global interoperability of many corporations increasingly will depend on the ability of companies to implement PII control regimes that satisfy both U.S. and EU guidelines.
For years, more sweeping legislation has laid stagnant in the U.S. Congress. However, realization of companies’ growing ability to aggregate, utilize, and disseminate individuals’ information as well as several high-profile enforcement cases may have begun to turn the tide of political action in both the executive and legislative branches. With the release of the Obama Administration’s and Federal Trade Commission’s (FTC) respective reports on consumer data privacy, the European and American legal conceptions of data privacy may be taking some initial steps towards convergence. The problem for companies and other organizations looking to encourage global interoperability and turn a profit in the digital age, however, is that the means of implementing the new privacy regimes show little sign of moving closer.
In late March, the FTC released “Protecting Consumer Privacy in an Era of Rapid Change,” a report encouraging companies that collect and use personal—referred to as “consumer”—data to implement a series of best practices protecting consumers’ private information. Earlier this year, the Obama Administration’s released a similar report calling for legislation declaring a “Consumer Privacy Bill of Rights” and a voluntary stakeholder engagement process to create codes of conduct for their enforcement. Europe’s current patchwork of national privacy laws and data protection authorities—all created in response to the 1995 EU Directive on Data Protection—could be succeeded by EU legislation regulating the processing and movement of all personal data across the EU as early as 2014.
An agreement on the definition of aspects of consumer privacy as a right or “core value” is a necessary first step if the EU and U.S. are to create interoperable privacy controls that will remove obstacles to the growth of key aspects of the digital economy. The Obama Administration’s consumer privacy framework and proposed EU Data Protection Regulation share basic commitments to a number of information practice principles, including transparency, access and accuracy, accountability, data security, and individual control. As extensions of previously validated Fair Information Practice Principles (FIPPs), these values have long been advocated as best practices by the FTC and adopted in legislation and policy by national governments and international institutions, including the EU. It is this step towards defining consumer privacy principles as rights protected by U.S. legislation that more clearly unites American policy intentions with those of its European counterparts.
U.S. and European proposals begin to differ, however, when it comes to the implementation of these principles. Both recognize the importance of “privacy by design” or “privacy by default,” but differ in the ways in which they designate specific privacy controls. The “right to be forgotten,” a clause contained in the proposed EU Data Protection Regulation, defends the rights of individuals to demand that personal data collected by a particular organization online be permanently deleted so long as its holding is not protected by law. This provision is already the subject of controversy for the headaches it may cause for companies like Google and Facebook whose business models depend in large part on the aggregation of user data across the Internet. Both the Obama Administration’s proposal and the FTC report advocate the creation of simple choice mechanisms for individual approval of personal data collection and its withdrawal, but neither goes so far as to claim a right to total removal.
More fundamentally, the very mechanisms of change and applicability of legislation protecting consumer privacy, present or future, diverge at the definitional level. While the EU is proposing broad-based regulation, both U.S. proposals remain limited in their applicability and call for industry-led, voluntary self-regulation supplemented by limited legislation. Despite its broad definition of consumer privacy rights, the Obama Administration’s report proposes that codes of conduct and legislation apply to only those commercial entities not already covered by privacy legislation (e.g., the health sector, financial services, and education entities). For its part, the FTC limits its proposed privacy framework to businesses that collect data from more than 5,000 consumers. This disparity between the U.S. and EU approaches matters less for governments and international institutions that require only mutual recognition, but could prove more of a challenge for companies subject to implementing these controls.
Global interoperability will depend on the ability of companies to implement consumer privacy controls that meet both EU and U.S. standards. U.S. and European policymakers should continue their collaboration to ensure that they share a common definition for consumer data privacy and limit regulation where it relates to the specific technical realization of these principles. Continued innovation and global interoperability in the digital age depend on it.
 U.S. Federal Trade Commission. “Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Business and Policymakers.” March 2012. http://www.ftc.gov/os/2012/03/120326privacyreport.pdf.