Legislators and witnesses agreed Thursday that the U.S. should not follow in lockstep the European Union's approach to protecting the collection and exchange of data online.
Bono Mack pointed at criticisms of the EU online privacy and data directives, which apply to the 27 member companies and how they handle the transfer of information. Those included "sporadic and inconsistent enforcement, with a seemingly disproportionate number of American companies targeted for compliance violations."
The directives "require all EU member states to enact national privacy legislation which satisfies certain baseline privacy principles, ranging from notice to consent to disclosure to security," she pointed out. "While these principles are the basis for the directive, each EU member state is responsible for incorporating these articles into its own national privacy laws."
She said she was not pointing fingers, but she wasn't pulling punches either, saying "EU directives at some point crossed paths with Murphy's Law. Anything that can possibly go wrong, does."
Before the hearing, consumer groups urged Bono Mack and ranking member G. K. Butterfield (D-N.C.) to look at the upside of the EU directives as well as the down. Butterfield gave the directives some props as "broad and strong privacy protections," but also pointed to problems.
"For businesses that have to navigate the laws of these 27 different countries, some regulations can feel pointless, some paperwork and recordkeeping burdensome, and some enforcement actions unfair," he said
The EU adopted a Data Privacy Directive in 1995 to "harmonize" privacy protection within EU and prevent personal information from flowing to other countries that EU believed lacked adequate protections, according to the memo. That was later updated to include E-privacy. The directive applies to affiliates of U.S. corporations and requires them to adhere to seven basic principles: Notice, purpose (data should be relevant to its use), consent, security, disclosure, access (ability to correct inaccuracies in data) and accountability.
The fact that each state is responsible for incorporating them into its own privacy laws has created problems for U.S. affiliates, legislators and witnesses agreed, even though the U.S. negotiated a safe harbor in 2000 that allows them to voluntarily adhere to data protection principles.
It was the second in a series of hearings on privacy the subcommittee has held as Congress and the administration kick the tires on how, and for some Republicans, whether, the U.S. adopts baseline privacy principles.
Witness Nicole Lamb-Hale, assistant secretary, International Trade Administration, which is under the Department of Commerce, said the U.S. was not looking to copy the EU model and its problems with enforcement, but that the U.S. needed baseline principles to give its trading partners more confidence in exchanging data with U.S. companies. She said that should include a flexible approach that will bring mobile apps not currently covered by privacy laws into that ambit to "protect consumers and promote international trade."
Stuart Pratt, president of the Consumer Data Industry Association, said the U.S. should stick with the current system and not adopt baseline privacy rules modeled on EU, while Peter Swire, Ohio State law professor and privacy scholar said that they were necessary, should be written into statue if possible, and would even help address the disparate enforcement issue because not having those U.S. guidelines could justify tougher enforcement by countries viewing the U.S. as insufficiently protecting their data, as some do today, he said.
Rep. Cliff Stearns (R-Fla.), said he was concerned about the EU's opt-in policy on data collection and sharing and the impact that would have on the behavioral advertising that allows for the targeted marketing model that helps sustain free net content.