International privacy law and technology scholars recommend practical steps in improving protection for EU and US Internet Users

October 21, 2015

Just two weeks after Europe’s highest court struck down the “safe-harbor” agreement that let companies move digital information between the EU and the US, a group of nineteen privacy law and technology experts from the European Union and the United States released ten practical proposals  to increase the level of privacy protection in Trans-Atlantic Internet environment. The goal of this report is to bridge gaps between the existing approaches to data privacy of the European Union (EU) and the United States (US), in a way that produces a high level of privacy protection, furthering the rights of individuals and increasing certainty for commercial organizations.

“Privacy Bridges,” as described in the group’s report, will increase user control over personal data online, foster shared norms on new privacy challenges such as big data analytics and Internet of things, and develop common approaches to shared privacy obligations such as data breach notification and de-identification standards.

Describing the work of the group, co-chair Daniel Weitzner, Director of the MIT Internet Policy Research Initiative explains, “our study over the last two years shows that the European Union and the United States share common democratic values, from which much of our privacy law and practice has developed. However, each legal system has made very different choices in how we implement those values. With Internet services that operate across the US-EU border in real time, we believe  that increased practical engagement between civil society, industry, academia and governments is vital to develop shared privacy practices. Respecting existing law, these shared practices can advance the practical privacy rights of Internet users whether they are in Europe, the United States or elsewhere.”

The Privacy Bridges report is being released at a sensitive moment in EU-US privacy relations, with the Court of Justice of the European Union (CJEU) declaring the Safe Harbor agreement invalid for failure to protect the fundamental rights of EU citizens.

Prof. Nico van Eijk, co-convenor of the Bridges group from the University of Amsterdam explains, “Our goal with Privacy Bridges is to encourage a set of common set of privacy practices that treat all users equally, regardless of where they live. The recent ruling from the Court of Justice of the European Union demonstrates how urgent this task is today.”

The Privacy Bridges project has been invited to present the results of our work as the centerpiece of the 37th International Privacy Conference, the annual gathering of data protection and privacy regulators from around the world, held this year in Amsterdam on 27-28 October. The report is the result of a 1½ year long study process convened by the University of Amsterdam Institute for Information Law and the Massachusetts Institute of Technology Internet Policy Research Initiative. The Privacy Bridges project began nearly 2 years ago with strong encouragement from Dutch Data Protection Commission Chair Jacob Kohnstamm so we are pleased to have the chance to present this work at the International Conference which he is chairing this year.

The bridges

These ten privacy bridges are all practical steps that require no change to the law yet will result in better-informed, more consistent regulatory cooperation, policy guidance, and enforcement activity. While many members of the expert group that produced these recommendations have strong views about the future direction of US and EU privacy laws, here we seek to contribute to privacy challenges facing the information society, without entering into debates on changes to underlying constitutional or statutory frameworks. Privacy Bridges mission has never sought to define the legal relationships between the US and the European Union. We believe that is a matter for democratic debate and government leadership. There is urgency for governments to take on these questions, but we believe we cannot wait to undertake these practical steps in parallel.

• Bridge 1: Deepen the Article 29 Working Party/Federal Trade Commission relationship
• Bridge 2: Promote widespread implementation of  user control technologies
• Bridge 3: Develop new approaches to transparency
• Bridge 4: Implement user-complaint mechanisms to ease redress of violations outside a user’s region
• Bridge 5: Develop best practices for handling government access to private sector personal data
• Bridge 6: Develop best practices for de-identification of personal data
• Bridge 7: Share best practices for security breach notification
• Bridge 8: Enhancing Accountability
• Bridge 9: Greater government-to-government engagement among executive branch policymakers
• Bridge 10: Collaborating on privacy research programs

The participants

• Jean-François Abramatic, French National Institute for Computer Science and Applied Mathematics (INRIA)
• Bojana Bellamy, Centre for Information Policy Leadership at Hunton & Williams
• Mary Ellen Callahan, Jenner & Block
• Fred Cate, Indiana University Maurer School of Law
• Patrick van Eecke, University of Antwerp
• Nico van Eijk, Institute for Information Law (IViR) University of Amsterdam (UvA) [Co- chair]
• Elspeth Guild, Centre for European Policy Studies
• Paul de Hert, Vrije Universiteit Brussel (VuB) and Tilburg University
• Peter Hustinx, European Data Protection Supervisor (EDPS) (retired)
• Christopher Kuner, Vrije Universiteit Brussel (VuB)
• Deirdre Mulligan, University of California Berkeley
• Nuala O’Connor, Center for Democracy and Technology
• Joel Reidenberg, Fordham University School of Law
• Ira Rubinstein, Information Law Institute, New York University School of Law [Rapporteur]
• Peter Schaar, European Academy for Freedom of Information and Data Protection
• Nigel Shadbolt, Oxford University
• Sarah Spiekermann, Vienna University of Economics and Business (WU Vienna)
• David Vladeck, Georgetown University Law Center
• Daniel J. Weitzner, Massachusetts Institute of Technology [Co-chair]

The report can be found at: http://privacybridges.org/research/amsterdamreport
Contact MIT: Adam Conner-Simons, aconner@csail.mit.edu, +1 617-324-9135
Contact IViR: Nico van Eijk, n.a.n.m.vaneijk@uva.nl, +31205253931/3406

Media coverage:

• As U.S. Tech Companies Scramble, Group Sees Opportunity in Safe Harbor Decision, New York Times, 20 October 2015.

In Dutch:

• Prof. Nico van Eijk is cited in the article VS en EU naderen elkaar over privacybescherming in Trouw on 21 October 2015.
• Interview with Prof. Nico van Eijk on 21 October 2015 at NOS.nl: Experts: privacybescherming internetter kan veel beter
• BNR Radio: http://www.bnr.nl/?service=player&type=fragment&articleId=2691586&audioId=2691665 (BLT from 15.50 min).