I have just co-authored a study with Priscilla Regan and Robin Bayley on the effectiveness of privacy redress mechanisms in Canada and the United States. In our view, too much comparative privacy research is based on the abstract comparison of the ‘black letter of the law.’ So we decided to examine some real cases involving real individuals who have suffered real privacy harms. In this way, we analyzed neither abstract risks nor hypothetical individuals.
We investigated six cases from different sectors involving complaints to the Office of the Privacy Commissioner of Canada (OPC) under the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA). We then asked the question, if these same individuals lived in the United States how would they protect their privacy? What laws would protect them? How would they complain? To whom would they complain? And what would be their chances of success?
We looked at cases in the areas of online marketing, online dating, credit reporting, insurance, hotel records and cellular telephone services. In each of the cases, the individual gained some redress under PIPEDA and the company altered its practices. No monetary compensation was involved. And the investigations often took some considerable time. The PIPEDA complaints process has a number of shortcomings. Nevertheless, the system seemed to ‘work’ for the individual in each case.
How would similar disputes be handled in the US? Our analysis made for sorry reading. In only case, credit-reporting, was a US federal statute clearly relevant. In all the others, the ability to get redress was highly contingent upon: 1) whether unfair or deceptive trade practices could be proven (thus triggering possible action by the Federal Trade Commission); 2) the state in which the individual lived (offering possible action by the state attorney-general); 3) the relevance of a confusing array of company and sectoral self-regulatory initiatives; and 4) the overall persistence, knowledge and financial resources of the individual concerned.
Our cases were not ‘representative’ of all sectors. Nevertheless, we doubt whether the choice of cases in other sectors would have significantly improved the results. One obvious weakness of a “patchwork” regime of private sector privacy protection based on ‘sectoral’ regulation is to figure out where one sector ends, and another begins. The more comprehensive system in Canada at least provides a single and harmonized standard and one point of contact (the OPC) for the vast majority of privacy complaints.
In the context of the highly politicized transatlantic disputes over data privacy, there has been a tendency among US commentators to claim that the US system, while different, is in fact functionally equivalent. Although there is no over-arching data protection statute for the private sector, nor any one data protection authority (DPA), the sum total of all federal and state, statutory, tort and constitutional law constitutes an overall privacy regime that offers much the same combination of individual rights and organizational obligations as exists elsewhere. A “networked and layered” approach to protecting personal information has evolved organically, consistent with the separation of powers, the Bill of Rights and American federalism. This sectoral approach is different from that in other countries, but it is “essentially equivalent.”
There has clearly been some significant progress in privacy enforcement by the FTC against a range of companies, sometimes involving huge fines. But when you look at the most central component of any privacy protection regime, the ability of any individual to control the circulation of his or her personal information, the US system provides no clear paths of redress for the average consumer.
This, of course, is one of the principal concerns of the Europeans over the years. The ability to provide “support and help to data subjects in the exercise of their rights” rapidly, effectively and without prohibitive cost has been an essential condition for the assessment of an “adequate data protection” for the transfer of personal data outside the EU under the 1995 Data Protection Directive and one chief reason why they have refused to designate the US as an ‘adequate’ jurisdiction.
Does the new “Privacy Shield” negotiated between the US and Europe improve the situation for the average American consumer? Despite misgivings by the Article 29 Working Party, the European Data Protection Supervisor (EDPS) and the European Parliament, the Commission has now given its final approval, and the Privacy Shield is now in effect. Companies will be able to certify their compliance as of August 1st and be able to import data on European citizens for processing in the US. “The EU-US Privacy Shield will ensure a high level of protection for individuals and legal certainty for business,” stated Commissioner Jourova. “It is fundamentally different from the old Safe Harbour.” But which individuals, exactly?
U.S. companies wishing to import personal data from Europe will need to commit to somewhat more robust obligations than under Safe Harbor on how personal data is processed and how data subject rights are guaranteed. These include more detailed notice obligations, data retention limits, access rights, and tightened conditions for onward transfers. There are also some more stringent data integrity and purpose limitation principles, and security requirements.
The Department of Commerce is supposed to monitor compliance more diligently, than it did under the Safe Harbor agreement. Companies that fail to meet their obligations will face sanctions or will lose their eligibility to use the Privacy Shield to legitimize their cross-border data transfers.
The US Department of Justice and the Office of the Director of National Intelligence have given written assurances that the access of U.S. intelligence to EU personal data will be subject to clear limitations, safeguards and oversight mechanisms. U.S. authorities have also, reportedly, ruled out indiscriminate mass surveillance on the personal data transferred to the United States under the new arrangement, although there is inevitable confusion about what this means in practice. The European Commission and the Department of Commerce will conduct annual joint reviews and invite national intelligence experts from the United States and the European DPAs to participate.
What about redress? Europeans will be able to complain: 1) directly to companies, which will have 45 days to resolve the complaint; 2) through Alternative Dispute resolution; or 3) directly to EU DPAs, which will be able to refer unresolved complaints to the FTC or the Department of Commerce.
As a last resort, a new Privacy Shield panel has the authority to impose individual-specific, non-monetary relief (such as access, correction, deletion, or return of the individual’s data in question) necessary to remedy the violation of the Principles. But no damages, costs, fees, or other remedies are available. For complaints on possible access by national intelligence agencies, a new special Ombudsman will be created in the U.S. State Department.
On paper, it seems that the Privacy Shield now establishes a quite elaborate set of redress possibilities for any European who wants to complain against a Privacy Shield registered company — if they have the time, expertise and resources.
But what of American consumers? Does it actually strengthen US privacy protection in any way? It is quite obvious from the various letters of agreement that the elaborate redress mechanisms are directed entirely to the European consumer. One could argue that the Privacy Shield agreement would force a stronger set of commitments from US companies than Safe Harbor, and that there would be increased potential for US consumers and privacy advocacy groups to complain about “unfair and deceptive” trade practices to the FTC. Some of the obvious weaknesses of the self-certification process under Safe Harbor seem to have been improved. But the potential for enforcement is linked to the nature of the claim. And if a company only claims that it adheres to these principles with respect to data flowing from Europe, then presumably the US consumer is out of luck.
Returning to our paper, our research indicates that real problems raised by ordinary individuals are at the heart of the philosophy and politics of privacy protection. Some of our cases may seem mundane, and none resulted in the award of monetary damages. However, they were significant to the Canadians who took the trouble to complain to the OPC. These individuals were exercising their basic rights to control the circulation of their personal information.
The Privacy Shield arrangement has already come in for a lot of criticism from international civil liberties and privacy advocates. ‘New Shield, Old Problems’ declared Privacy International. And there is already talk of further legal challenges from Max Schrems, and predictions that it does not provide the kind of legal certainty that businesses require.
Whether or not the Privacy Shield goes far enough in addressing EU data protection concerns, and whether it will be able to stand up to future legal challenges that may be brought before the European Court of Justice, the essential problem will remain. The US privacy protection regime is not functionally equivalent to those in Europe, or to that in Canada for that matter. For all the transatlantic negotiations and high-level litigation, the central problem remains in US privacy protection – the individual consumer is marginalized, and will remain so. For all the laws, there really is not much “protection” — either for Europeans or Americans.