Tiptoeing towards US privacy legislation: is the US a safe harbor for Dutch data?

There is no uniform system of laws regarding the protection of personal data that covers the United States. That is what can make it a challenge for Dutch companies to do business there: except for certain narrow exceptions, Dutch companies are not allowed to have their personal data processed in the US.

The problem is that US privacy policies – if they exist at all – differ from company to company, branch organisation to branch organisation, and even among the various states. In all, it’s a patchwork quilt of different privacy rules and regulations. While it’s true that some US companies get a green light from the EU for having pledged to treat personal data that they process with the same level of security afforded similar types of data in the Netherlands (the so-called “Safe Harbor”-certified companies), studies have uncovered that even that Safe Harbor list is not 100% accurate or reliable.

Therefore the announcement last week of a first draft of proposed legislation from the US Congress of a comprehensive law covering privacy and internet use was considered a big deal. It was met in the US with great fanfare by the general and trade press. A New York Times article, for instance, reported on 4 May 2010 that “a long-awaited draft of a Congressional bill would push American privacy legislation closer to the strict rules that the European Union uses…”.

Does this mean that EU countries and companies should begin to reconsider their privacy policies regarding personal data being sent to and from the US? In short: no. The bill doesn’t offer much ‘push’ to speak of, and it can hardly be compared to the privacy laws of the Netherlands and the EU.

The bill has many limitations, and I will only touch on the main ones here. First, it is not yet even a “bill”. It’s just a draft. The draft was issued by two key members of the House of Representatives: the Democrat and Republican leaders of the House subcommittee on communications, technology and the Internet. This underlines the importance of this draft, because when a bill finally emerges from the House, it will come from that subcommittee. But the draft only represents the first stage of a long winding road: it was released only to get comments from interested parties before the legislators begin in earnest to enact a privacy law. A formal bill is not expected for another couple of months.

Second, it only covers privacy on the internet. Specifically, it focuses on on-line tracking of internet users’ personal data, and even in that attempt, it carves out the entire advertising sector as an exception: for instance, so-called “behavioural targeting advertising” – by which advertisers track a consumer’s web surfing history without any notice or request for the consumer’s consent and then send the consumer targeted ads based on that history – is not covered by the draft bill.

Yet this behavioural targeting is literally in the eye of the privacy storm as far as the internet is concerned. Internet penetration in the US has long passed 70% of the population, and online advertising in general is an industry worth many billions of Euros. Behavioural targeting is one of the fastest growing segments of that industry, and one of the most controversial. Last August, the US Government’s top consumer watchdog (the US Federal Trade Commission chairman) declared that he wanted to terminate (or at least control) this assault on consumers’ privacy. But money talks, apparently, and the two congressmen essentially declared to their fellow legislators that this kind of intrusive advertising is off limits.

Third, for the most part, enactment of the draft bill would mean that a consumer would have to read the fine print of a website’s privacy policy statement and then opt-out of any data collection system that website used before the consumer could be certain that his or her data were indeed being kept private. Who can read and actually understand those privacy statements besides the lawyers who wrote them? And how easy will the companies make it to opt out?

A few companies allow this already, including Google. As an experiment, I decided to opt out of Google’s targeted ads, and it took me about a quarter of an hour to puzzle out how to do it. How many consumers will have that kind of patience? The decision to adopt an ‘opt-out’ system as the default choice instead of the EU’s default ‘opt-in’ approach means that the legislators have chosen to take the side of the businesses at the expense of the consumers.

There are some similarities in the US and EU approaches: the draft bill, for instance, adopts the EU’s distinction between types of personal data, recognising that some data (e.g., medical records, race, religious beliefs, sexual orientation and the like) is “sensitive” and requiring that a consumer give express consent before such data are collected or disclosed.

In general, however, this draft bill reflects the power of the advertising lobby in Washington, and the country has a long way to go (even assuming it gets enacted) before the US can be considered a true “safe harbour” for personal data.
