Mission: Interoperability

This article was first published in Data Protection Law & Policy in March 2012.

Obama gets it. Viviane Reding gets it. This is indeed a defining moment to get our public policies right in terms of global data protection and privacy. Ignore the human and social implications of the exploitation of personal data and we will lose forever the right to privacy and possibly our freedom. Be too overprotective with one of our greatest assets of our time and we will definitely block progress and prosperity. The stakes are really that high. That was the key underlying message of the recent EU-U.S. Conference on Privacy and Protection of Personal Data held simultaneously in Brussels and Washington.

The EU and the US are by no means the only players in this field, but they have been very active protagonists in relation to the development of policies aimed at addressing the future protection of personal information. The recent conference is therefore a testimony to the commitment by these two parties to achieving that perfect balance between protecting rights and promoting innovation. As mentioned in the jointly released memo, stronger transatlantic cooperation in the field of data protection will enhance consumer trust and promote the continued growth of the global internet economy and the evolving digital transatlantic common market.

So what is being proposed on either side of the Atlantic to achieve that? In Europe, the Commission's draft Regulation published at the end of January will be the obvious point of reference over the next couple of years. The proposed draft is a far reaching document which still needs to be fully understood and debated by all stakeholders involved. But at its core, it is entirely consistent with the strict, prescriptive and traditional approach that has prevailed in European data protection since its origins several decades ago.

In the US, in February the White House released its privacy blueprint, including the Consumer Privacy Bill of Rights. As part of this initiative, President Obama emphasised his Administration's commitment to privacy in the US and called for two very concrete actions. First, Congress was invited to pass legislation applying the Consumer Privacy Bill of Rights to commercial sectors not subject to existing federal data privacy laws. Secondly, the White House encouraged the development of enforceable codes of conduct through the collaboration of industry leaders and civil society. Overall, this is a simple but clever attempt to get data privacy on the US legislative agenda, but in a typically flexible and pragmatic way.

Style-wise, the two camps could not be more apart. One has the wonderful stiffness of Downton Abbey whilst the other exhibits the vibrant notes of Homeland. Yet, both parties are adamant that consensus can be reached. They even go as far as saying that working together is possible to create mutual recognition frameworks that protect privacy. Their joint memo goes on to say that both parties consider that standards in the area of personal data protection should facilitate the free flow of information, goods and services across borders. Crucially, they recognise that while regulatory regimes may differ between the US and Europe, there are common principles at the heart of both systems, now re-affirmed by the developments in the US.

The immediate outcome is quite predictable. The US and the EU have reaffirmed once again their loyalty to the USEU Safe Harbor Framework. So if anyone had any concerns about the long term survival of Safe Harbor as an adequacy mechanism, these can be put to rest. Beyond that, what should we expect? The magic word is interoperability. What we don't know is whether both sides share the same understanding of that concept. For the US, interoperability is an ambitious aim which equates to mutual recognition of their respective data protection frameworks. For Europe, this could well be a soul searching exercise in which we either discover that there is little room for manoeuvre or that we can live with a truly progressive approach to protecting personal information.

Eduardo Ustaran is head of our Privacy and Information Law Group.