On October 21, 2015, the EU-U.S. Privacy Bridge Initiative, a group of transatlantic privacy experts that was convened in April of 2014, released its report on Privacy Bridges – EU and US Privacy Experts in Search of Transatlantic Privacy Solutions.
The group of 19 data protection expert members included President of Hunton & Williams LLP’s Centre for Information Policy Leadership (“CIPL”) Bojana Bellamy and CIPL’s Senior Policy Advisor Fred H. Cate.
The group’s report identifies ten “privacy bridges” that can serve as practical steps toward bridging the gap between the EU and U.S. approaches to privacy. The goal of these bridges is to create a high level of transatlantic privacy protection by “furthering the interests of individuals and increasing certainty for commercial organizations.” The bridges intend to accomplish this goal in a way that “respects the substantive and procedural differences between the two jurisdictions” and without requiring legislative changes on either side of the Atlantic.
The ten bridges are:
- Formalizing the Working Relationship between the Article 29 Working Party and the Federal Trade Commission. The Working Party and FTC should engage in ongoing public dialogue and policy development coordination concerning key privacy challenges and should institutionalize their collaboration through a Memorandum of Understanding.
- User Controls. Stakeholders should work together to develop user friendly mechanisms to express individual choice and consent concerning how their personal data is collected and used.
- New Approaches to Transparency. The Working Party and the FTC should coordinate recommendations on privacy notices and encourage an international standardization process to develop more definitive guidance on transparency, which will be a precondition for developing effective user controls.
- User Complaint Mechanisms: Redress of Violations Outside a User’s Region. Online services should provide contact information for filing consumer complaints and appropriate public agencies in the EU and U.S. should jointly create a public directory with information about how and where complaints can be filed.
- Government Access to Private Sector Personal Data. Communication and Internet services should establish uniform best practices for handling information requests from their own and foreign governments and report on government access requests on a regular basis.
- De-identification of Personal Data. EU and U.S. regulators should identify concrete and shared standards on de-identification.
- Best Practices for Security Breach Notification. Relevant authorities should cooperate in dealing with multi-national breaches in terms of enforcement and establishing a more harmonized reporting regime.
- Accountability. The Working Party and FTC should harmonize their approaches to accountability programs that improve data processing practices. The private sector should develop more effective means for external verification and scalability of such programs.
- Greater Government-to-Government Engagement. EU and U.S. executive agencies and decision-making bodies should engage in dialogue and, where appropriate, effective coordination of their regulatory activity.
- Collaborating on and Funding for Privacy Research Programs. To enable the growth of common perspectives on privacy, collaborative and multidisciplinary research should be fostered on both sides of the Atlantic.
The “Privacy Bridges” group was convened in 2014 on the initiative of Jacob Kohnstamm, chairman of the Dutch Data Protection Authority, and jointly organized by the Massachusetts Institute of Technology Cybersecurity and Internet Policy Research Initiative and the University of Amsterdam’s Institute for International Law.
Bojana Bellamy welcomed the release of the report, saying “With the mounting legal uncertainty over transatlantic data flows and the increasing challenges of our digital society, there has never been a more pressing moment to collaborate on practical measures that can leverage our shared privacy values for the benefit of both our citizens and commercial organizations.”
Fred Cate, who also serves as Vice President for Research and a Distinguished Professor at Indiana University, stressed that “the key aspect of this initiative is that it is focused on practical, pragmatic steps that can actually be implemented even while countries on both sides of the Atlantic continue to debate data protection laws.”
“If U.S. and EU regulators, private sector leaders, academics, and others can work together to actually implement some or all of these ten bridges, the report will have done its job and nations, companies, and people on both sides of the Atlantic will benefit,” Cate said.
The report will be the one of the key topics for discussion at the upcoming 37th International Privacy Conference in Amsterdam in the week of October 26, 2015.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott H. Kimpel
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code