Out-Law / Your Daily Need-To-Know

Out-Law News 3 min. read

US privacy law could learn from Europe, say consumer advocates


US privacy laws "lag woefully behind" the demands of current technology and the US should emulate EU data protection laws, a group of consumer groups including the UK's Which? and Consumer Focus has said.

EU-US umbrella group the Transatlantic Consumer Dialogue (TACD) has called on US law-makers to learn from the EU's approach to data protection and privacy.

TACD has written to the US' House Subcommittee on Commerce, Manufacturing and Trade expressing disappointment about the apparent tone of a Congress hearing entitled 'Internet Privacy: The Impact and Burden of EU Regulation', which is taking place today.

The group said consumer organisations across the EU and US had come to a "widespread agreement" that US privacy safeguards were lacking, and that the country's privacy laws "lag woefully behind current technology and business practices". It said it thought Congress should focus on what it can learn from the EU's "experience with data protection".

The TACD said it was "somewhat surprised by what appears to be an effort to call into question the purpose and 'burden' of the EU Data [Protection] Directive" and instead called for a "fair and balanced review" of the Directive instead. It said that EU data protection law "borrows much from the original formulation of privacy laws" the US had developed.

"We believe there is great urgency in the need for the US Congress to address meaningfully the new challenges to privacy. We see in the United States spiralling levels of identity theft and security breaches," the TACD said in its letter (3-page / 53KB PDF).

"The US generates more spam (unsolicited commercial email) than any other country in the world and spends more money monitoring its own citizens than any other country in the world. Certainly, there is much the United States could learn from other countries about how to address such challenges and the EU Data [Protection] Directive provides a very good starting point," TACD said.

A memo on the Congress hearing said that "industry observers argue EU enforcement is sporadic and inconsistent, with a seemingly disproportionate number of American companies targeted for compliance violations," according to a report by Media Post.

In Europe the EU's Data Protection Directive sets out rules that organisations that hold personal data must abide by. In the UK the EU laws are transposed in the UK Data Protection Act. The Act sets out rules on how organisations should process and secure personal data. EU privacy rules are also set out in the Privacy and Electronic Communications Directive.

Currently US watchdogs including the Federal Communications Commission and Federal Trade Commission can hand out punishment for organisations' breaches of privacy in their sector, but there is no single over-arching US data protection law to govern the use of personal information.

The TACD said that EU data protection laws "make clear to business and consumers what their rights and obligations are"; are easier to follow than US regulation, and have better "weathered" changes in technology that US legislation.

"Unlike the extraordinarily complicated regulatory process that the United States tends to follow, EU privacy law is reasonably straightforward relying on commonsense terms and not a lot of 'legalese'," the TACD said in its letter.

"The EU Data [Protection] Directive is technologically neutral, focusing on the collection and use of personal information and not the specific technologies involved. As such it has weathered [technological] change over the last two decades fairly well. By comparison, many of the US privacy laws, e.g. for 'video rental records,' seem very much out of date," the TACD said.

The TACD letter said that the US "position on consumer access to information stifles both markets and innovation", and said the EU's more "transparent" approach, which requires businesses to disclose what information they hold about customers, helped consumers to make "meaningful decisions" that help markets operate.

The TACD criticised the way the US had removed privacy safeguards in the housing sector and said EU data protection laws had helped build confidence in trade.

"The aim of the Directive is not to 'burden' businesses but rather to ensure that businesses comply with basic privacy obligations that help ensure trust and confidence in the marketplace and facilitate the cross-border flow of data," the TACD said.

"Without such baseline standards, the risk of consumer revolt and market collapse is very real, as the U.S. experienced over the last several years in housing markets when it chose to remove safeguards that protected both consumers and businesses," it said.

The US "does not appear" to have an equivalent oversight group to the European committee that is made up of national data protection watchdogs, the Article 29 Working Party, the TACD said.

"The United States does not appear to have any comparable agency to meaningfully assess such topics as geolocation services, the use of radio frequency identification in identity documents, cloud computing services, or data protection issues related to money laundering," the TACD said.

Proposals for reforms in EU data protection laws are expected to be announced later this year. The European Commission has previously said that new laws are required to reflect technological change. The existing Data Protection Directive came into effect in 1995.

The US Government is expected to announce proposals for updating federal laws that regulate the way organisations collect information about consumers later this autumn, a recent report by CNET said. A White House spokesperson said, however, that any new measures should not place "additional burdens" on companies that are "engaged in responsible privacy practices today".

We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.