by Daniel J. Solove
I recently had the opportunity to interview Christopher Kuner, Senior Of Counsel with Wilson Sonsini Goodrich & Rosati in Brussels. He is also an Honorary Professor at the University of Copenhagen, a visiting fellow at the London School of Economics, and teaches at the University of Cambridge. He is editor-in-chief of the law journal International Data Privacy Law, and has been active in international organizations such as the Council of Europe, the OECD, and UNCITRAL. His book entitled “Transborder Data Flows and Data Privacy Law” was published in 2013 by Oxford University Press. More information is available at his personal web site.
What is your prediction about the proposed EU Regulation? Will it pass? When? What will it likely look like?
In fact no one really knows, given that the major political players will change in the next few months (there are elections for the European Parliament in May, and a new European Commission will be chosen in the summer). However, I suspect that it will eventually pass, since governments and politicians won’t want to start from scratch and go through the entire legislative procedure again. I think that the main themes contained in the version of the Regulation approved by the European Parliament in March will remain, but some important details may well change. In terms of timing, my best guess is that it will take until the end of 2014 for the Council of the European Union to reach a common position, and most of 2015 for the Council to reach agreement with the Parliament, which means the Regulation could enter into force in 2017.
What do you think about the future of Safe Harbor? Will it be revised to have stronger protections?
Safe Harbor is a ground-breaking framework that attempts to bridge the EU and US conceptions of privacy protection, and has done a lot to introduce EU data privacy concepts into US business practices. At the same time, the current framework has some gaps, and I think it needs to be adapted to the way the Internet and data processing have evolved since it was enacted in 2000. I think it will survive, but that certain changes have to be made for it to regain some of the credibility it has lost in Europe. The big caveat is that this will require a degree of political will on behalf of the US government that I am not sure is present.
What have been the effects in Europe of the Snowden revelations about NSA spying?
The revelations have had a huge impact. While many of the practices that have come to light were already known, their size and extent was not. They have resulted in a “loss of innocence” with regard to the broad scope of surveillance by the US and the risks of online data processing. In particular, I think the revelations will lead to the enactment of more stringent data protection laws, and will spur the adoption of incentives for locating databases and data processing in Europe (this last development is something I regret).
Why do Europeans seem so upset about spying by the NSA, but less concerned about intelligence gathering by their own governments?
I think that Europeans are concerned about intelligence gathering by their own governments, but there is more tolerance of government data gathering in Europe than in the US. Also, having your data gathered by a foreign government in another region is a different matter from having your own government do so, particularly since the NSA has vastly greater resources than any European intelligence service. However, there is indeed a degree of hypocrisy involved, since many European intelligence services seem to engage in data exchange with the NSA.
You published a book in 2013 dealing with the regulation of data flows around the world; what main conclusions did you draw?
I found that, while the restrictions on transborder data flows in EU law are best known, there are now dozens of countries in all regions of the world that use data protection and privacy law to regulate the transfer of personal data outside their borders. I also found that such legislation is often enacted without clearly understanding the purposes it is meant to serve, or the effects it has. In my book, I argue for governments to take more of a cooperative and less of a confrontational approach to regulating transborder data flows, both to better protect privacy, and to avoid fragmentation of the Internet.
What advice would you give to a global company trying to deal with the variety of privacy laws around the world?
Global companies are often surprised that they have to adapt their data processing practices when they do business abroad. This is not only because of differences in the law, but because customers and individuals increasingly demand that companies offer them the protection of their national laws. There are several strategies for coping with global fragmentation of privacy law. One is to tailor compliance to the requirements of each local market; this is the safest course legally, but it is expensive, lengthy, and difficult to achieve. A second option is to adopt the strictest regulation and apply it globally, but this has its own disadvantages. A third option can be to combine the first two approaches. The approach a company takes will often be determined by the level of legal risk it is willing to accept.
Do you think there is any chance of harmonizing the different approaches to privacy taken around the world?
In terms of enacting a global treaty or binding legal instrument, I think this is highly unlikely any time soon. At the same time, there has been a growing appreciation over the past few years of the need for greater coordination between the different national and regional approaches to data privacy, and I hope that this can help bridge the gaps between them. We can’t expect that countries will give up their own national privacy frameworks, but I think that much can be achieved through international cooperation, private-sector mechanisms, and technological solutions.
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of training on privacy and security topics. This post was originally posted on his blog at LinkedIn, where Solove is an “LinkedIn Influencer.” His blog has more than 600,000 followers.
If you are interested in privacy and data security issues, there are many great ways Professor Solove can help you stay informed:
* Professor Solove’s LinkedIn Influencer blog
* Professor Solove’s Twitter Feed
* Professor Solove’s Newsletter