Privacy InterestsEditor: Fred H. Cate, fcate@indiana.edu

76 COPUBLISHED BY THE IEEE COMPUTER AND RELIABILITY SOCIETIES 1540-7993/11/$26.00 2011 IEEE JANUARY/FEBRUARY 2011

A Transatlantic Convergence on Privacy?

Union.1 The following month, two US agencies released privacy reports. The US Federal Trade Commissions report, Protect-ing Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers,2 appeared on 1 De-cember. Two weeks later, the US Department of Commerce released its green paper on Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework.3

These three significant and long-awaited government reports provide new insights into how regulators on both sides of the At-lantic view privacy challenges and the extent to which those views are converging.

The European Commissions ReportThe European Commissions report is an important step in the process of reviewing and ultimately revising the EUs 1995 data protection di-rective. Issued as a draft, the report opens with an acknowledgment that rapid technological develop-ments and globalization have pro-foundly changed the world around us, and brought new challenges for the protection of personal data.1

Among those challenges is a marked increase in the risks to privacy and the protection of personal data associated with on-line activity and the reality that ways of collecting personal data have become increasingly elabo-rated and less easily detectable. In addition, the European Com-mission report notes that pub-lic authorities also use more and more personal data for various purposes, such as tracing individ-uals in the event of an outbreak of a communicable disease, for preventing and fighting terror-ism and crime more effectively, to administer social security schemes or for taxation purposes, as part of their e-government ap-plications. These observations prompt the Commission to con-sider whether existing EU data protection legislation can still fully and effectively cope with these challenges.

The reports answer is mixed. On one hand, the core principles of the Directive are still valid and its technologically neutral character should be preserved. On the other, the report identifies a series of problematic issues likely to require updating European data protection:

Fred H. CateIndiana University

As 2010 wore to a close, both the European

Union and US released major reports on pri-

vacy. The first, published on 4 November,

came from the European Commission, A

Comprehensive Approach on Personal Data in the European

the need to clarify and specify the application of data protec-tion principles to new tech-nologies to effectively protect individuals personal data;

the lack of sufficient harmoni-zation between Member States legislation on data protection, in spite of a common EU legal framework;

the need to review and streamline the European ap-proach to international data transfers to make transfers sim-pler and less burdensome;

the need to ensure better en-forcement of data protection rules; and

the need to improve the coher-ence of the data protection legal framework.

The report identifies numerous objectives to pursue in addressing these challenges, including

ensuring a coherent application of data protection rules while considering how new technolo-gies impact individuals rights and freedoms and ensuring the free circulation of personal data within the internal market;

enhancing transparency by en-suring that information about data practices is easily accessible and easy to understand;

improving individual control over ones own data through data minimization and by fa-cilitating exercise of the rights of access, rectification, erasure or blocking of data;

raising awareness of data protec-tion issues;

Privacy Interests

www.computer.org/security 77

promoting informed and free consent, especially in the on-line environment;

better protecting sensitive data;making remedies and sanctions

more effective by possibly ex-plicitly including criminal sanc-tions [for] serious data protection violations or by extending to data protection authorities and civil society associations the power to bring an action before the national courts;

working to eliminate diver-gences between the national laws implementing the Directive, which run counter to one of its main objectivesensuring the free flow of personal data within the internal market;

reducing the administrative burden of the current registra-tion system for data controllers;

clarifying rules regarding which countrys laws apply to which data processing activities;

ensuring that data controllers develop effective policies and mechanisms to ensure compli-ance with data protection rules, focusing more on accountabil-ity and privacy by design;

encouraging self-regulatory initiatives and exploring EU certification schemes;

possibly extending general data protection rules to involve police and judicial cooperation in criminal matters;

clarifying and simplifying the rules for international data transfers; and

continuing to develop high legal and technical standards of data protection in third coun-tries and at [the] international level, strive for the principle of reciprocity of protection in the international actions of the Union, [and enhance coopera-tion with] third countries and international organizations.

This is a long and ambitious list of initiatives, to be sure, but it

reflects a broadening of the dia-logue about the EU directive. The Commission has stressed that the report is a draft and invites com-ments from stakeholders and the public by 15 January 2011.

The Federal Trade Commissions ReportThe report from the US FTC was released on 1 December 2010 and concludes a year-long process involving staff research, exten-sive interviews, and three public roundtables. The purpose was to examine ways of moving beyond the Commissions current ap-proaches to privacy protection, which have focused largely on privacy notices and choice op-portunities, and efforts to prevent economic and physical harm.

The report provides an il-luminating survey of the FTCs involvement in privacy, its policy-making efforts, and its enforce-ment actions. It then turns to the challenges associated with 21st century technology and busi-ness practices that existing ap-proaches to privacy dont address. These challenges will require a reexamination of the balance be-tween how best to protect con-sumer privacy while supporting beneficial uses of information and technological innovation.2 In re-sponse, the Commission staff pro-poses a three-prong framework for industry and regulators.

First, companies should adopt a privacy by design ap-proach by building privacy pro-tections into their everyday business practices. Such protec-tions include providing reason-able security for consumer data, collecting only the data needed for a specific business purpose, retaining data only as long as necessary to fulfill that purpose, safely disposing of data no longer being used, and implementing reasonable procedures to pro-mote data accuracy. In short,

the Commission staff is resusci-tating a range of Fair Informa-tion Practice Principles, moving beyond the narrower focus of notice and choice, security, and (to some degree) access, reflected in its earlier policy statements and enforcement actions.

Second, the FTC report stress-es that the notice-and-choice model, as implemented, has led to long, incomprehensible privacy policies that consumers typically do not read, let alone under-stand. Instead, the Commission staff recommends that compa-nies provide choices to consum-ers about their data practices in a simpler, more streamlined way. Specifically, the report proposes that consumer choice would not be necessary for a limited set of commonly accepted data prac-tices, thus allowing clearer, more meaningful choice with respect to practices of greater concern. In situations in which notice and choice are appropriate, choices should be clearly and concisely described and offered whenand in a context in whichthe con-sumer is making a decision about his or her data.

For the collection and use of data regarding online searching and browsing activitiesirrespec-tive of whether the information is linked to a name or other unique personal identifierCommis-sion staff recommends a do not track option.

Finally, the FTC proposes measures for companies to make their data practices more transpar-ent to consumers:

clear, concise, and easy-to-read privacy notices to promote transparency, accountability, and competition among compa-nies on privacy issues;

reasonable access to data that companies maintain about them, including access to data collected by third parties that

Privacy Interests

78 IEEE SECURITY & PRIVACY JANUARY/FEBRUARY 2011

do not interact with consumers directly, such as data brokers;

robust notice of and affirma-tive consent for material, retroac-

tive changes to data policies; and broad-based efforts by all stake-

holders to educate consumers about commercial data practices and the choices available to them.

The Commission is seeking comments on its draft report until 31 January 2011.

The Department of Commerces ReportThe US Department of Com-merce report was prepared as a green paper by the departments Internet Policy Task Force. It out-lines a policy framework for the Obama administration to balance innovation and robust information flows with the need for better pri-vacy protection and greater cer-tainty about the forms it will take.

The result is what the report calls a Dynamic Privacy Frame-work, designed to protect pri-vacy, transparency, and informed choice while also recognizing the importance of improving custom-er service, recognizing the dynam-ic nature of both technologies and markets, and encouraging contin-ued innovation over time. The framework includes four broad sets of policy recommendations:

Enhance consumer trust online through recognition of revi-talized Fair Information Prac-tice Principles [that] emphasize substantive privacy protection rather than simply creating pro-cedural hurdles. The report recommends that FIPPs re-garding enhancing transparency,

encouraging greater detail in purpose specifications and use limita-tions, and fostering the develop-ment of verifiable evaluation and

accountability programs should receive high priority.

Encourage the development of voluntary, enforceable privacy codes of conduct in specific in-dustries through the collabora-tive efforts of multi-stakeholder groups, the Federal Trade Com-mission, and a Privacy Policy Office within the Department of Commerce.

Encourage global interoper-ability by working to eliminate disparities between national pri-vacy laws that have a growing impact on global competition.

Ensure nationally consistent se-curity breach notification rules.

The report relies more heavily on the role of self-regulation than the other two reports, which isnt too surprising given the departments long involvement in self-regula-tory or co-regulatory efforts such as the Safe Harbor for exporting personal data from Europe to the US, and the fact that the depart-ment generally lacks regulatory or enforcement authority concern-ing privacy.

Somewhat more surprising was the fact that the report rec-ommends that the Adminis-tration review the Electronic Communications Privacy Act (ECPA), with a view to address-ing privacy protection in cloud computing and location-based services. Commerce has no ju-risdiction over government sur-veillance, yet the report notes that numerous commenters have raised questions about whether

ECPA continues to appro-priately protect individuals expectations of privacy and effec-tively punish unlawful access to and disclosure of consumer data.

Comments on the green paper are due by 28 January 2011.

Policymaker Convergence?These brief summaries fail to do justice to any of the reports, but they do show some importantand, to many observers, surpris-ingoverlaps. For example, all three reports are prompted by similar issues and address similar problemsmainly, that current approaches to data protection have become ineffective, if not obsolete.

All three reports explicitly recognize the tension between innovation and intrusion and ac-knowledge both the value and risks of information flow. Notice and choicehallmarks of US pri-vacy protection, but also found in European lawscome in for spe-cial (and well-deserved) criticism, especially in the EU and FTC re-ports. All three reports stress the importance of not over-focusing on notice and choice and ensur-ing that, when presented, theyre clear, concise, and simple to use.

They also recognize the im-portance of industry responsibil-ity, self-regulation, accountability, and international cooperation in enforcement. Furthermore, all three were issued in draft form to provide an opportunity for public comment, reflecting the funda-mental importance of individual and industry participation in for-mulating privacy policy.

These and other similarities appear to reflect growing con-vergence in transatlantic think-ing about data protection issues. The European Commissions re-port reflects concerns about the burden of complying with data protection laws, the tension be-tween protecting privacy and not

All three reports explicitly recognize the tension between

innovation and intrusion and acknowledge both the value and

risks of information flow.

Privacy Interests

www.computer.org/security 79

stifling innovation, inconsistency among member state laws, and the protection of multinational flows of dataconcerns that long-time observers might find more reminiscent of US regula-tors. Furthermore, the FTC and Department of Commerce re-ports expand the range of privacy principles to which companies might be held accountable, the data that might raise privacy is-sues (even if no unique identifiers are involved), and interests that should be protectedall points traditionally expected from Eu-ropean regulators.

The reports are, of course, not the only sign of convergence. The FTC joined with 12 Eu-ropean and other regulators in March 2010 to launch the Global Privacy Enforcement Network to facilitate multinational co-operation in enforcing privacy laws. In October, the FTC was officially admitted to the annual conference of data protection and privacy commissioners. And De-partment of Commerce officials have been increasingly visible in Europe and in discussions with European regulators.

To be sure, neither the re-ports, nor the perspectives they reflect, are identical. The most obvious example is that the Eu-ropean Commission report fo-cuses considerable attention on bringing national government law enforcement and national security activities within the practical scope of data protection law. The FTC report is silent on this subject, reflecting the fact that the FTC has no jurisdiction over government activities, but its interesting to note that the Commerce report did address government surveillance and its likely impact on privacy in cloud computing, even though the de-partment also has no jurisdiction in this area.

Regardless, theres consider-

able convergence between the is-sues the three documents address andalbeit to a somewhat lesser degreethe solutions they pro-pose. This is good news for every-one who cares about privacy on both sides of the Atlantic.

References1. A Comprehensive Approach on

Personal Data in the European Union, Comm. from the Com-mission to the European Parlia-ment, the Council, the Economic and Social Committee and the Committee of the Regions, COM(2010) 609/3, draft, Nov. 2010; http://ec.europa.eu/justice/news/consulting_public/0006/com_2010_609_en.pdf.

2. Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Busi-nesses and Policymakers, US Federal Trade Commission, Pre-

liminary FTC Staff Report, Dec. 2010; www.ftc.gov/os/2010/12/ 101201privacyreport.pdf.

3. Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework, US Department of Commerce, Green Paper, Dec. 2010; www.ntia.doc.gov/repor t s/2010/IPTF_Pr ivacy _GreenPaper_12162010.pdf.

Fred H. Cate is a distinguished profes-sor, C. Ben Dutton Professor of Law,

and adjunct professor of informatics

and computing at Indiana University.

He also directs the universitys Center

for Applied Cybersecurity Research and

Center for Law, Ethics, and Applied Re-

search in Health Information. Contact

him at fcate@indiana.edu.

Selected CS articles and columns are also available for free at

http://ComputingNow.computer.org.

PURPOSE: The IEEE Computer Society is the worlds largest association of computing professionals and is the

leading provider of technical information in the field. Visit our website at www.computer.org.

OMBUDSMAN: Email help@computer.org.

Next Board Meeting: 24 Feb. 2011, Long Beach, Calif., USA

EXECUTIVE COMMITTEEPresident: Sorel Reisman*President-Elect: John W. Walz;* Past President: James D. Isaak;* VP, Standards Activities: Roger U. Fujii; Secretary: Jon Rokne (2nd VP);* VP, Educational Activities: Elizabeth L. Burd;* VP, Member & Geographic Activities: Rangachar Kasturi; VP, Publications: David Alan Grier (1st VP);* VP, Professional Activities: Paul K. Joannou;* VP, Technical & Conference Activities: Paul R. Croll; Treasurer: James W. Moore, CSDP;* 20112012 IEEE Division VIII Director: Susan K. (Kathy) Land, CSDP; 20102011 IEEE Division V Director: Michael R. Williams; 2011 IEEE Division Director V Director-Elect: James W. Moore, CSDP;* Computer Editor in Chief: Carl K. Chang

*voting member, nonvoting member of the Board of Governors

BOARD OF GOVERNORSTerm Expiring 2011: Elisa Bertino, Jose Castillo-Velzquez, George V. Cybenko, Ann DeMarle, David S. Ebert, Hironori Kasahara, Steven L. TanimotoTerm Expiring 2012: Elizabeth L. Burd, Thomas M. Conte, Frank E. Ferrante, Jean-Luc Gaudiot, Paul K. Joannou, Luis Kun, James W. MooreTerm Expiring 2013: Pierre Bourque, Dennis J. Frailey, Atsuhiro Goto, Andr Ivanov, Dejan S. Milojicic, Jane Chu Prey, Charlene (Chuck) Walrad

EXECUTIVE STAFFExecutive Director: Angela R. Burgess; Associate Executive Director, Director, Governance: Anne Marie Kelly; Director, Finance & Accounting: John Miller; Director, Information Technology & Services:

Ray Kahn; Director, Membership Development: Violet S. Doan; Director, Products & Services: Evan Butterfield; Director, Sales & Marketing: Dick Price

COMPUTER SOCIETY OFFICESWashington, D.C.: 2001 L St., Ste. 700, Washington, D.C. 20036Phone: +1 202 371 0101 Fax: +1 202 728 9614Email: hq.ofc@computer.orgLos Alamitos: 10662 Los Vaqueros Circle, Los Alamitos, CA 90720-1314 Phone: +1 714 821 8380 Email: help@computer.orgMembership & Publication OrdersPhone: +1 800 272 6657 Fax: +1 714 821 4641 Email: help@computer.orgAsia/Pacific: Watanabe Building, 1-4-2 Minami-Aoyama, Minato-ku, Tokyo 107-0062, Japan Phone: +81 3 3408 3118 Fax: +81 3 3408 3553 Email: tokyo.ofc@computer.org

IEEE OFFICERSPresident: Moshe Kam; President-Elect: Gordon W. Day; Past President: Pedro A. Ray; Secretary: Roger D. Pollard; Treasurer: Harold L. Flescher; President, Standards Association Board of Governors: Steven M. Mills; VP, Educational Activities: Tariq S. Durrani; VP, Membership & Geographic Activities: Howard E. Michel; VP, Publication Services & Products: David A. Hodges; VP, Technical Activities: Donna L. Hudson; IEEE Division V Director: Michael R. Williams; IEEE Division VIII Director: Susan K. (Kathy) Land, CSDP; President, IEEE-USA: Ronald G. Jensen

revised 18 Jan. 2011