Is It Time for EU-U.S. Consensus on Online Privacy?

Lora Bentley

Officials in the UK are calling on the U.S. government and the European Commission to collaborate on a single set of online privacy and data protection laws that would apply in both places.


According to, Ed Vaizey, minister of culture, communications and the Internet, called for lawmakers to reach a consensus on privacy and data protection because the Internet is a global platform.



He explained:

When we place information on the Internet, we are sharing it with the world. The rules governing online privacy need to reflect that. For the sake of web users and businesses we need a unified and consistent approach to online privacy.

An international standard will ensure that businesses have a "level playing field" no matter where they are, he said. A standard approach will also become more important as cloud computing becomes the norm.


This isn't the first time a U.S.-EU data protection pact has been suggested. But reaching a consensus has been difficult up to this point. As has been pointed out several times in the past, the EU's ideas of data protection and privacy don't exactly mesh with the approach taken by the United States. According to EU standards, U.S. protections are inadequate.


Obviously, that has made compliance in the cloud quite an interesting endeavor. Back in 2009, then-Proskauer Rose partner Tanya Forsheit told me:

There just isn't yet a practical solution for protecting data in the cloud, so the law has to kind of catch up with the way the world works.

So maybe now is the time the law begins to catch up with the technology.

Mar 29, 2011 9:09 AM Tanya L. Forsheit says:

Hi Lora - hard to believe so little in the law (and yet so much in the world of cloud computing) has changed in two years! It would be wonderful if we had a "unified and consistent approach to online privacy" across jurisdictions. Unfortunately, as you note, we are not there yet and are still far away. Compliance for multinational organizations continues to be challenging, and those organizations must consider additional risks when placing sensitive data of any kind in the cloud. I doubt the law will ever "catch up" with technology. That being said, there is some good news - today there are some practical solutions available to organizations (but no panacea). It is all about risk assessment and management. Organizations can put in place information security policies and negotiate contracts with cloud service providers and other third-party vendors that help mitigate the risks and address the compliance issues facing them in the many jurisdictions where they operate. (And it helps to get all stakeholders involved in the discussion as early as possible.) For more on the EU-US issues and practical approaches to compliance and risk mitigation, check out my partner Scott Blackmer's post here, and my article on Contracting for Cloud Computing Services, here. Best, Tanya Forsheit, Founding Partner, InfoLawGroup LLP

Mar 30, 2011 8:00 AM Scott Blackmer says:

Privacy online shouldn't be an impossible challenge -- it's an interactive environment where disclosures and options can be given right at the point where consumers are asked for information, or at the point where consumers enter sites that will automatically collect information about them. Notice and consent are touchstones of fair information practices on both sides of the Atlantic.

Of course, there are often questions about exactly what information must be divulged to achieve "fair" notice and "informed" consent. As Tanya says, that is a risk management issue for individual website operators, as requirements and expectations change over time.

Recently, there has been some convergence of legal requirements and public expectations for online privacy. This is driven in part by the FTC's approach to fair trade practices online and also by California's Online Privacy Protection Act, which requires a website privacy notice disclosing the categories of personal information collected through the site and the categories of third parties that receive the information. (What commercial website operator in the US can afford to ignore California?) Similar obligations arise under Canada's PIPEDA privacy law, so there is an emerging practice of website privacy statements and options in North America.

Overseas, national laws based on the EU Data Protection Directive still require more, however, such as disclosure of all the actual parties who will use the data, limitations on data retention, rights of subject access and objection, and an opt-out for any marketing uses of personal information. Unless and until US laws address those issues across the board, we will probably continue to see commercial websites featuring little US and EU flag icons linking to separate sites and separate privacy policies.

But the more controversial practices online involve the covert collection and use of personal information, as in some forms of undisclosed behavioral marketing. That's become a popular concern in Europe as well as in the US and Canada, and it is possible to conceive of an international agreement on standards for disclosure, as well as for cooperation in enforcement across borders, where there is automated data collection across websites or based on search history.

