alerts & publications
Privacy Reforms on the Horizon: A Primer on Pending E.U. and U.S. Privacy ProposalsDecember 16, 2010
For global companies that collect, broker, or use consumer data, the first several months of 2011 may prove critical. Both the European Union and the United States have announced plans to revise their data-protection laws or policies and those changes could, of course, require alterations in current business practices. Thus, the potential implications of new privacy requirements are great—both jurisdictions contemplate reforms that will affect broad categories of entities and that could affect companies around the world. To take one example, the FTC’s discussion of a new “Do Not Track” mechanism has already sparked debate over its potential impact on advertising-supported business models.
Moreover, the EU and the US approaches to privacy reform appear to be different in important respects, thus increasing the risk of business disruption. Accordingly, rapidly-approaching comment periods offer companies a critical opportunity to advocate for data-protection policies that will work best in a global economy, while creating a record for further governmental action or review.
As a starting point, this Client Alert notes several key similarities and differences between the proposals.
• Balancing Priorities: All three proposals balance increased consumer protection against the benefits of data collection, such as innovation, job creation, and economic growth.
• Increased Transparency: All three issuing bodies agree that companies should increase transparency with regard to the ways in which they collect and use consumer data, part of what the Commerce Department referred to as a “Privacy Bill of Rights”. To improve transparency, the proposals recommend:
o shorter, clearer, and more standardized privacy policies;
o increased consumer access to the information held about them;
o increased efforts to educate consumers about data collection and use; and
o simplified consumer choice mechanisms.
• Legislation vs. Self-Regulation: The proposals all recommend different levels of legislative involvement in privacy reforms:
o The European Commission will seek proposed privacy legislation in 2011, although it also notes the potential for certification schemes to help prove individual data controllers’ fulfillment of privacy obligations.
o The FTC has publicly declared that “self-regulation of privacy has not worked adequately and is not working adequately for American consumers.” And, while it does not actively recommend legislative action, the FTC seeks comment on whether it should recommend legislation requiring an “effective uniform choice mechanism” such as a “Do Not Track” program if the private sector does not do implement one voluntarily.
• Enforcement: The proposals also differ in the way that privacy policies will be enforced:
o The European Commission expresses a continued support for the Data Protection Authorities (DPAs) as the primary enforcers of data protection principles, and the Article 29 Working Party as the entity to ensure “the uniform application of EU data protection rules at a national level.” The White Paper advocates for a stronger role for the DPAs and increased cooperation between DPAs where cross-border transactions are involved.
o The FTC report suggests that the Commission will continue to rely on its existing authority under Section 5 of the Federal Trade Commission Act to continue its privacy enforcement efforts.
o The Commerce Department concedes that the FTC “should remain the lead consumer privacy enforcement agency for the U.S. Government,” but asks whether the FTC should be given any additional rulemaking authority if voluntary enforceable codes are not developed. Moreover, the Department asks whether state attorneys general should be given authority to enforce national privacy legislation.
The proposals also all contemplate that domestic privacy policies will have extraterritorial impact, in various ways. The European Commission notes that “the fact that the processing of personal data is carried out by a data controller established in a third country should not deprive individuals of the protection to which they are entitled.” The Commission addresses this concern in part by suggesting the adoption of uniform rules for assessing the level of data protection in a third country, and the “development and promotion of international legal and technical standards for the protection of personal data.” The FTC proposal does not make any direct recommendations regarding international privacy policies, but notes the FTC’s participation in international initiatives, including the Global Privacy Enforcement Network (GPEN). And the Commerce Department calls for “global interoperability” of privacy laws and policies, recognizing that “[w]hile the privacy laws across the globe have substantive differences, these laws are frequently based on the same fundamentals.” The Department thus recommends that the U.S. look to the Asia-Pacific Economic Cooperation (APEC) Data Privacy Pathfinder project as a model for identifying common privacy principles among countries with diverging legal frameworks. The Secretary of Commerce’s statement today expressly called for “steps to bridge the different privacy approaches among countries, which can help us increase the export of U.S. services and strengthen the American economy.”
The proposals explicitly cover fairly broad categories of entities, but their potential impact is even more far-reaching. The European Commission notes that the EU Data Protection Directive “applies to all personal data processing activities in Member States in both the public and private sectors,” and proposes that data protection rules be extended further to cover police and judicial cooperation in criminal matters. The FTC proposal limits its coverage to “online and offline commercial entities that collect, maintain, share, or otherwise use consumer data that can be reasonably linked to a specific consumer, computer or device.” The Commerce Department report does not identify the scope of its coverage, but emphasizes its focus on a “comprehensive national framework for commercial data privacy.” Regardless of the scope of any of the proposals’ direct coverage, however, it is clear that any entity that collects, brokers, or uses consumer data may be affected by the upcoming privacy reforms.
Still, much remains to be decided. All three reports represent only proposed frameworks, guidelines and recommendations. The FTC proposal, for example, “is intended to inform policy makers, including Congress, as they develop solutions, policies, and potential laws governing privacy, and guide and motivate industry as it develops more robust and effective practices and self-regulatory guidelines.”
The timeframe for public input and comment, however, is short and the deadlines are fast approaching. The EU has a January 15, 2011 deadline in place. Similarly, the FTC seeks comments on each component of its proposed framework by January 31, 2011 and plans on releasing a final report later next year. And today’s Commerce Department report requires that comments be submitted by January 28, 2011.
Accordingly, and in light of the approaching deadlines for comment, companies in every sector should consider whether they will be affected by any of the proposed privacy reforms and whether such potential impact warrants direct participation in the public comment process.
 Commission Proposal for a Comprehensive Approach on Personal Data Protection in the European Union, COM (2010), 609/3 (Nov. 11, 2010), at p. 5, available at http://ec.europa.eu/justice/news/consulting_public/0006/com_2010_609_en.pdf(hereinafter “EC Proposal”).
 Preliminary FTC Staff Report, “Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers” (Dec. 1, 2010), available at http://www.ftc.gov/os/2010/12/101201privacyreport.pdf (hereinafter “FTC Report”).
 Report of the Department of Commerce Internet Policy Task Force, “Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework” (Dec. 16, 2010), available at http://www.ntia.doc.gov/reports/2010/IPTF_Privacy_GreenPaper_12162010.pdf(hereinafter “Commerce Dept. Report”).
 FTC Report at iv; EC Proposal at 2; Commerce Dept. Report at 3.
 FTC Report at 44.
 FTC Report at 44-48.
 EC Proposal at 2.2.4.
 See Commerce Dept. Report at 45-47.
 Press Release, US Department of Commerce, Commerce Department Unveils Policy Framework for Protecting Consumer Privacy Online While Supporting Innovation: Calls for consideration a new set of principles—A “Privacy Bill of Rights,” (Dec. 16, 2010) available at http://www.commerce.gov/news/press-releases/2010/12/16/commerce-department-unveils-policy-framework-protecting-consumer-priv(hereinafter “Commerce Dept. Press Release”).
 See EC Proposal at 2.1.2; FTC Report at 70-72; Commerce Dept. Report at 31-34.
 FTC Report at 72-76; EC Proposal at 2.1.3.
 FTC Report at 78-79; EC Proposal at 2.1.4.
 FTC Report at 69; Commerce Dept. Report at 31-32.
 EC Proposal at 3.
 EC Proposal at 2.2.5.
 Jon Leibowitz, Chairman, Fed. Trade Comm’n, Preliminary FTC Staff Privacy Report: Remarks of Chairman Jon Leibowitz as Prepared for Delivery (Dec. 1, 2010), available at http://www.ftc.gov/speech
 FTC Report at 69.
 Commerce Dept. Report at iv, 4.
 Commerce Dept. Report at 29.
 Commerce Dept. Report at 41.
 Commerce Dept Report at 5.
 Commerce Dept. Press Release
 Commerce Dept. Report at 63.
 EC Report at 2.5.
 EC Report at 2.5.
 FTC Report at viii.
 Commerce Dept. Report at 72-73.
 Commerce Dept. Report at 74.
 EC Report at 2.2.3.
 EC Report at 2.4.1-2.4.2.
 FTC Report at 18.
 Commerce Dept. Report at 6-7.
 Commerce Dept. Report at 56-57.
 Commerce Dept. Press Release
 EC Report at 2.3.
 FTC Report at v (emphasis added).
 Commerce Dept. Report at 22.
 See FTC Report Appendix C at C-1.
 FTC Report at i.
Thank you for your interest. Before you communicate with one of our attorneys, please note: Any comments our attorneys share with you are general information and not legal advice. No attorney-client relationship will exist between you or your business and O’Melveny or any of its attorneys unless conflicts have been cleared, our management has given its approval, and an engagement letter has been signed. Meanwhile, you agree: we have no duty to advise you or provide you with legal assistance; you will not divulge any confidences or send any confidential or sensitive information to our attorneys (we are not in a position to keep it confidential and might be required to convey it to our clients); and, you may not use this contact to attempt to disqualify O’Melveny from representing other clients adverse to you or your business. By clicking "accept" you acknowledge receipt and agree to all of the terms of this paragraph and our Disclaimer.