Senate Commerce Communications Subcommittee Chairman John Kerry, D-Mass., warned on Thursday that unless the United State implements its own privacy rules, it will find itself stuck with standards that have been developed by other countries, and a White House official warned of a "very serious" trade problem -- but Congress appears nowhere near to acting.
Kerry said legislation he introduced last year with Sen. John McCain, R-Ariz., was designed to give companies the flexibility they need to do business and improve protections for consumers while also ensuring U.S. firms can comply with privacy laws in other countries.
“We need to design our program before, frankly, we're frozen into a place where everybody else has designed it for us, where the international community may come up with a set of standards and we're kind of locked in because that’s the way the world is operating,” Kerry said during an event sponsored by the Joint Center for Political and Economic Studies.
The issue is particularly important for U.S. companies that operate abroad. The European Union, one of the United States' biggest trading partners, proposed changes to its privacy rules in January. The E.U. proposal would tighten its rules by requiring companies to obtain express consent from users before collecting some personal data. The proposed changes also would make clear that the E.U. rules apply even to U.S.-based websites as long as those sites are used by European citizens.
The Obama administration unveiled its own privacy proposal last month. It calls for a privacy “bill of rights,” which includes seven principles aimed at giving Americans more control over their personal data. The administration is urging Congress to write the privacy bill of rights into law. At the same time, it called on industry to develop voluntary codes of conduct based on this "bill of rights". The Commerce Department has begun soliciting input on how those codes should be developed. The initial round of comments is due March 26.
Danny Weitzner, the White House deputy chief technology officer for Internet policy, said this industry self-regulatory effort is aimed at trying to get immediate action on the administration’s privacy proposals and is not meant as a substitute for legislation.
“I think it’s no secret to anyone the political challenges of achieving passage of privacy legislation are substantial,” Weitzner said. “We wanted to be able to have a very clear articulation of what we think the important principles behind [legislation should be].… We think we can get started right away in using these principles, but we don’t think that should slow down the process of legislation.”
Despite this, industry representatives and privacy advocates say it’s highly unlikely Congress will move broad consumer-privacy legislation this year. And even Kerry acknowledged that his bill isn’t ready to move. Weitzner, however, echoed Kerry’s concerns about the need for the United States to reassert leadership internationally on privacy.
The United States does not have a broad privacy law that would ensure U.S. companies comply with the E.U. rules, which bar the transfer of personal data from Europe to other countries that lack “adequate” privacy protections. Given this, the United States negotiated a “safe harbor” agreement with the E.U. in the late 1990s to provide U.S. companies a way to comply with its privacy rules.
U.S. officials say they believe the agreement will remain in place after the changes to the E.U. privacy rules go into effect, but some privacy advocates disagree.