A few weeks ago, more than 1,000 academics, legal practitioners and government officials convened for one of Europe’s premier privacy law events: the Computers, Privacy and Data Protection (CPDP) conference in Brussels, Belgium. Europeans dominated this crowd but a significant number of participants from other countries, including the U.S., made this a truly international gathering. I was fortunate to attend the conference and be able to present on two panels: “The EU-U.S. Interface: Is it Possible?” and “Privacy by Analogy.” This article provides an overview of the conference, identifies the main themes that emerged from the three days of panels and discussions, and draws a few strategic conclusions for a U.S. audience.
Led by Professor Paul de Hert, faculty and graduate students from the Free University of Brussels (Vrije Universiteit Brussel) organized much of the CPDP conference. Leading companies, law firms and public interest groups — including Google, Microsoft, Deloitte, epic.org, HP, Intel and others — sponsor the event. An array of universities and other entities organize the 70 panel discussions that form the backbone of the conference (videos of many of these panels are available online). American universities and organizations are getting more involved. This year, Yale, Fordham, the University of Washington and the U.S.-based International Association of Privacy Professionals (IAPP) each sponsored a panel.
Viewed as a whole, the panel topics offer insight into the key themes that are of concern in European and international privacy law circles.
Cross-border data flows
Personal information flows globally, yet privacy laws are national or regional. This makes it difficult to protect personal data as it moves from country to country. It also makes it more difficult for companies to transmit such data across national or regional borders where different privacy law regimes prevail. Several panels focused on this issue. The EU-U.S. Interface: Is it Possible? considered the EU’s and U.S.’s very different approaches to privacy law, whether it may be possible to build a workable interface between them, and how best to do so.
Sounding a similar theme, Could the State of California Qualify for “Adequacy” Status examined whether a state such as California, whose privacy laws are more stringent than federal laws, could meet the EU standard, qualify as “adequate” and, thus, be able to receive and process the personal data of EU citizens.
Moving from the EU-U.S. interface to the world as a whole, Cross-Border Data Flow: Where Do We Stand? explored how regulatory systems around the world could work together to govern, and allow, global data flows. Cross-Border Flow of Personal Information for Financial Services, organized by Korea University, focused on particular facets of this broader issue.
Several panels focused more broadly on the perceived tensions between the EU and U.S. privacy law systems. In one of the conference’s most dramatic and talked-about panels, Between Two Commissions: The European Commission Meets the Federal Trade Commission, FTC Commissioner Julie Brill and European Commission Director for Fundamental Rights Paul Nemitz discussed points of cooperation and tension between their respective privacy and data protection law systems. A panel on The Right to be Forgotten: European and International Perspectives discussed the Court of Justice of the European Union’s Google Spain decision, the way that cultural background influences one’s perception of the right to be forgotten, and the differences between EU, U.S. and other perspectives on this emerging area of data protection law. In a panel about Reviewing Intelligence Services, Data Collection and EU/U.S. Relations, leading European and U.S. privacy law figures discussed the Snowden revelations’ international repercussions, how U.S. intelligence agencies should treat non-U.S. nationals and their post-Snowden reforms.
Quite a few other panels also focused on surveillance. Some covered government surveillance. For example, the Surveillance and Intelligence Agencies: After Snowden, After Charlie panel considered whether the tragic Charlie Hebdo attack would reduce the gap between EU and U.S. positions on national security and surveillance. The Roundtable on (Privacy) Impact Assessments as a Response to (Smart) Surveillance considered how the increased use of privacy impact assessments might alter the public’s gradual, growing acceptance of contemporary government surveillance tactics. I Spy With My Fly examined police use of miniaturized, wearable cameras and their effects both on police accountability and on privacy.
Other panels focused on commercial, rather than governmental, surveillance. For example, the panel Bentham Goes to School: Surveillance and Student Privacy in the Classroom looked at the ways in which personalized learning platforms, closed-circuit TVs in classrooms and playgrounds, and other technologies in schools impact student privacy.
The market for privacy
On a more optimistic note, several panels explored whether companies could gain a competitive advantage by improving their privacy performance and whether, over time, the market will provide greater privacy. The Price to be Left Alone: Can the Market Yield Privacy considered how market forces and privacy interact and whether the market is capable of producing more privacy.
Two panels, How Privacy Innovators are Trying to Seize the Business Opportunity of Personal Data Protection and The Emergence of Privacy Companies: Privacy as a Competitive Advantage identified a variety of new products whose main selling point is their ability to protect personal data and privacy. These panels also discussed the legal and practical barriers to such market developments, and how governments could better support and encourage them.
Big data and data analytics were “big” topics at the conference. The second morning featured a Big Data Breakfast that several dozen participants attended. That evening, an even larger group attended a standing-room-only debate about Big Data and Discrimination. Other panels also engaged with the topic.
Anonymity in the Age of Big and Open Data explained that although anonymity is an essential prerequisite for the use of big and open data, anonymity itself is difficult, perhaps even impossible, to achieve. Opportunities and Risks of Big Data in Disease Surveillance weighed big data’s ability to improve detection of and response to emerging infectious diseases against its potential privacy and social justice impacts. Governing Credit Scoring: Data Protection, Algorithms and Surveillance considered credit scoring practices in the EU and the U.S., and the legal frameworks that govern them.
Rethinking privacy law
Several panels explored new approaches to privacy regulation. For example, the University of Amsterdam’s Institute for Information Law (IViR) organized a panel on Privacy by Analogy that considered the ways in which copyright law, environmental law, consumer protection law and financial regulation are similar to privacy law, and the lessons that these other fields can provide for the emerging field of privacy regulation. Another panel on EU Data Protection Reform discussed the current state of the General Data Protection Regulation, the issues that remain to be resolved, and the likely future of this major re-boot of European data protection law.
U.S. companies and others can draw a number of useful conclusions from the conference proceedings:
- Cross-border transfers of personal data are becoming increasingly ubiquitous and essential to business, yet remain legally problematic. The largest companies have developed Binding Corporate Rules and other means to facilitate these global data flows. Fewer solutions have emerged for mid-sized companies. Such companies need to be aware of the various mechanisms that do exist and how they can best use them.
- The major revision to European data protection regulation — the General Data Protection Regulation (GDPR) — is coming and will likely arrive in 2016. As currently formulated, the GDPR includes both much larger penalties and extraterritorial jurisdiction that may reach U.S. companies. This is a potent combination. American companies that market to Europeans or otherwise use their personal information need to be fully aware of, and prepared for, this significant development. The Snowden revelations remain raw and unresolved. This, combined with the forthcoming GDPR, puts the U.S.-EU Safe Harbor Agreement on more tenuous footing. Companies that rely on the Safe Harbor must remain aware of these developments to plan wisely for the future.
- Big data promises tremendous benefits; however, conference speakers highlighted concerns about its potential privacy and discriminatory impacts. Companies that trigger such concerns could suffer damage to brand and consumer trust — a situation that Target has already experienced, and that other companies will not want to repeat. Businesses that want to achieve big data’s value will need to be aware of these risks and develop a proactive framework for mitigating them.
- Enhanced privacy performance can, in some instances, yield a competitive advantage. This is a new strategy that is only beginning to come into focus. The CPDP panels on this topic suggest that some businesses are successfully employing it. Innovative companies need to look for these opportunities and seize them where they exist.