Comment: A Cultural Spat? Data Protection and Privacy Issues between the EU and US

Andy Green examines trans-Atlantic differences between views on privacy and data protection

Passed in 1995 when the internet had far fewer routers, the European Union’s Data Protection Directive, or DPD, went largely unnoticed in the US. The DPD was a groundbreaking piece of data security and consumer privacy legislation, preceding equivalent US efforts (HIPAA, Gramm-Leach-Bliley) by several years. 

Times have changed. Early last year, proposed updates to the DPD – let’s call it DPD 2.0 – became news in the mainstream press.

The difference between then and now is that US social media companies entered the scene and have been openly expressing their concerns with certain aspects of the new rules. For example, there’s a major social media player with a European HQ in Ireland that’s been publicly critical. They object to DPD 2.0 rules for allowing customers to permanently delete their online data (the “right to be forgotten”) and obligating service providers to alert authorities within 24 hours of a breach.

It hasn’t only been internet companies that have voiced their objections to DPD 2.0. An economic officer in the US Foreign Service, for example, hinted that a trade war would break out unless differences over DPD 2.0 are settled.

The American Chamber of Commerce is a good baseline for US business sentiment. In looking at its public response to the EU Commission’s announcement to change the DPD’s rules, it too had a critical opinion. Though not as strongly opposed as the internet companies or as ominous sounding as the US diplomat’s prediction, the Chamber’s comments still called for clarification on the right to be forgotten and suggested that a workable solution should distinguish between “data directly inputted by the user (e.g., photos or names of friends) and data created by the service provider”. In addition, on breach notification, the Chamber was concerned about the burdens placed on businesses and possible confusion for consumers if the threshold for breach notification was too low.

My first instincts were to attribute this clash to different political ideas on privacy. The EU’s approach – some say – emphasizes privacy at the expense of free speech and free exchange of ideas. In the US, regulators are less willing to view privacy as a fundamental right. These differences on privacy expectations are unquestionably based on culture and, for several EU nations, direct historical experiences with the dark side of privacy abuses.

That is not to say EU notions of privacy and data transparency are unknown in the US. Most notably, healthcare organizations have had strict EU-style privacy and security requirements under HIPAA’s regulatory rules. And just last year, the FTC issued an important set of data security guidelines that would be familiar to EU regulators: minimize collection of consumer personal identifiers, retain data only as long as is necessary for business purposes, and provide consumers access to their data. Although these are best practices and purely voluntary, the FTC’s policy approach may close the gap between the US and EU even further as some of these ideas work their way into general data privacy laws.

To better understand the differences between US companies and the EU Commission over DPD 2.0, I took a closer look at early public comments that were posted by relevant stakeholders back in 2011. It turns out there was more variance in opinion than I initially thought from reading the business headlines.

A few American computer hardware manufacturers wrote approvingly of the EU’s plan for simplification and “harmonisation”. They were referring to DPD 2.0’s goal of a single EU data protection authority making binding decisions – which is not now the case because member nations have their own separate rulemaking capabilities. A major trade group representing US airlines, which collectively has detailed information on millions of travelers, made no mention of the right-to-be-forgotten rule in its response. And a key American financial services firm also was on board with the simpler breach notification goals in the new DPD.

What’s going on here? Of course, I understand that in the business model of the pure social media players, data is an asset, and allowing their customers to press the erase button is like burning cash. However, for airlines, software and hardware companies, and some major consumer goods companies whose comments I also reviewed, consumer data is clearly central to their business, yet they simply did not share the same level of criticism.

What I would like to propose is that the differences in opinion over the EU’s updated DPD are partially about the split between companies where an IT point of view has worked its way out of the server room and into the board room, and those in which this IT culture is segregated away from business decisions. In other words, companies that connect IT best practices to the bottom line understand that good security policy means keeping the collection of personally identifiable information (PII) to a minimum, that sensible data retention strategies assign less value to stale and outdated data, and that giving consumers access to their data ultimately makes it more accurate and therefore more valuable for decision-making purposes – up-to-date consumer data leads to better marketing and more reliable analytics for planning exercises.

I think we’re watching history unfold as this view of consumer data becomes more accepted. US companies in financial services, medical, and banking, which have historically had more regulatory oversight, perhaps evolved more quickly toward this approach, but they’re not the only ones. There’s a good chance that the FTC guidelines I mentioned earlier, which are based heavily on the IT security principle of “privacy by design”, will become rules of the road initially for the data broker industry and then possibly for other sectors.

Some changes in behavior toward consumer data have already started. That social media company I mentioned earlier? They did an about-face on the DPD 2.0’s proposed requirement for letting users view their data. Facebook now permits account holders to download their entire personal data profile – no matter which side of the Atlantic they live on.

Andy Green is a technical content specialist at Varonis, a provider of data governance software. Green is a veteran technology journalist with over 12 years of experience writing about high-tech topics for B2B publications, market research firms, as well as several software companies. At Varonis, he focuses on drawing connections between data security, compliance regulations and real-world IT solutions. Besides developing research reports and other critical content, he actively contributes to the Varonis blog. In his limited free time, Green also covers the local NYC startup scene for the Technoverse Blog (TvB), which he founded.