As an EU privacy professional working in the US, one of the things that regularly fascinates me is each continent's misperception of the other's privacy rules. Far too often have I heard EU privacy
As an EU privacy professional working in the US, one of the things that regularly fascinates me is each continent's misperception of the other's privacy rules. Far too often have I heard EU privacy professionals (who really should know better) mutter something like "The US doesn't have a privacy law" in conversation; equally, I've heard US colleagues talk about the EU's rules as being "nuts" without understanding the cultural sensitivities that drive European laws.
So I thought it would be worth dedicating a few lines to compare and contrast the different regimes, principally to highlight that, yes, they are indeed different, but, no, you cannot draw a conclusion from these differences that one regime is "better" (whatever that means) than the other. You can think of what follows as a kind of brief 101 in EU/US privacy differences.
1. Culturally, there is a stronger expectation of privacy in the EU. It's often said that there is a stronger cultural expectation of privacy in the EU than the US. Indeed, that's probably true. Privacy in the EU is protected as a "fundamental right" under the European Union's Charter of Fundamental Rights - essentially, it's akin to a constitutional right for EU citizens. Debates about privacy and data protection evoke as much emotion in the EU as do debates about gun control legislation in the US.
2. Forget the myth: the US DOES have data protection laws. It's simply not true that the US doesn't have data protection laws. The difference is that, while the EU has an all-encompassing data protection framework (the Data Protection Directive) that applies across every Member State, across all sectors and across all types of data, the US has no directly analogous equivalent. That's not the same thing as saying the US has no privacy laws - it has an abundance of them! From federal rules designed to deal with specific risk scenarios (for example, collection of child data online is regulated under the Children's Online Privacy Protection Act), to sector-specific rules (Health Insurance Portability and Accountability Act for health-related information and the Gramm-Leach-Bliley Act for financial information), to state-driven rules (the California Online Privacy Protection Act in California, for example - California, incidentally, also protects individuals' right to privacy under its constitution). So the next time someone tells you that the US has no privacy law, don't fall for it - comparing EU and US privacy rules is like comparing apples to a whole bunch of oranges.
3. Class actions. US businesses spend a lot of time worrying about class actions and, in the privacy realm, there have been multiple. Countless times I've sat with US clients who agonise over their privacy policy drafting to ensure that the disclosures they make are sufficiently clear and transparent in order to avoid any accusation they may have misled consumers. Successful class actions can run into the millions of $$$ and, with that much potential liability at stake, US businesses take this privacy compliance risk very seriously. But when was the last time you heard of a successful class action in the EU? For that matter, when was the last time you heard of ANY kind of award of meaningful damages to individuals for breaches of data protection law?
4. Regulatory bark vs. bite. So, in the absence of meaningful legal redress through the courts, what can EU citizens do to ensure their privacy rights are respected? The short answer is complain to their national data protection authorities, and EU data protection authorities tend to be very interested and very vocal. Bodies like the Article 29 Working Party, for example, pump out an enormous volume of regulatory guidance, as do certain national data protection authorities, like the UK Information Commissioner's Office or the French CNIL. Over in the US, American consumers also have their own heavyweight regulatory champion in the form of Federal Trade Commission which, by using its powers to take enforcement against "unfair and deceptive practices" under the FTC Act, is getting ever more active in the realm of data protection enforcement. And look at some of the settlements it has reached with high profile companies - settlements that, in some cases, have run in excess of US$20m and resulted in businesses having to subject themselves to 20 year compliance audits. By contrast, however vocal EU DPAs are, their powers of enforcement are typically much more limited, with some even lacking the ability to fine.
So those are just some of the big picture differences, but there are so many more points of detail a well-informed privacy professional ought to know - like how the US notion of "personally identifiable information" contrasts with EU "personal data", why the US model of relying on consent to legitimise data processing is less favoured in the EU, and what the similarities and differences are between US "fair information practice principles" and EU "data protection principles".
That's all for another time, but for now take away this: while they may go about it in different ways, the EU and US each share a common goal of protecting individuals' privacy rights. Is either regime perfect? No, but each could sure learn a lot from the other.
So I thought it would be worth dedicating a few lines to compare and contrast the different regimes, principally to highlight that, yes, they are indeed different, but, no, you cannot draw a conclusion from these differences that one regime is "better" (whatever that means) than the other. You can think of what follows as a kind of brief 101 in EU/US privacy differences.
1. Culturally, there is a stronger expectation of privacy in the EU. It's often said that there is a stronger cultural expectation of privacy in the EU than the US. Indeed, that's probably true. Privacy in the EU is protected as a "fundamental right" under the European Union's Charter of Fundamental Rights - essentially, it's akin to a constitutional right for EU citizens. Debates about privacy and data protection evoke as much emotion in the EU as do debates about gun control legislation in the US.
2. Forget the myth: the US DOES have data protection laws. It's simply not true that the US doesn't have data protection laws. The difference is that, while the EU has an all-encompassing data protection framework (the Data Protection Directive) that applies across every Member State, across all sectors and across all types of data, the US has no directly analogous equivalent. That's not the same thing as saying the US has no privacy laws - it has an abundance of them! From federal rules designed to deal with specific risk scenarios (for example, collection of child data online is regulated under the Children's Online Privacy Protection Act), to sector-specific rules (Health Insurance Portability and Accountability Act for health-related information and the Gramm-Leach-Bliley Act for financial information), to state-driven rules (the California Online Privacy Protection Act in California, for example - California, incidentally, also protects individuals' right to privacy under its constitution). So the next time someone tells you that the US has no privacy law, don't fall for it - comparing EU and US privacy rules is like comparing apples to a whole bunch of oranges.
3. Class actions. US businesses spend a lot of time worrying about class actions and, in the privacy realm, there have been multiple. Countless times I've sat with US clients who agonise over their privacy policy drafting to ensure that the disclosures they make are sufficiently clear and transparent in order to avoid any accusation they may have misled consumers. Successful class actions can run into the millions of $$$ and, with that much potential liability at stake, US businesses take this privacy compliance risk very seriously. But when was the last time you heard of a successful class action in the EU? For that matter, when was the last time you heard of ANY kind of award of meaningful damages to individuals for breaches of data protection law?
4. Regulatory bark vs. bite. So, in the absence of meaningful legal redress through the courts, what can EU citizens do to ensure their privacy rights are respected? The short answer is complain to their national data protection authorities, and EU data protection authorities tend to be very interested and very vocal. Bodies like the Article 29 Working Party, for example, pump out an enormous volume of regulatory guidance, as do certain national data protection authorities, like the UK Information Commissioner's Office or the French CNIL. Over in the US, American consumers also have their own heavyweight regulatory champion in the form of Federal Trade Commission which, by using its powers to take enforcement against "unfair and deceptive practices" under the FTC Act, is getting ever more active in the realm of data protection enforcement. And look at some of the settlements it has reached with high profile companies - settlements that, in some cases, have run in excess of US$20m and resulted in businesses having to subject themselves to 20 year compliance audits. By contrast, however vocal EU DPAs are, their powers of enforcement are typically much more limited, with some even lacking the ability to fine.
So those are just some of the big picture differences, but there are so many more points of detail a well-informed privacy professional ought to know - like how the US notion of "personally identifiable information" contrasts with EU "personal data", why the US model of relying on consent to legitimise data processing is less favoured in the EU, and what the similarities and differences are between US "fair information practice principles" and EU "data protection principles".
That's all for another time, but for now take away this: while they may go about it in different ways, the EU and US each share a common goal of protecting individuals' privacy rights. Is either regime perfect? No, but each could sure learn a lot from the other.