Hobbled by Murphy’s Law?

“There has been no shortage of unintended consequences,” said Congresswoman Mary Bono Mack (R-CA-45 ). “In a way, you could say the EU Directive at some point crossed paths with Murphy’s Law. Anything that can possibly go wrong does.”

That was how the chairwoman of the House of Representatives’ Commerce, Manufacturing and Trade Subcommittee opened her hearing on the impact of European Union privacy regulation on the digital economy. Discussions focused mostly on the EU’s Data Directive and the challenges faced by American companies doing business in or with European countries.

The Subcommittee has been the center of numerous debates on privacy this year, most recently as it approved sweeping data security legislation in July containing important protections for survey research.

Asked why the US should consider hampering its economy by following the privacy regulation example set by the EU, witness Nicole Lamb-Hale, assistant secretary for the International Trade Administration (ITA), emphasised that the American data privacy law framework is outdated and needs to be expanded to make international partners feel secure. “Certainly we should not work towards an approach that’s exactly like the EU’s,” she said, emphasizing that US businesses need baseline privacy protections in order to effectively engage in international trade.

Congressmen Pete Olson (R-TX-22 ), Cliff Stearns (R-FL-06 ) and Mike Pompeo (R-KS-04 ) pressed Lamb-Hale on the cost of complying with EU privacy regulations, particularly questioning its impact on small business. Although she explained several times that studies by the ITA had found that companies face greater costs in not complying, Members retorted that the higher cost of non-compliance relates to not being able to do business in the EU. Congressman Stearns went even further, declaring that EU privacy laws are just a subterfuge to provide anti-competitive protections for EU businesses.

MIT professor Catherine Tucker, who has researched the impact of EU law on advertisers, cited projections from a NetChoice analysis of her work demonstrating that if the US were to adopt an EU-style opt-in regime for behavioral tracking, it would cost US businesses $33bn over the next five years. Citing the risks of “unfettered access to consumers’ data” by companies, she stressed the need to balance that against the risks that “strict regulations could damage the ability of internet firms to support free services through advertising.”

The Centre for Information Policy Leadership’s Paula Bruening pointed out that fewer than 10 countries have been found to provide “adequate” data protection by EU standards. Emphasising that, “there are no simple solutions”, she told the panel that EU law is based on the right kinds of principles but is too primitive and inflexible to adapt to changes in technology and society – particularly, a global data economy.

Peter Swire, a professor at Ohio State University and privacy expert, stated that giving companies maximum data access also presents maximum risk. More importantly, he focused on the competitive impact of a cross-Atlantic privacy imbalance, commenting that, “Foreign competitors could use the lack of US privacy protections as a excuse for protectionism, and insist that information processing happen in their country, and not in the United States.”

Subcommittee Ranking Member G K Butterfield (D-NC-01 ) cited a RAND report on the EU Directive which cheered the harmonisation of personal data regulation across 27 disparate states and asked if this convergence has benefited US companies. Swire responded that the goal of a common market was the real driver behind the Directive and it has in practice not always been achieved. Pressed further by Butterfield on how US companies are actually treated in the EU, Swire responded that although the EU originally went heavy on enforcement against U.S. companies it has over time focused much more on enforcement against EU companies.

Swire concluded that, “If we just say we don’t care about privacy in the US, then yes, US companies will be weakened in doing business in the EU”. Congressman Stearns said that was true, in that, if the US doesn’t adopt EU-style privacy regulations, its companies will be shut out of the European marketplace – and those of any country that imitates such laws. However, he continued, “if we adopt the EU model,” US innovation, which benefits the consumer, could disappear.

Chairwoman Bono Mack returned to concerns about the complex system of EU law, which varies by state and is inconsistently enforced in practice. Professor Tucker replied that, when laws are written in a vague or indecipherable manner, there will always be a gap in compliance, but that most companies will err towards a conservative response, doing more than is likely needed, just in case.

Summing up the hurdles faced by US companies under the EU privacy regime and how a similar regime could harm the US, Stuart Pratt, president of the Consumer Data Industry Association, said that you don’t innovate first under such rules, “you go to your lawyer first.”

Howard Fienberg, PLC, is the director of government affairs for the Marketing Research Association (MRA). He is MRA’s lobbyist for the survey and opinion research profession in the US, based in Washington, DC.