The Federal Trade Commission released its report on consumer privacy on Monday to provide policy recommendations for American businesses and legislators. Combined with the recently released Privacy Bill of Rights, the report helps lay out a path for the emerging comprehensive US data privacy framework.
As the EU also advances a revision of its data privacy regime through its new draft regulation a key factor to examine is how the two continents’ modified approaches will interact. Put another way, considering the need for data collection and processing, are the two distinct privacy regimes becoming more interoperable or are they diverging?
For example, the three documents consider when consumer choice (known as consent in the EU) should be offered before personal data can be collected or further processed. While the FTC report and Privacy Bill of Rights may result in a simplification of consumer choice principles, the EU draft regulation aims to toughen the concept by requiring “explicit consent”.
The major difference is in the two continents’ approach to individual control, i.e. when and to what degree must choice and transparency be provided to the data subject before the controller is able to collect data. The US’s proposed approach relies on the concept of “context”, meaning that processing should only be carried out in the context of the services requested by the consumer. The EU’s draft regulation, by contrast, calls for controllers to demonstrate a “legitimate basis” for data processing.
In both cases, companies are limited to processing data for purposes that are compatible with the original collection of data. Furthermore, both concepts have been proposed in an effort to allow companies to fulfill their contractual obligations to data subjects without having to solicit permission for each required data operation.
However, While the EU’s “legitimate basis” is exclusively intended to be a derogation from a process which otherwise relies on strict (explicit) consent, the US provides a framework in which companies need only provide choice and heightened transparency when data is used in a manner diverging from “commonly accepted principles”, i.e. when processing is outside the context of why a particular set of data was collected.
The ability for data collection to lead innovation has propelled the debates on choice and explicit consent to become a key issue in today’s global privacy debate. Forthcoming legislation will determine whether data privacy regulation is compatible with innovation and therefore provides policy-makers on both sides of the Atlantic with the opportunity to bridge the gap between their distinct privacy approaches.