Privacy regulators: US and EU will take different approaches

Both governments push for new online privacy standards, but EU officials question US enforcement efforts

The development of online privacy protections is at a critical moment as policy makers in both the U.S. and European Union push for changes to their privacy rules, but coordination of enforcement across the Atlantic Ocean may be tricky, several privacy experts said Monday.

The U.S. and the E.U. have very different approaches to privacy enforcement, with the U.S. focused on enforcing privacy promises that companies make and the E.U. enforcing privacy rights even when companies make no promises, said Paul Nemitz, director of fundamental rights and citizenship at the European Commission. The E.U. sees privacy as a basic right, and "our citizens expect that these rights are enforced," he said at an E.U. conference on privacy and data protection at the U.S. Institute for Peace in Washington, D.C.

At a panel discussion about privacy enforcement, Nemitz and U.S. officials seemed to disagree about whether the E.U. or the U.S. takes a stronger role in privacy enforcement. Nemitz questioned an assertion by Cameron Kerry, general counsel at the U.S. Department of Commerce, that sister agency the U.S. Federal Trade Commission was a global leader in enforcing privacy protections.

The FTC is a global leader, "perhaps in PR," Nemitz said.

Several European privacy agencies have been at least as active as the FTC, but their efforts aren't as publicized because they don't release information in English, Nemitz said. In addition, with 27 separate privacy protection agencies in the E.U., sometimes actions by individual countries don't get much attention, added Jacob Kohnstamm, chairman of the E.U.'s Article 29 Working Party and the Dutch Data Protection Authority.

The FTC takes Nemitz's comment about public relations as a "compliment," said Maneesha Mithal, associate director at the FTC's Division of Privacy and Identity Protection. The agency makes an effort to publicize its enforcement efforts as a deterrent to other companies, she said.

Some participants in the conference questioned whether E.U. privacy agencies are now effective against big companies such as Facebook and Google. In some cases, U.S. Internet companies appear to be breaking E.U. data protection rules with no consequences, said Austrian law student Max Schrems, a frequent critic of Facebook.

It shouldn't be up to students to highlight bad privacy practices, Schrems said. "What does [the law] actually need to make at least the big shots compliant with the most basic principles we have in the law right now?" he said.

The E.U.'s proposed data protection rules, announced in January, should elevate the profile of the E.U.'s data protection and privacy efforts and make company boards pay attention to privacy rules, Kohnstamm said. The proposed rules include fines of up to 2 percent of a company's global revenue.

As the E.U. pushes for a single privacy law, U.S. President Barack Obama's administration has called for privacy codes of conduct to be developed at the Department of Commerce with input from companies, privacy advocates and other groups.

Privacy protection is at a "pivotal moment" as both processes move forward and as the FTC continues to look at privacy protections, said Julie Brill, a commissioner at the FTC. While the details may differ in the U.S. and E.U. approaches, both governments are working toward a baseline set of privacy goals, including more transparency for consumers about how their data is used and more access to their data held by companies, she said.

Privacy enforcement agencies from the U.S., the E.U. and other countries are needed to provide adequate protections for consumers, Brill added.

Nemitz and privacy advocate Jeffrey Chester, executive director of the Center for Digital Democracy, both questioned the Obama administration's so-called multistakeholder approach of allowing companies to help write privacy codes of conduct. Even with privacy advocates in the room, Internet companies could get their way because of vastly superior resources, Chester said.

A multistakeholder approach does not "carry the legitimacy" of privacy rules made by elected legislators, Nemitz added.

Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant's e-mail address is
