The U.S. is having a very public debate about online privacy, and the EU is watching.
During a July 12 hearing,members of the Senate Committee on Commerce, Science and Transportation, along witha panel of experts, discussed the pros and cons of the FCC's current privacy proposal,which seeks to impose new privacy regulations on broadband service providers.
One major concern raised by Sen. Jerry Moran, R-Kan., was thatthe FCC proposal might undermine the newly adoptedEU-U.S. Privacy Shield, which establishes a transatlantic framework for commercialexchanges of personal data.
The new framework is designed to protect the privacy rights ofanyone in the EU whose personal data is transferred to the U.S., providing clearlimits and safeguards with respect to how U.S. companies and the U.S. governmentcan use that data.
Moran noted that in building the framework, American officialshad touted standards based on the Federal Trade Commission's long-standing guidelinesfor privacy. After the Privacy Shield was adopted by the EU, FTC Chairwoman EdithRamirez said in a statement,"The FTC has a strong track record of protecting consumer privacy, and we willremain vigilant as we enforce the new framework."
The problem, according to multiple witnesses at the hearing,is that the FCC's proposal creates a new, alternative set of guidelines distinctfrom those utilized by the FTC.
In his prepared testimonyfor the hearing, former FTC Chairman and current co-Chairman of the 21st CenturyPrivacy Coalition Jon Leibowitz wrote, "Because the United States has highlightedthe FTC's approach to privacy in its negotiations with the European Union regardingcross-border data transfers, including the so-called Privacy Shield, there are concernson both sides of the Atlantic that FCC divergence from the FTC privacy frameworkcould undermine the Privacy Shield in the European Court of Justice as well as otherUS international privacy negotiations."
Dean Garfield, president and CEO of the Information TechnologyIndustry Council, agreed, noting that while the Privacy Shield recognizes some distinctionsbetween the current U.S. and European privacy regimes, it also recognizes that theFTC's framework and principles are well established.
"It would be highly ironic and certainly unhelpful if becauseof another regulatory agency, that agreement that has just been put in place wouldbe called in question because we're now questioning whether the privacy regime inthe U.S. is one that's workable," Garfield said.
There are certainly questions being raised domestically aboutthe adequacy of the FTC's existing privacy protections, mostly by proponents ofthe FCC proposal.
Paul Ohm, professor of law at Georgetown University Law Center,wrote in his prepared testimonythat while the FCC's proposal is a "modest, sensible, and legally authorized"step in the right direction, "there remains a significant need to strengthenprivacy rules for online actors other than [broadband internet access service] providers."
Ohm added that the FTC does not currently have the authorityor resources required to solve all online privacy problems. "We ought to increasethe resources we provide to the FTC and enhance its power to police deceptive andunfair privacy practices," Ohm said.
This echoes similar remarks recently made by the Electronic PrivacyInformation Center, which in a July 6 filingwith the FCC criticized the FTC's record of protecting consumer privacy.
"The reality is that the FTC lacks the statutory authority,the competence, and the political will to protect the online privacy of Americanconsumers," EPIC said in its filing, adding that "consumer privacy violationshave proliferated under the FTC's watch."
The group pointed to the FTC's decision to allow to consolidate users' personalinformation across more than 60 Google services — including search, email, browsingand YouTube — to create comprehensive user profiles. "Thus, virtually all Internetactivity now comes under the purview of one company," EPIC said. "Thispermissive approach is clearly the wrong model for those who seek to protect Americanconsumers from privacy invasions by ISPs."
Putting these remarks in context, EPIC was trying to justifywhy the FCC's privacy proposal needs to go above and beyond the FTC's current privacyregime. But Garfield suggested that European opponents to the Privacy Shield mightuse these remarks to challenge the new framework in court.
Notably, the Privacy Shield was only made necessary after theCourt of Justice of the European Union declaredthe previous Safe Harbor accord invalid.