Our risk-based maturity approach to privacy, uncommon in North America, has several characteristics in common with the European Union’s approach, as outlined in the European Commission’s proposed General Data Protection Regulation (2012). Privacy professionals in North America would do well to study the European Union’s (EU) more mature, integrated approach to the protection of personal information, including health data. In this newsletter, we offer a brief overview of the proposed EU regulation as it compares to North American privacy law.
The EU’s proposed regulation clarifies uncertainties in the existing Data Protection Directive (1995) and aims to harmonize privacy laws across EU member states. One of the primary drivers behind the new law is the need to strengthen trust as EU countries work towards integrating their digital markets. In contrast, while North American legislators may believe that privacy laws and provisions have been harmonized by the North American Free Trade Agreement (NAFTA), legislation and enforcement are often fragmented. Vague language in North American laws has led to ambiguous interpretation and, often, to a lack of enforcement. Moreover, while the EU regulation covers a range of public and private sector scenarios, North American legislation is sector-specific. With more data sharing across organizational boundaries, sector-specific laws are becoming increasingly difficult to apply, and many initiatives now require extensive consultation just to establish which privacy obligations apply. Data sharing across jurisdictions raises further complications; in Canada, for instance, some provinces have similar privacy laws in both commerce and healthcare, but others have very divergent legislation.
While unifying privacy legislation across sectors and jurisdictions is one of the main advantages of the EU regulation, EU legislation also reflects a more mature approach to privacy in the contexts of several common scenarios: data sharing between organizations and across jurisdictions, validation of legal compliance, data breaches, and collective action by citizens.
Data sharing between organizations
European Union and North American laws on data sharing reflect very different conceptions of responsibility for protecting privacy. At first glance, North American laws mandate that personal data shared with a third party be bound by a policy whose provisions are at least as stringent as the terms to which citizens agreed when they first released their personal data. However, North American privacy laws hold accountable only the primary service provider that first collected the data; privacy breaches by data recipients are treated as violations of contractual obligations, not as violations of privacy rights. The European Union’s proposed regulation, in contrast, adopts a shared responsibility model for data sharing: both service providers and data recipients or subcontractors are responsible for enforcing privacy provisions. Further, under this regulation, service providers may not share personal data with a third party unless enforcement of privacy provisions at least as strong as those in the original agreements with citizens can be guaranteed. A shared responsibility model reflects greater privacy maturity by shifting from an exclusive focus on adequate policies and agreements to ensuring effective implementation through monitoring and governance of all data holders.
Data sharing across jurisdictions
European and North American legislation concerning data sharing across jurisdictions is equally divergent. The EU approach is territorial: foreign companies must comply with the laws of the countries in which their customers reside. In North America, by contrast, the United States (US) Patriot Act subjects information held by American companies, including data about foreign customers, to US government surveillance demands. Foreign citizens have little recourse to protect the privacy of personal information held by American multinational companies, which include most cloud computing service providers.
For these multinational companies to operate in Europe, national regulators in each EU jurisdiction will have to assess the legal compliance of company codes of conduct. Codes of conduct will have to contain satisfactory privacy principles (e.g., transparency, data quality, security) and effective implementation tools (e.g., auditing, training, complaints management), and demonstrate that they are binding. Codes of conduct must apply to all entities involved in the business of the controller or the subcontractor group, including their employees, and all entities must ensure compliance. These requirements for codes of conduct – satisfactory policies, implementation tools, and effective risk management – are similar to aspects of a mature privacy program as described in the RPM model. They are also largely incompatible with current North American practice; under the EU regulation, cloud computing service providers will almost certainly have to locate servers outside of the US to prevent privacy violations due to American surveillance.
Validation of legal compliance
The European Union approach to validating compliance with privacy laws similarly reflects a higher level of maturity than North American law. While Canadian law, for example, requires privacy impact assessments for all initiatives handling personal information, the content of these assessments is defined only in terms of compliance with general principles. The EU regulation, on the other hand, defines specific criteria for privacy impact assessments based on the financial standing and location (e.g., physical security) of an organization, whether the organization uses video recording (e.g., security cameras, traffic cameras), and whether it handles genetic or biometric data or information pertaining to children. Any organization with 250 or more employees will be obligated to appoint a delegate (a data protection officer) who reports to the regulator on privacy. The delegate is to report on the specific measures taken to manage all privacy risks, either upstream of a potential violation (e.g., security policy, incident identification, crisis management, privacy training) or downstream of it (e.g., response plan).
Furthermore, as privacy specialists in North America have been advocating, the EU regulation mandates that companies implement the risk mitigation plans they present to regulators; North American laws require only that organizations create such plans. The EU regulation makes corporate rules and policies binding, including those related to incident management, and through auditing and monitoring holds organizations accountable for their publicly and internally published policies.
Data breaches
In line with its greater focus on privacy risk management and enforcement, the proposed EU regulation requires that companies, inside or outside of the EU, that hold information pertaining to EU citizens notify those citizens in the case of a data breach. US laws currently have no clear rules for breaches spanning multiple jurisdictions, although, because most internet service providers are based in the US, foreign companies holding information about US citizens are the less common case. The EU regulation requires that companies notify regulators of breaches within 24 hours, and affected individuals within 72 hours, particularly if the breach increases the risk of identity theft, humiliation, or damage to reputation. North American laws only mandate notifying local regulators of breaches at the company’s earliest convenience, which in practice means within two or three months, and notifying individuals within a similar time frame if the breach creates a risk of harm to them.
Penalties for breaches differ strikingly between Europe and North America as well. One of the most significant changes in the proposed EU regulation is that, for serious violations, fines will be set as a proportion of the company’s revenue (up to 2% of annual worldwide turnover in the current draft). Most North American laws define a fixed maximum fine, typically a few hundred thousand dollars, which is insignificant for large companies. Privacy advocates have argued that for companies to take privacy seriously, fines for violations must be set as a proportion of revenue. The EU regulation’s proposed consequences for data breaches give companies a powerful incentive to develop the capacity to manage privacy risks, rather than writing privacy policies to reassure stakeholders without necessarily implementing them effectively.
The ability to take collective action
Finally, the proposed EU regulation allows individual citizens to exercise their right to protect their personal data, including the right to be removed from databases (the “right to be forgotten”) and the right to transfer their data elsewhere (data portability). Citizens can appeal individually or through any agency, organization or association that works to protect their rights and interests. The regulation also guarantees the right to compensation for damages in the case of a privacy breach involving one or more data custodians. North American laws, on the other hand, describe no specific recourse for citizens to seek control of their personal data or compensation for privacy violations. Citizens in Canada and the US can only lodge complaints with the provincial or state privacy commissioner, which makes it much more difficult to launch class action suits or otherwise advocate for privacy as a citizen collective.
North American legislators, public administrators, and privacy professionals can learn valuable lessons from the European Union’s proposed privacy regulation. This regulation mandates mature privacy practices similar to those described in our RPM model: well-defined policies and processes, empirically based risk management practices, and effective implementation tools. The regulation is particularly powerful in its focus on enforcing implementation. By unifying legislation across sectors and jurisdictions, it bridges legislative and enforcement gaps. It holds companies accountable to their privacy obligations by clearly defining responsibility and accountability, enhancing auditing and monitoring, and creating serious consequences for violations. With the expansion of cloud computing and data sharing, similar provisions are needed to mitigate major privacy risks in North America as well.