Privacy & Information Security Law Blog

On October 21, 2015, the EU-U.S. Privacy Bridge Initiative, a group of transatlantic privacy experts that was convened in April of 2014, released its report on Privacy Bridges – EU and US Privacy Experts in Search of Transatlantic Privacy Solutions.

The group of 19 data protection expert members included President of Hunton & Williams LLP’s Centre for Information Policy Leadership (“CIPL”) Bojana Bellamy and CIPL’s Senior Policy Advisor Fred H. Cate.

The group’s report identifies ten “privacy bridges” that can serve as practical steps toward bridging the gap between the EU and U.S. approaches to privacy. The goal of these bridges is to create a high level of transatlantic privacy protection by “furthering the interests of individuals and increasing certainty for commercial organizations.” The bridges intend to accomplish this goal in a way that “respects the substantive and procedural differences between the two jurisdictions” and without requiring legislative changes on either side of the Atlantic.

The ten bridges are:

• Formalizing the Working Relationship between the Article 29 Working Party and the Federal Trade Commission. The Working Party and FTC should engage in ongoing public dialogue and policy development coordination concerning key privacy challenges and should institutionalize their collaboration through a Memorandum of Understanding.
• User Controls. Stakeholders should work together to develop user friendly mechanisms to express individual choice and consent concerning how their personal data is collected and used.
• New Approaches to Transparency. The Working Party and the FTC should coordinate recommendations on privacy notices and encourage an international standardization process to develop more definitive guidance on transparency, which will be a precondition for developing effective user controls.
• User Complaint Mechanisms: Redress of Violations Outside a User’s Region. Online services should provide contact information for filing consumer complaints and appropriate public agencies in the EU and U.S. should jointly create a public directory with information about how and where complaints can be filed.
• Government Access to Private Sector Personal Data. Communication and Internet services should establish uniform best practices for handling information requests from their own and foreign governments and report on government access requests on a regular basis.
• De-identification of Personal Data. EU and U.S. regulators should identify concrete and shared standards on de-identification.
• Best Practices for Security Breach Notification. Relevant authorities should cooperate in dealing with multi-national breaches in terms of enforcement and establishing a more harmonized reporting regime.
• Accountability. The Working Party and FTC should harmonize their approaches to accountability programs that improve data processing practices. The private sector should develop more effective means for external verification and scalability of such programs.
• Greater Government-to-Government Engagement. EU and U.S. executive agencies and decision-making bodies should engage in dialogue and, where appropriate, effective coordination of their regulatory activity.
• Collaborating on and Funding for Privacy Research Programs. To enable the growth of common perspectives on privacy, collaborative and multidisciplinary research should be fostered on both sides of the Atlantic.

The “Privacy Bridges” group was convened in 2014 on the initiative of Jacob Kohnstamm, chairman of the Dutch Data Protection Authority, and jointly organized by the Massachusetts Institute of Technology Cybersecurity and Internet Policy Research Initiative and the University of Amsterdam’s Institute for International Law.

Bojana Bellamy welcomed the release of the report, saying “With the mounting legal uncertainty over transatlantic data flows and the increasing challenges of our digital society, there has never been a more pressing moment to collaborate on practical measures that can leverage our shared privacy values for the benefit of both our citizens and commercial organizations.”

Fred Cate, who also serves as Vice President for Research and a Distinguished Professor at Indiana University, stressed that “the key aspect of this initiative is that it is focused on practical, pragmatic steps that can actually be implemented even while countries on both sides of the Atlantic continue to debate data protection laws.”

“If U.S. and EU regulators, private sector leaders, academics, and others can work together to actually implement some or all of these ten bridges, the report will have done its job and nations, companies, and people on both sides of the Atlantic will benefit,” Cate said.

The report will be the one of the key topics for discussion at the upcoming 37th International Privacy Conference in Amsterdam in the week of October 26, 2015.