My Presentations on the Obama Administration’s “Privacy Bill of Rights” and the Proposed Amendments to the EU Data Privacy Directive

By Eric Goldman

Many of you probably haven’t heard about the “CONSENT” project in Europe, but you probably will. The CONSENT project is a multi-year, multi-million dollar research project, funded by the European Union, to conduct empirical research on consumer privacy issues in Europe. Ultimately, the research findings should feed into the EU’s evaluation of proposed amendments to the 1995 EU Data Privacy Directive (more on that in a moment). I’m pretty sure the project’s empirical findings will spark some discussion when they are publicly released.

As part of the project, the various project participants recently met face-to-face in Cluj-Napoca, Romania to discuss their work and present some preliminary findings. The conference also had some related presentations, which is what got me to Romania. (See my recap of my trip to Romania and my photo gallery).

The organizers asked me to present about the Obama Administration’s Privacy Bill of Rights. As I’m sure many of you can appreciate, this was not my first choice of topics (indeed, I took a pass on blogging the document when it was released). So after repeatedly confirming if the organizers really, really wanted to discuss the document and if I was the right person to do so, I gave a 30-minute talk describing the Obama administration’s report and providing some critiques. I’ve posted my slides and a recording of my talk (download–item 28 or stream).[FN1]

[FN1] After multiple requests from blog readers, I am trying to get better about doing self-recordings of my talks where the organizers aren’t posting their own recording. Thanks to the readers for encouraging me to do this.

Later in the conference, I participated in a panel discussion about the January 2012 proposed amendments to the EU Data Privacy Directive. I was confused by the interaction between these amendments and the CONSENT project. On the one hand, the EU is spending millions of Euros conducting empirical research to assist its policy-making; on the other hand, the EU is evaluating a proposed amendment before the completion of that research project. I’m a fan of empirical-based policy-making, but only if the empirical work in fact feeds back into the policy-making!

Among conference participants, there seemed to be consensus that (a) the Jan. 2012 proposed amendments will not succeed in their current form, and (b) most folks want data privacy handled as an EU regulation rather than as a directive, which would preempt the patchwork implementation of the directive across the 27 EU member states. Certainly American companies trying to enter the European market would prefer a harmonized regulation rather than having to wrangle 27 different implementations.

As part of my remarks on the panel, I made the following points:

1) Now is a perfect time to rigorously review the lessons learned from the 1995 Directive. It’s been 17 years—long enough to generate enough data to assess its efficacy, but a short enough time that many of the key players in 1995 are still around to get their historical perspectives. This is the same animating principle behind our 15-year retrospective of 47 USC 230 and our upcoming 15-year retrospective of the Digital Millennium Copyright Act. Certainly in the context of considering an amendment to the directive, it would make sense to figure out what went right in the initial directive so the EU can do more of that—and what didn’t work as expected so the EU can avoid making the same mistakes this time.

2) Harmonizing the privacy laws within the EU is a good idea because it helps create a larger common market (an all-EU-wide market), and larger common markets provide greater economic opportunities. Indeed, forming larger common markets is one of the single biggest benefits of the EU generally.

As big as the EU is, the Internet is a potentially bigger common market than the EU—in fact, it has the potential to become the largest common market the world has ever seen. However, I fear that geographic-based regulation is breaking apart the Internet as a common market. So even if the EU succeeds in harmonizing its own law, if the result is that it fragments the Internet into a US Internet and an EU Internet, I think we’ll have lost a major opportunity. The proposed amendment makes a number of points about trying to discipline Internet companies not located in the EU for violating EU law, which could lead to the kind of transborder blockades that we feared with SOPA. But even if we don’t go that far, the reality is that the proposed amendment—along with the current directive—forces the larger Internet companies to create EU-specific services that differ from the service offerings in the United States. The result is that we do end up with multiple unconnected Internets, not a single Internet. I hope to write a Forbes blog post expanding this thought in the near future.

3) If I were to place a $100 wager on whether, over a 50-year time horizon, the US economy will outperform the EU economy, I’d confidently wager all $100 on the US over the EU. We have many, many economic challenges in the United States, but we remain the best place to start new companies that have the best chance of growing into major global companies, while the layers of regulation in the EU make it hard for new companies to start and grow. The proposed amendments to the Data Privacy Directive are just one example of that phenomenon. Instead of trying to foster innovation by scaling back some of the already-onerous provisions of the existing directive, the proposed amendment doubles down on regulation, adding new layers of costly and innovation-chilling regulation. When the EU does that, it enhances the advantages that American businesses have against their global competition (so we in the United States will reap the economic benefits), but it would still make me sad if we lost an opportunity to enhance the overall social welfare in the world due to overregulation. As you can imagine, this last point was especially unpopular in a crowd of pro-privacy Europeans.