On the Importance of Cross-Border Privacy Regulation

Hi, Jules Cohen here, from Microsoft's corporate privacy team.

Last Monday, I had the pleasure of attending the Data Privacy Day conference at Duke University in Durham, North Carolina. The event, one of many planned to commemorate Data Privacy Day 2008 in the U.S. and Data Protection Day in the EU, brought academics, regulators from the EU and the U.S. and industry representatives together to discuss some of the pressing issues in privacy today.

To put a finer point on it, the underlying theme of the event centered on the challenges that we collectively face in our attempts to share and use data across the Atlantic in ways that are equally privacy-centric and compliant with the different sets of laws that exist in the U.S. and EU.

As a group, we had a day of fruitful exchanges discussing these issues and focusing on our shared goal of protecting and improving privacy.

Why is this kind of dialogue so vital?

To begin, allow me to set the scene for those who may not be quite as close to the issues. Of utmost importance is an understanding of the differences in the ways in which the U.S. and the EU approach privacy regulations.

The U.S. has deployed a variety of different laws and regulations at both the national and state level that seek to provide consumer protection in a number of sectors where privacy issues have emerged. (Microsoft was a founding member of the Consumer Privacy Legislative Forum (CPL), and one of the companies that led the call for federal privacy legislation with the intent of unifying and harmonizing the U.S. state and federal approaches so that they form a single set of national rules.) Data uses that fall within the scope of one of these laws or regulations are regulated. However, many uses of data fall outside the scope of the existing regulatory structure, and as such, are less strictly regulated.

In contrast with the U.S., the EU directive was designed to enable the free flow of information within Europe in a manner that accords a level of common protection of the data. With this purpose as its foundation, the EU strives to regulate uses of personal data across the entire spectrum of industry and public sector uses rather than limiting such regulation to the specific industries where issues have emerged.

So, why is this distinction so important?

The answer lies in the globalized nature of data flows and our interdependent economies. If data in the U.S. simply stayed in the U.S. and data in the EU simply stayed in the EU, the two systems would be able to co-exist without having to interact with one another.

As soon as data passes from one environment to the other, however, a relationship is created in which we need to have good ways to make sure that the level of data protection for both parties is adequate to meet the requirements of different sets of regulations.

An event like last week’s Privacy Day conference in Durham is but one example of the many forums where stakeholders from both sides of the Atlantic work together to address these complex yet fundamental issues.

Most notably, this event represents an important part of the complicated but essential process of making sure that data that flows between the two jurisdictions continues to be compliant with all the relevant laws.

Thanks again to our hosts at Duke. If you would like to watch any of the conference sessions, you can stream them from the Duke website.