The EU’s proposed General Data Protection Regulation “raises the stakes in the ongoing privacy-versus-security debate between the EU and the US,” says Feiler.
“The EU’s draft proposal of a General Data Protection Regulation would make clear that so-called National Security Letters (NSL) issued by the FBI pursuant to USA Patriot Act Section 505 are not to be recognised in the EU,” he adds.
“For any US company to disclose personal data of EU residents pursuant to an NSL, an approval by the data protection authority of an EU member state would have to be obtained first. Companies that fail to do so would be subject to fines of up to two per cent of their annual worldwide turnover.”
The proposed US Consumer Privacy Bill of Rights is one of four elements of a report, Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy (PDF), announced by the White House in February.
The other elements include a stakeholder-driven process to specify how these rights apply in particular business contexts; enforcement by the Federal Trade Commission (FTC); and greater privacy interoperability between the US and international partners.
“The [Bill] recognises that privacy is not a ‘one size fits all’ proposition as its central feature is the call for multiple-stakeholder groups to establish industry-specific or technology-specific codes of conduct,” Chris Wolf, Washington partner of Hogan Lovells, told Computing.
Indeed, the US and EU measures show a fundamentally different approach to privacy, say legal experts.
“The rules in the US might be more flexible, especially in relation to issues like consent,” says Wilmot. “The US may allow more data processing without explicit consent, provided that the processing is consistent with the context in which the data was collected.”
The Bill says that at the time of collection, companies should present choices about data sharing, collection, use, and disclosure that are “appropriate for the scale, scope, and sensitivity of personal data in question”, irrespective of whether the company uses the data itself or discloses it to third parties.
So the regulations will be more stringent for search engines and social networks that build detailed profiles of individual behaviour which may contain sensitive information, such as personal health or financial data.