Identifier
Created
Classification
Origin
09BRUSSELS1140
2009-08-17 12:06:00
UNCLASSIFIED//FOR OFFICIAL USE ONLY
USEU Brussels
Cable title:  

THE MANY SIDES OF DATA PRIVACY: MANAGING RISING TENSIONS

Tags:  ECON ECPS EINT BEXP KJUS KTFN TINT PREL ETTC EUN 
pdf how-to read a cable
VZCZCXRO4194
PP RUEHPOD RUEHRN
DE RUEHBS #1140/01 2291206
ZNR UUUUU ZZH
P 171206Z AUG 09
FM USEU BRUSSELS
TO RUEHC/SECSTATE WASHDC PRIORITY
RUCPDOC/USDOC WASHDC PRIORITY
RHMFIUU/DEPT OF HOMELAND SECURITY WASHINGTON DC PRIORITY
RUEAWJA/DEPT OF JUSTICE WASHDC PRIORITY
INFO RHEHNSC/NSC WASHDC
RHMFIUU/HOMELAND SECURITY CENTER WASHINGTON DC
RUEKJCS/DOD WASHDC
RUEAFCC/FCC WASHDC
RUCNMEU/EU INTEREST COLLECTIVE
RUEAORC/US CUSTOMS AND BORDER PROTECTION WASHINGTON DC
RUEADRO/HQ ICE DRO WASHINGTON DC
RUEATRS/DEPT OF TREASURY WASHDC
RHMFIUU/FBI WASHINGTON DC
RUEABND/DEA HQS WASHINGTON DC
RUEAIIA/CIA WASHINGTON DC
RUEHSS/OECD POSTS COLLECTIVE
UNCLAS SECTION 01 OF 08 BRUSSELS 001140 

SENSITIVE
SIPDIS

STATE FOR EEB/CIP, EUR/ERA, L, INL, S/CT
DEPT PLEASE PASS FTC AND FDA
USDOC FOR ITA ROBIN GAINES-DEATS, TA DOUG DEVEREAUX, NTIA CHRISTINA
SPECK
DOD FOR OSD SUPPLY CHAIN INTEGRATION KATHLEEN SMITH
FCC FOR TRACEY WEISLER
TREASURY FOR TFTP

E.O. 12958: N/A
TAGS: ECON ECPS EINT BEXP KJUS KTFN TINT PREL ETTC EUN
SUBJECT: THE MANY SIDES OF DATA PRIVACY: MANAGING RISING TENSIONS
WITH THE EU

REF: BRUSSELS 1073

UNCLAS SECTION 01 OF 08 BRUSSELS 001140

SENSITIVE
SIPDIS

STATE FOR EEB/CIP, EUR/ERA, L, INL, S/CT
DEPT PLEASE PASS FTC AND FDA
USDOC FOR ITA ROBIN GAINES-DEATS, TA DOUG DEVEREAUX, NTIA CHRISTINA
SPECK
DOD FOR OSD SUPPLY CHAIN INTEGRATION KATHLEEN SMITH
FCC FOR TRACEY WEISLER
TREASURY FOR TFTP

E.O. 12958: N/A
TAGS: ECON ECPS EINT BEXP KJUS KTFN TINT PREL ETTC EUN
SUBJECT: THE MANY SIDES OF DATA PRIVACY: MANAGING RISING TENSIONS
WITH THE EU

REF: BRUSSELS 1073


1. (SBU) SUMMARY: European privacy and data protection concerns
continue to jeopardize our commercial, law enforcement, intelligence
and foreign policy objectives. Data privacy is an area of growing
complexity and touches ever more U.S. interests, from the visa
waiver program to e-commerce. We should enhance and coordinate U.S.
outreach in the coming year to address the variance between U.S. and
EU approaches to privacy protections. The USG should develop an
interagency approach to the EU on both commercial and law
enforcement data protection/privacy issues. Such an approach should
aim to ensure that data privacy rules will not hinder economic
growth, endanger global economic recovery, or discourage greater law
enforcement cooperation. For now, we are already encountering
problems in these areas. END SUMMARY.

Overview
--------------


2. (SBU) The financial crisis has provided a potent reminder that
the global economy is increasingly interconnected and dependent on
information technology. Personal data exchange is an ever-larger
part of the digital economy. Trade and investment depending on the
transfer of personal data across the Atlantic reaches hundreds of
billions of dollars annually. Privacy is also a political issue,
connected in European minds with respect for fundamental democratic
values.


3. (SBU) The European Union has a strict regulatory regime in place
for the protection of personal data ("data protection") in the
economic and social sphere. Under current EU treaty structures,
this economic and social sphere falls within what is referred to
commonly as the "First Pillar," that is, EU powers that derive from

the original 1957 Rome Treaties and deal with economic and trade
issues, rather than the "Second Pillar (Common Foreign and Security
Policy) or "Third Pillar" (Justice and Home Affairs) that have
evolved over the last 15 years.


4. (SBU) The EU- and Member State-level institutions that play a
role in the data protection space have also been generating data
protection challenges and concerns in the "Third Pillar" context
that includes law enforcement. There are also proliferating data
protection issues related to the "Second Pillar" of Common Foreign
and Security Policy (CFSP),notably regarding implementation of
targeted economic sanctions. (Note: these EU treaty distinctions
would change after final ratification of the proposed "Lisbon
Treaty," which could occur by the end of 2009. End note.)


5. (SBU) Damage to U.S. political and commercial interests over EU
data protection and privacy issues has raised concerns in our law
enforcement community for some years. EU data protection
assumptions and dictates delayed more formal U.S.-EU judicial and
law enforcement cooperation over the past decade. For example, they
delayed U.S. entry into and full implementation of cooperation
agreements with Europol (EU police coordination unit) and Eurojust
(EU judicial coordination unit). The pending transfer out of the
United States of Society for Worldwide Interbank Financial
Telecommunication (SWIFT) financial transaction records is another
example. This action will make more difficult our ability to obtain
information to track terrorist financing. Also, U.S.-legislated 100
percent scanning of cargo shipments has already run into data
protection obstacles in a European test-run of container scanning.
Some fear that differences between European and U.S. data protection
regimes will perpetuate dangerous misperceptions of U.S. values in
Europe and beyond. Residual uncertainty about the "adequacy" of the
U.S. privacy regime might have a "chilling effect" in some quarters
on the exchange of vital law enforcement information.

BRUSSELS 00001140 002 OF 008



EU Legislation: First Pillar
--------------


6. (SBU) The EU's 1995 Directive on the Protection of Personal Data
(DPD) sets out principles for the protection of data that apply
across the whole of the EU's First Pillar. It requires that each
Member State set up an independent data protection authority (DPA)
charged with enforcement of these principles. Critically, the DPD
also bans the transfer of personal data to third countries that are
not deemed to have an "adequate" system for protecting personal
data. The United States does not enjoy a blanket "adequacy"
finding, largely because the United States does not have a single
independent DPA. Consequently, the vast amount of transatlantic
economic activity that implies the transfer of personal data from
the EU to the United States relies on a limited set of exceptions
set out in the DPD, as well as on sector-specific agreements: the
Safe Harbor agreement, the Passenger Name Record (PNR) agreement,
and Terrorist Finance Tracking Program/SWIFT. (Note: The SWIFT
pending tric
communicastroy trafficed for@DPD and
the ePrivacy Direciveof Privacy Impact Assessments (PIQs) by retailers in determining
whether RFID applications that retailers use could pose Q threat to
consumer privacy. In such cases, an opt-in is recommended - i.e.,
retailers ar encouraged to deactivate RFID tags a the point of
sale.

EU Legislation: Third Pillar
--------------


10. (U) The EU Council's November 2008 Framework Decision on the
Protection of Personal Data Processed in the Context of Police and
Judicial Co-operation in Criminal Matters (the "Framework Decision")
is the most recent EU development of data protection policy in the
Third Pillar. The Framework Decision must be fully implemented by
November 27th, 2010. Broadly speaking, the decision parallels the
DPD, while adapting it to the specific nature of the Third Pillar.
(Note: A mistaken belief in Europe is that the U.S. law enforcement
data privacy system does not provide judicial access for non-U.S.
persons to view their data or challenge its correctness. This
widely circulating "urban myth" is being used to generate skepticism
in Europe about U.S. efforts to collaborate with the EU on exchanges
of law enforcement information, for example. End note).


BRUSSELS 00001140 003 OF 008


EU Legislation: Next Steps
--------------


11. (U) At a May 19-20 data protection conference, the European
Commission announced it will run a public consultation from July
until the end of 2009 on the EU legislative framework for privacy.
The conference and consultation are widely seen as the first steps
in a process that may culminate in a proposed revision of the DPD.
The UK DPA recently published a study that called for wide-ranging
changes to the EU legislation. Commission officials have said that
they hope to unify the First and Third Pillar legislative frameworks
after the ratification of the Lisbon Treaty. Such an approach is
supported by many privacy advocates. (COMMENT: Full unification of
the First and Third Pillar frameworks may have implications for U.S.
commercial and law enforcement interests. For example, a European
individual's purchase over the Internet of materials used to
construct a terrorist bomb could be a key element in a U.S.
prosecution, but the information might be made more difficult for
U.S. law enforcement to detect and access because of European data
privacy protections. (END COMMENT)

EU Institutional Players
--------------


12. (U) Privacy-related responsibilities are spread across a range
of European Union institutions. The Commission lead on data
protection is the Directorate General for Justice, Freedom and
Security (JLS). (NOTE: JLS took this over from DG Internal Market
(MARKT) earlier this decade. END NOTE.) However, DG Information
Society and Media (INFSO) leads for the Commission on RFID issues
and on the ePrivacy Directive. DG Public Health and Consumer
Protection (SANCO) leads on policy development related to consumer
protection, such as behavioral advertising. Both DG SANCO and DG
MARKT play a role in policy development in eCommerce.


13. (U) The office of the European Data Protection Supervisor
(EDPS),established in 2001, is independent of the Commission and is
responsible for making "sure that the fundamental right to
protection of personal data is respected by the EU institutions and
bodies." (See http://ec.europa.eu/justice_home/fsj/privacy/
eusupervisor/index_en.htm. The EDPS, currently Peter Hustinx, also
has a role in advising EU institutions on data protection policy and
cooperating with the Member States' DPAs. Mr. Hustinx's profile and
role have grown considerably over the EDPS' eight-year existence.
He has sought to expand the scope of his activities from the First
to the Second and the Third Pillars.


14. (U) In addition, Member State DPAs meet together in a committee
set up by Article 29 of the DPD. This "Article 29 Working Party"
(A29WP, or WP) seeks common interpretations of EU data protection
law and shares information and best practice in its First Pillar
area of responsibility. It adopts non-binding but influential
opinions.


15. (U) Under current EU treaty structures, the European Parliament
(EP) has co-decision legislative powers on First Pillar data
protection, following a Commission proposal. This refers to the
process whereby a Commission proposal for an EU directive or
regulation (the two principal forms of EU legislation) is sent forth
for approval by the 27 Member States; after Member State approval,
the proposed directive or regulation can be modified by the EP.
Absent a Commission-proposed directive or regulation, the EP's
formal powers are limited. But politically, the media-savvy EP has
cultivated a high profile role on data protection policy through
public hearings, resolutions, non-binding statements, opinions, and
lobbying the Council and Commission for action in both the First and
Third Pillar arenas.

BRUSSELS 00001140 004 OF 008



Policy Development Efforts
--------------


16. (U) The European Commission is conducting a long-term review of
the legislative framework for data protection, and is working in
several areas related to privacy. The Commission is interested in
the concept of the "Internet of Things" (also known as the
"networked environment"). The Commission believes that future
proliferation of electronically networked objects will transform
society and the economy, with major governance implications,
including in the area of privacy.


17. (U) The Commission continues its Safer Internet work, aimed in
particular at protecting children from harmful content and
relationships on the Internet. It has also begun work on the
consumer protection aspects of privacy in social networking,
criticizing the broad use of personal data currently made by
Internet social networking and related services.


18. (U) The Commission is also looking at structural aspects of
personal data storage on the Internet. Cloud computing, in which the
geographical location of increasing amounts of consumer data is
dynamic or changing, raises questions of jurisdiction. Another
structural issue is the use made by service providers of data
collected on individuals in order to provide personalized, or
behavioral, advertising.


19. (U) The USG continues active engagement in the development of
the APEC Privacy Framework, which some see as a more flexible
alternative to wholesale adoption of the EU approach. The OECD and
the Council of Europe (CoE) have strong records of privacy policy
development and are likely to continue work in the area. In July
2008, the CoE announced the opening of its binding international
instrument, Convention 108, to non-member countries. However, USG
internal organization is a hurdle to full U.S. participation.

Political Tensions Linger and Grow
--------------


20. (SBU) It is generally understood in Brussels (with a few
exceptions) that U.S. privacy legislation long predates that of the
EU. The FTC is well respected in Europe as an effective and
experienced privacy regulator. European policymakers overwhelmingly
agree that cooperation with the United States on data protection is
essential. Much more importance is attached to the transatlantic
relationship in this regard than to EU relations with other
countries or regions. Adequacy findings do exist for the Safe
Harbor, and specific agreements have been reached for the U.S.-EU
Passenger Name Record (PNR) and SWIFT. These agreements have
survived heated debates in the public and private sectors. (NOTE:
Nevertheless, as mentioned previously, SWIFT is now moving its
U.S.-located data banks out of the United States to Europe due to
personal data protection concerns. END NOTE). Dialogue with the EU
is relatively strong in both the First and Third Pillar areas
(through the annual Safe Harbor conferences and the High Level
Contact Group "HLCG", respectively).


21. (SBU) Many privacy concerns have been surmounted through U.S.
Treasury's representations to the EU on the Terrorist Finance
Tracking Program (TFTP),which previously caused a major public
controversy involving Belgian company SWIFT. After receiving the
study report of the Commission-designated independent examiner, EU
Justice, Freedom and Security (JLS) Commissioner and Vice-President
Jacques Barrot was effusive in his public praise of the TFTP's
scrupulous attention to data privacy.


BRUSSELS 00001140 005 OF 008



22. (SBU) Nevertheless, there remains a lingering perception in EU
circles that the United States does not protect personal data as
well as the EU. This is manifested, for example, in public
criticism of the lack of cross-sectoral U.S. privacy legislation,
including the privacy rules and practices of the U.S. Government,
and a lingering misperception that the FTC as an agency and the
Privacy Officers of our various Departments lack political
independence.

HLCG on Third Pillar Data Privacy
--------------


23. (SBU) Following the above recent controversies and others, the
United States and EU agreed to establish an experts' forum in 2007
to address Third Pillar (law enforcement rather than commercial)
data privacy concerns. This group, the "High Level Contact Group
(HLCG)", with representatives from the U.S. Departments of State,
Justice and Homeland Security and from the EU Presidency, Council
Secretariat and Commission identified a set of 15 principles common
to all effective data protection and privacy systems. The
principles were developed to work across the very different EU and
U.S. systems; the EU system of a single Framework Decision to be
implemented by all 27 Member States, and the U.S. system that is a
combination of different laws, regulations, mechanisms and branches
of government.


24. (SBU) Under the HLCG, and as instructed by the U.S.-EU JHA
Ministerial, U.S. and European officials agreed to work toward a
binding international agreement codifying these principles. This
binding international agreement would be intended both to provide
the template of these identified data privacy principles for
insertion into any relevant U.S.-EU agreements to be negotiated in
the future and also to dispel any lingering uncertainties by
effectively declaring our mutual recognition of the "adequacy" of
the U.S. and EU data privacy regimes. The U.S. interagency is in
accord on what needs to be done through the HLCG.


25. (SBU) However, the EU refuses to negotiate formally until
uncertainty over the Lisbon Treaty is resolved. (NOTE: The issue
here is that when the Lisbon /Treaty is ratified by all Member
States and takes effect, the European Parliament will have some
decision-making authority that it does not now enjoy, over many JHA
issues. Accordingly, the Commission argues that it does not want to
alienate the Parliament by taking rapid, conclusive action on
sensitive issues that it would otherwise, a few months later, have
to submit to the Parliament for approval. END NOTE). Further, and
prior to any formal negotiation, the Commission argues that the U.S.
Administration must amend the 1974 Privacy Act to grant Europeans
formal redress rights equivalent to those of U.S. citizens. (NOTE:
The Safe Harbor program, though generally considered a successful
mechanism for allowing transfers of personal data to the United
States under the DPD, is criticized for similar reasons of perceived
asymmetry between Americans' rights in Europe and Europeans' rights
in the United States. END NOTE.)


26. (SBU) COMMENT: This insistence reflects a European public
misperception of the U.S. privacy regime for law enforcement
records. The misconception ignores the whole purpose of the HLCG -
that while our system differs from Europe's in not relying on a
single law, it is nonetheless very effective. U.S. officials have
repeatedly provided verbal and written explanations of the means of
judicial redress available to all persons in the U.S. system. Even
the most vocal challengers concede that their concern with the
distinction drawn in the 1974 Act is more symbolic than real. At
the same time, EU counterparts have not responded to the U.S.
request for an explanation of how the Third Pillar data protection
Framework Decision is being implemented in the Member States and

BRUSSELS 00001140 006 OF 008


what judicial redress is available. However, the Swedish EU
Presidency has proposed an experts' seminar this Fall to examine
what redress is available in both EU Member States and in the United
States, to finally dispel this misconception and uncertainty. END
COMMENT.

Economic and Other Impacts on U.S. Firms
-------------- 27. (SBU) Ongoing tensions protection and
privacpressure to a
the United States benmer base perceives
te of` eQpb``erns
(if other countries make similar requess for Yahoo! data based on
the same argumeQt) (REFTEL). In broader terms, the potential cost
to the public of impairment in the transalantic law enforcement
exchange of terrorismand international organized crime informationcould be enormous and/or tragic.

Underlyin Issues That Affect EU Policy Directins
-------------- --------------


29. (SBU) Many vocal critics arQ dissatisfied with the Commission DG
JLS policy lead on privacy, because JLS has no direct responsibility
for consumer protection, nor for economic or technological aspects
of data protection. JLS-developed policy reflects the internal
tension between civil liberties and law enforcement. Furthermore,
the multiplicity of DGs and Commissioners leading on different
aspects of privacy policy causes confusion internally and in the
stakeholder community.


30. (SBU) The Commission has failed to exercise a strong policy
leadership role vis-a-vis other EU institutions. In this vacuum,
the European Data Protection Supervisor and the Article 29 Working
Party have asserted expansive roles. These bodies regularly make
high-profile public statements on areas outside of their formal
competence (including the HLCG and Third Pillar issues). Their
interpretations of legislation tend to give primacy to civil
liberties-based approaches for the EU's Single Market, consumers, or
law enforcement, and have gone largely unchallenged by the
Commission.


31. (U) EU implementation of the DPD has seen significant
harmonization problems, such as the development of rules governing
the adoption and approval of "Binding Corporate Rules" (BCRs) by
multinational companies. Although nine Member States have agreed to
recognize each other's BCR approvals, no company has ever received
approval from all 27 Member States for its BCRs.

BRUSSELS 00001140 007 OF 008




32. (U) Also, enforcement of EU data protection laws has been
patchy, and processes lack transparency. DPAs' resource levels and
legal powers vary from country to country. Many stakeholders,
including Member State DPAs, recognize that too much effort has been
spent on bureaucratic aspects of enforcement, such as checking
contracts used for data transfers to third countries, rather than
systematic market surveillance.


33. (SBU) Also, many stakeholders question the concept of Third
Pillar "adequacy", because this currently includes only a small
number of jurisdictions (Switzerland, Argentina, Canada, and the
Channel Islands) and excludes many vital economic partners (such as
the United States) that enjoy strong traditions of democracy, civil
liberties, and the rule of law. Many regard the concept as a test
of similarity rather than adequacy.


34. (SBU) U.S. and European industry figures argue that the EU
legislative framework for data protection lacks coherence. For
example, the ePrivacy Directive requires Internet firms to delete
traffic data when it is no longer needed for billing purposes, in
apparent contradiction to the DRD's requirement that they retain the
data for up to two years.

Comment and Recommendations
--------------


35. (SBU) The Lisbon Treaty would significantly change EU "Pillar"
decision-making structures, increasing the EP's role and shifting
power bases in ways not yet fully understood. Lisbon will not
change, however, the fundamentally evangelical character of European
institutions' promotion of EU integration. EU institutions are
structured to facilitate the spread of EU norms beyond EU borders.
Across the full range of EU activities (from product safety, climate
change, and chemicals regulation to human rights and free and fair
elections),the EU actively pushes its methods for adoption by third
countries in a way designed to make the EU standard the global
standard. Not surprisingly, such standards in different fields tend
to favor EU economic and cultural norms, rather than U.S. or other
norms that may differ from those in Europe. Data protection, where
the EU promotes its data protection/privacy system internationally
as the "gold standard", is no exception. European DPAs are leading
work among international privacy regulators to adopt international
data protection standards.


36. (SBU) This structural dynamic presents a significant challenge
to the United States, but the coming year also offers a critical
opportunity. Political leadership has changed in the United States
and is changing in the EU (including this year a new Parliament and
Commission in Brussels),progress is being made on EU-led
international data protection standards, and discussions on the
legislative framework for privacy continue on both sides of the
Atlantic.


37. (SBU) The USG should take advantage of these developments to
define, organize, and implement a comprehensive interagency strategy
to engage the EU on both commercial and law enforcement privacy and
data protection issues as soon as possible. Such a strategy would
have two primary objectives: first, to correct mistaken perceptions
of U.S. privacy protection in both the public and private sectors;
and second, to secure major improvements in the reciprocal
understanding of both the U.S. and EU approaches to privacy and data
protection through political, regulatory, and experts' dialogues.
Such an approach could help minimize risks that new rules in this
area will hinder economic growth, endanger global economic recovery,
and discourage greater bilateral law enforcement cooperation. These
objectives would be best achieved with the committed support of an

BRUSSELS 00001140 008 OF 008


interagency group of senior Administration officials.

Key Opportunities for Engagement
--------------


38. (U) USEU recommends that a coordinated U.S. interagency approach
might best be served by focusing on upcoming opportunities for
potential U.S. stakeholder participation in EU policy discussions
and processes. These include:

-- Final Adoption of the EU telecoms package including data breach
amendments to the ePrivacy Directive (Brussels/Strasbourg): date
TBD

-- Swedish Presidency expert seminar on effective redress available
in the United States and in EU Member States (Brussels): date TBD

-- Meeting of the High-Level Contact Group (HLCG) (Brussels): date
TBD

-- JHA Ministerial (Washington, DC): October 27-28

-- International Conference of Data Protection Authorities (Madrid):
November 4-7

-- European Federation of Consumer Organizations conference on data
protection (Brussels): November 12

-- Annual U.S.-EU Safe Harbor Conference (Washington): November
16-18

-- European Commission consultation on the legislative framework for
data protection and possible associated events (Brussels): December
31

MURRAY