Report: US & Europe need “privacy bridges” for personal data

CSAIL-driven effort convenes technology, privacy law experts to recommend practical steps to improve protections for EU and US web users

Just two weeks after Europe’s highest court struck down the “safe-harbor” agreement that let companies move digital information between the EU and the US, researchers from CSAIL and the University of Amsterdam published a report delivering ten practical proposals to increase the level of privacy protection in Trans-Atlantic web environments.

Written by a group of nineteen privacy law and technology experts from the European Union and the United States, the report is aimed at bridging gaps between the existing approaches to data privacy of the EU and the US, in a way that produces a high level of privacy protection, furthering the rights of individuals and increasing certainty for commercial organizations.

“Privacy Bridges,” as described in the group’s report, will increase user control over personal data online, foster shared norms on new privacy challenges such as big data analytics and Internet of things, and develop common approaches to shared privacy obligations such as data breach notification and de-identification standards.

The report was co-chaired by CSAIL principal investigator Daniel Weitzner, Director of the MIT Internet Policy Research Initiative.

“Our study over the last two years shows that the EU and the US share common democratic values, from which much of our privacy law and practice has developed,” Weitzner says. “However, each legal system has made very different choices in how we implement those values. With Internet services that operate across the US-EU border in real time, we believe that increased practical engagement between civil society, industry, academia and governments is vital to develop shared privacy practices.”

A turning point for trans-Atlantic privacy
The Privacy Bridges report is being released at a sensitive moment in EU-US privacy relations, with the Court of Justice of the European Union (CJEU) declaring the Safe Harbor agreement invalid for failure to protect the fundamental rights of EU citizens.

Prof. Nico van Eijk, co-convenor of the Bridges group from the University of Amsterdam, explains, “Our goal with Privacy Bridges is to encourage a common set of privacy practices that treat all users equally, regardless of where they live. The recent ruling from the Court of Justice of the European Union demonstrates how urgent this task is today.”

The Privacy Bridges project has been invited to present the results of our work as the centerpiece of the 37th International Privacy Conference, the annual gathering of data protection and privacy regulators from around the world, held this year in Amsterdam on 27-28 October.

The report is the result of a 1½-year-long study process convened by the University of Amsterdam Institute for Information Law and the Massachusetts Institute of Technology Internet Policy Research Initiative.

The bridges
These ten privacy bridges are all practical steps that require no change to the law yet will result in better-informed, more consistent regulatory cooperation, policy guidance, and enforcement activity. While many members of the expert group that produced these recommendations have strong views about the future direction of US and EU privacy laws, here we seek to contribute to privacy challenges facing the information society, without entering into debates on changes to underlying constitutional or statutory frameworks. The Privacy Bridges mission has never sought to define the legal relationships between the US and the European Union. We believe that is a matter for democratic debate and government leadership. There is urgency for governments to take on these questions, but we believe we cannot wait to undertake these practical steps in parallel.

Bridge 1: Deepen the Article 29 Working Party/Federal Trade Commission relationship
Bridge 2: Promote widespread implementation of user control technologies
Bridge 3: Develop new approaches to transparency
Bridge 4: Implement user-complaint mechanisms to ease redress of violations outside a user’s region
Bridge 5: Develop best practices for handling government access to private sector personal data
Bridge 6: Develop best practices for de-identification of personal data
Bridge 7: Share best practices for security breach notification
Bridge 8: Enhancing Accountability
Bridge 9: Greater government-to-government engagement among executive branch policymakers
Bridge 10: Collaborating on privacy research programs