The timing of US-side focus on these issues is critical. On April 1, the Office of the U.S. Trade Representative published a Federal Register notice requesting comments about how “relevant electronic commerce and cross-border data flow issues that should be addressed in the negotiations” on the U.S.-EU “Transatlantic Trade and Investment Partnership. TTIP is the first step toward an eventual free trade agreement with the EU. Significantly, in contrast with USTR’s “free trade” notification to Congress on March 20, highlighted the desire to use TTIP to facilitate electronic commerce and the movement of cross-border data flows, the EU’s draft negotiating mandate (that was leaked to the press) notably omits these U.S. priorities.
The U.S. and EU have had their conflicts on cyberlaw and policy to say the least. European regulators have been considerably more comfortable imposing bureaucratic rules on Internet businesses, social networks, and multinational employers about how they can collect and use consumer and worker data. Indeed, despite the plethora of privacy laws and regulations at the federal and state levels, and the significantly larger (multi-million dollar) privacy fines, penalties and settlements obtained by the Federal Trade Commission and the private class action bar, the EU still does not deem the U.S. to provide "adequate" privacy protection. Given that substantive privacy protection in the U.S. is as robust as in Europe – as distinct from privacy rules – and enforcement is much greater in the U.S., the EU's determination that our privacy laws are inadequate is misguided. The effect of this bilateral disagreement is the erection of a non-tariff trade barrier that impede digital commerce across the Atlantic. The EU's lack of recognition for U.S. privacy standards inhibits the ability of U.S. Cloud service providers, social networks, and other online businesses to offer their services in the European marketplace. Even a company's H.R. data about its own employees is often blocked.
To overcome this digital barrier, the U.S. needs to move privacy, data protection and cyberlaw front and center in the current round of free trade and regulatory harmonization negotiations underway with the EU. The U.S. negotiators have plenty of ammunition to argue that the American system for enforcing privacy and data security through various statutes protecting financial, medical and communications data, together with general consumer protection laws enforced by the FTC, state attorneys general and private plaintiffs is more than "adequate." Indeed, when it comes to disclosing and deterring data breaches, and promoting data security, the U.S. is indisputably far ahead of Europe.
Finally, the key to ensuring a level trans-Atlantic playing field is concerted U.S. leadership on privacy and cyber-policy. At present, there is a policy chasm. No agency or senior official is charged with speaking for the administration on these matters, and the vacuum has allowed trade competitors in Europe and elsewhere to perpetuate the myth or misunderstanding of U.S. inadequacy -- to the detriment of American multinationals and European consumers. To remedy this, President Obama should designate a senior officer of the Office of Management and Budget -- perhaps one of the two deputy directors -- to serve as the lead domestic coordinator of U.S. privacy, data security and Internet policymaking.
This senior presidential delegate could convene the various agencies with responsibilities in this area, such as the FTC, Commerce Department, Consumer Financial Protection Bureau, other banking agencies, Health and Human Services, Federal Communications Commission, Department of Homeland Security, etc., to clarify, harmonize and streamline rules and policies to the greatest extent possible consistent with existing statutory authority and the important objective of continuing to promote innovation and consumer choice on the Internet. The other federal agencies, state attorneys general, and private plaintiffs would, of course, continue to hold all authority over enforcement and litigation. And, with this lead role for cyber-policy, OMB (working with the U.S. Trade Representative, its sister White House agency, and the State and Commerce Departments) could serve as a more effective international proponent of U.S. positions on privacy, cybersecurity and digital commerce.
Coordinating and articulating policy is what OMB does well on numerous fronts. Moreover, OMB is specifically responsible under various laws and presidential directives for developing information policy, including on privacy and data security, throughout the federal government. In fact, in the Clinton Administration, a government privacy czar was appointed as a senior official within OMB's Office of Information and Regulatory Affairs. Today, about twenty years later, the role of privacy issues and cyber-policy is vastly greater than it was even then, and the level of federal attention should be commensurately higher. The U.S. needs more concerted cyber-leadership to protect our national interests, and the pending free trade talks with Europe provide just the opportunity for the administration to step up its digital game.
Raul is global coordinator of Sidley Austin LLP's Privacy, Data Security and Information Law Practice; previously served as vice chairman of the White House Privacy and Civil Liberties Oversight Board and General Counsel of the Office of Management and Budget.