RSA 2012: US Lobbying Hard To Alter EU Data Protection Law

The American government wants European data protection proposals changed, and is working with the US Chamber of Commerce to lobby the EU to alter them, TechWeekEurope understands.

The European Commission proposed a fresh directive and a new regulation on data protection last year, designed to update laws across member states, which have been following Brussels’ guidelines dating back to 1995.

Yet it came under fire for introducing a number of “overbearing” proposals, including fines of up to two per cent of the global annual turnover of a company for severe security events, a 24-hour data breach disclosure rule, a stipulation to make companies with more than 250 employees appoint a data protection officer, and the need to implement “privacy by design”.

Adam Schlosser, the US Chamber of Commerce’s senior manager for global regulatory cooperation, was open about how much effort was going into lobbying, telling TechWeekEurope the body has been engaged since March, and has a taskforce with around 50 members working on the issue.

It has submitted some proposed amendments to commission committees and is working alongside official government bodies, including the US Department of Commerce, on the issue. Schlosser said the Chamber of Commerce had made “incremental progress”.

“Some of the biggest concerns are providing flexibility for different business models, allowing for compliance with existing legal obligations (such as anti-fraud) both in the EU and in third countries, and actually creating a ‘one-stop shop’ that is predictable and consistent across member states,” he added.

“On the lobbying efforts – I think we are making some incremental progress with Parliament and also will continue to work with key allies at the member state level (in particular the UK is very engaged).  However, much more work is left to be done. The business community will need sustained and continued efforts to develop a pragmatic approach that considers how a final regulation can actually work in the real world.”

The American Chamber of Commerce to the European Union, a separate but affiliated group, is also working on the issue.

US unhappy with EU data protection?

The commission’s proposed rules will affect global companies, and the US is not happy about some of the ideas put forward by the Commission, Alfredo Della Monica (pictured), counsel at American Express and the man responsible for the company’s EMEA data protection issues, told TechWeekEurope today, during a discussion of privacy by design at RSA 2012.

“The US Chamber of Commerce in Brussels is lobbying quite hard on the regulation because there is input from the US government to do so and because the regulation was meant to solve problems, but it doesn’t really solve anything,” he said.

Last year, it was reported that the US government was involved in a widespread lobbying effort against the proposed legislation, but that was being led directly by the US Department of Commerce.

Vice-president and commissioner responsible for justice, fundamental rights and citizenship Viviane Reding (pictured) has been discussing data protection law with relevant parties this week as part of an interparliamentary committee.

She said that she is “willing to review the scope and number of delegated acts, and to limit them to what is necessary to keep the regulation sufficiently open to future technological developments”. “But allow me a word of warning: there are no easy alternatives,” Reding said yesterday.

Reding also said both public and private sectors would have to implement privacy by design. “These principles make sense both in the public and private sector, and it cannot be taken for granted that the public sector will always follow them if they are not clearly set out in law.”

Monica would rather see the privacy by design principle taken out of the law, as its definition would differ across nations if it was enshrined in legislation, making the job of global firm considerably more difficult. American Express recently set up an internal group to establish the potential impact of the laws on the company.

The chief problem with the EU directive and regulation is enforcement, Monica said, especially if businesses are punished for not deploying compliant technologies.

“Technology is changing every six weeks, so how can you really be state of the art? If you’re a small company, how can you be privacy compliant? It does not really make sense.”

Another contentious issue in the EU proposals is the “right to be forgotten”. Many believe it is technically infeasible, largely because of the way data is disseminated and stored today, but according to the BBC’s head of info policy and compliance James Leaton-Gray, it will remain in the legislation when it becomes law in or around 2015.

That’s because the right is one of Reding’s favourite parts of the legislation. As for the BBC’s view on the EU rules, Leaton-Gray said the organisation has already entrenched a privacy by design approach as it runs on the basis of trust with readers and viewers.

“Trust is fundamental to us, so for me, this is just building on one of our core values anyway,” he told TechWeekEurope.

Are you a security expert? Find out with our quiz!