[House Hearing, 112 Congress]
[From the U.S. Government Publishing Office]
INTERNET PRIVACY: THE IMPACT AND BURDEN OF EU REGULATION
=======================================================================
HEARING
BEFORE THE
SUBCOMMITTEE ON COMMERCE, MANUFACTURING, AND TRADE
OF THE
COMMITTEE ON ENERGY AND COMMERCE
HOUSE OF REPRESENTATIVES
ONE HUNDRED TWELFTH CONGRESS
FIRST SESSION
__________
SEPTEMBER 15, 2011
__________
Serial No. 112-86
Printed for the use of the Committee on Energy and Commerce
energycommerce.house.gov
----------
U.S. GOVERNMENT PRINTING OFFICE
73-961 PDF WASHINGTON : 2012
For sale by the Superintendent of Documents, U.S. Government Printing
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800;
DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC,
Washington, DC 20402-0001
COMMITTEE ON ENERGY AND COMMERCE

FRED UPTON, Michigan, Chairman

Majority members:
JOE BARTON, Texas, Chairman Emeritus
CLIFF STEARNS, Florida
ED WHITFIELD, Kentucky
JOHN SHIMKUS, Illinois
JOSEPH R. PITTS, Pennsylvania
MARY BONO MACK, California
GREG WALDEN, Oregon
LEE TERRY, Nebraska
MIKE ROGERS, Michigan
SUE WILKINS MYRICK, North Carolina, Vice Chairman
JOHN SULLIVAN, Oklahoma
TIM MURPHY, Pennsylvania
MICHAEL C. BURGESS, Texas
MARSHA BLACKBURN, Tennessee
BRIAN P. BILBRAY, California
CHARLES F. BASS, New Hampshire
PHIL GINGREY, Georgia
STEVE SCALISE, Louisiana
ROBERT E. LATTA, Ohio
CATHY McMORRIS RODGERS, Washington
GREGG HARPER, Mississippi
LEONARD LANCE, New Jersey
BILL CASSIDY, Louisiana
BRETT GUTHRIE, Kentucky
PETE OLSON, Texas
DAVID B. McKINLEY, West Virginia
CORY GARDNER, Colorado
MIKE POMPEO, Kansas
ADAM KINZINGER, Illinois
H. MORGAN GRIFFITH, Virginia

Minority members:
HENRY A. WAXMAN, California, Ranking Member
JOHN D. DINGELL, Michigan, Chairman Emeritus
EDWARD J. MARKEY, Massachusetts
EDOLPHUS TOWNS, New York
FRANK PALLONE, Jr., New Jersey
BOBBY L. RUSH, Illinois
ANNA G. ESHOO, California
ELIOT L. ENGEL, New York
GENE GREEN, Texas
DIANA DeGETTE, Colorado
LOIS CAPPS, California
MICHAEL F. DOYLE, Pennsylvania
JANICE D. SCHAKOWSKY, Illinois
CHARLES A. GONZALEZ, Texas
JAY INSLEE, Washington
TAMMY BALDWIN, Wisconsin
MIKE ROSS, Arkansas
JIM MATHESON, Utah
G.K. BUTTERFIELD, North Carolina
JOHN BARROW, Georgia
DORIS O. MATSUI, California
DONNA M. CHRISTENSEN, Virgin Islands
KATHY CASTOR, Florida
_____
Subcommittee on Commerce, Manufacturing, and Trade

MARY BONO MACK, California, Chairman

Majority members:
MARSHA BLACKBURN, Tennessee, Vice Chairman
CLIFF STEARNS, Florida
CHARLES F. BASS, New Hampshire
GREGG HARPER, Mississippi
LEONARD LANCE, New Jersey
BILL CASSIDY, Louisiana
BRETT GUTHRIE, Kentucky
PETE OLSON, Texas
DAVID B. McKINLEY, West Virginia
MIKE POMPEO, Kansas
ADAM KINZINGER, Illinois
JOE BARTON, Texas
FRED UPTON, Michigan (ex officio)

Minority members:
G.K. BUTTERFIELD, North Carolina, Ranking Member
CHARLES A. GONZALEZ, Texas
JIM MATHESON, Utah
JOHN D. DINGELL, Michigan
EDOLPHUS TOWNS, New York
BOBBY L. RUSH, Illinois
JANICE D. SCHAKOWSKY, Illinois
MIKE ROSS, Arkansas
HENRY A. WAXMAN, California (ex officio)
CONTENTS
----------
Hon. Mary Bono Mack, a Representative in Congress from the State of California, opening statement
Prepared statement
Hon. G.K. Butterfield, a Representative in Congress from the State of North Carolina, opening statement
Hon. Pete Olson, a Representative in Congress from the State of Texas, opening statement

Witnesses

Nicole Y. Lamb-Hale, Assistant Secretary for Manufacturing and Services, International Trade Administration, Department of Commerce
Prepared statement
Catherine Tucker, Douglas Drane Career Development Professor in IT and Management and Associate Professor of Marketing, MIT Sloan School of Management
Prepared statement
Stuart K. Pratt, President, Consumer Data Industry Association
Prepared statement
Paula J. Bruening, Vice President, Global Policy, Center for Information Policy Leadership, Hunton & Williams, LLP
Prepared statement
Peter P. Swire, C. William O'Neill Professor in Law and Judicial Administration, Moritz College of Law, The Ohio State University
Prepared statement

Submitted Material

Article, "Companies in confusion over 'cookie' laws," by Maija Palmer for Financial Times, May 25, 2011, submitted by Mrs. Blackburn
Article, "Dutch cookie law may lead to online exodus," by Matt Steinglass for Financial Times, June 21, 2011, submitted by Mrs. Blackburn
Letter, dated September 14, 2011, from Julian Knott, Head of Secretariat, Trans Atlantic Consumer Dialogue, to subcommittee leadership, submitted by Mr. Butterfield
INTERNET PRIVACY: THE IMPACT AND BURDEN OF EU REGULATION
----------
THURSDAY, SEPTEMBER 15, 2011
House of Representatives,
Subcommittee on Commerce, Manufacturing, and Trade,
Committee on Energy and Commerce,
Washington, DC.
The subcommittee met, pursuant to call, at 11:18 a.m., in
room 2322, Rayburn House Office Building, Hon. Mary Bono Mack
(chairman of the subcommittee) presiding.
Members present: Representatives Bono Mack, Blackburn,
Stearns, Bass, Harper, Lance, Olson, McKinley, Pompeo,
Kinzinger, and Butterfield.
Staff present: Charlotte Baker, Press Secretary; Andy
Duberstein, Special Assistant to Chairman Upton; Brian
McCullough, Senior Professional Staff Member, CMT; Jeff
Mortier, Professional Staff Member; Gib Mullan, Chief Counsel,
CMT; Shannon Weinberg, Counsel, CMT; Tom Wilbur, Staff
Assistant; Alex Yergin, Legislative Clerk; Michelle Ash,
Minority Chief Counsel; Felipe Mendoza, Minority Counsel; and
William Wallace, Minority Policy Analyst.
Mrs. Bono Mack. The subcommittee will now come to order.
Good morning. Few things today have impacted more people than
the Internet. Over the past decade, there has been a huge
explosion in the use of the Internet. It has changed the way we
work, shop, bank and live. But it has also resulted in a new
dangerous contagion of sorts involving piracy threats such as
malware, spyware, phishing, pharming, and a long list of
assorted computer cookies. The time has come for Congress to
take these growing threats more seriously.
The chair now recognizes herself for an opening statement.
OPENING STATEMENT OF HON. MARY BONO MACK, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF CALIFORNIA
Today, as we continue our series of hearings on Internet
privacy, we are going to take a close look at the impact of
regulations on commerce, consumers and businesses. As chairman
of the subcommittee, I am guided by one critically important
question: When it comes to the Internet, how do we balance the
need to remain innovative with the need to protect privacy?
As someone who has followed this issue very closely over
the years and someone who, frankly, remains skeptical right now
of both industry and government, I will continue to keep an
open mind as to whether new legislation or regulations are
warranted. But let me be clear about one thing. To date, I do
not believe industry has proven that it is doing enough to
protect American consumers while government, unfortunately,
tends to overreach every time it gets involved in the
marketplace. From my perspective, there is a sweet spot between
too much regulation and no regulation at all. My goal is to
find that sweet spot.
Today, the Internet pretty much remains a work in progress,
even though it serves billions of users worldwide and while e-
commerce in the United States will top $200 billion this year
for the first time, there is still a Wild, Wild West feel to
cyberspace, leaving many consumers wondering whether there is a
sheriff in town or whether they are completely on their own
when it comes to protecting themselves and their families.
In just 25 years, the Internet has spurred sweeping
transformative innovations. It has become embedded in our daily
lives, and it has unlimited potential to effect positive social
and political change. Yet every single day, millions of
Americans are subject to privacy threats. Most of them by and
large are seemingly innocent, such as the collection of
information about consumer buying habits, but some of them are
malicious and criminal, often involving online theft and fraud.
This subcommittee has a responsibility and a unique
opportunity as well to ferret out those differences and to do
everything we can to keep the Internet free while keeping
consumers free, to the extent possible, from widespread private
abuses.
I for one do not subscribe to the theory that privacy is
dead, get over it. There are smart ways to protect consumers
and to allow e-commerce to continue to flourish. That is the
sweet spot we should be searching for in all of our hearings.
Additionally I will continue to work with Members on both
sides of the aisle to secure passage this year of the SAFE Data
Act, which will provide American consumers with important new
privacy safeguards.
Today we are taking a close look at the EU's Data Privacy
Directive, first adopted on October 24, 1995. The EU model is
one of the largest regulatory regimes in the world. I believe
this hearing will be instructive, allowing us to better
understand some of the lessons learned over the past 15-plus
years. Clearly there have been some unintended consequences as
a result of the directive which have proven problematic for
both consumers and businesses.
The purpose of the directive is to harmonize differing
national legislation and data and privacy protections within
the EU while preventing the flow of personal information to
countries that, in the opinion of EU regulators, lack
sufficient privacy protections. But as we will learn today,
there has been no shortage of unintended consequences. In a way
you could say that the EU directive at some point crossed paths
with Murphy's law--anything that can possibly go wrong, does.
Unfortunately, in all too many cases it has gone wrong for
American businesses trying to navigate these tricky
regulations. The directive requires all EU member states to
enact national privacy legislation which satisfies certain
baseline privacy principles ranging from notice, to consent, to
disclosure, to security. And while these principles are the
basis for the directive, each EU member state is responsible
for incorporating these articles into its own national privacy
laws. This in turn has led to inconsistent regulatory regimes
throughout the EU and has created serious problems for American
multinational firms.
Making matters worse, compliance within the EU remains
fractured, with several member states not fully complying with
the directive. This has led to sporadic and inconsistent
enforcement, with a seemingly disproportionate number of
American companies targeted for compliance violations.
Let me be clear. My purpose in holding this hearing is not
to point fingers. Instead, my goal is to point to a better way
to promote privacy online and to promote e-commerce. In the end
this will benefit both American consumers and American
businesses and send a strongly held belief all across America
that the Internet should remain free.
[The prepared statement of Mrs. Bono Mack follows:]
Mrs. Bono Mack. And with that, the gentleman from North
Carolina, Mr. Butterfield, the ranking member on the
Subcommittee on Commerce, Manufacturing, and Trade, is now
recognized for 5 minutes for his opening statement.
OPENING STATEMENT OF HON. G.K. BUTTERFIELD, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF NORTH CAROLINA
Mr. Butterfield. Thank you, Chairman Bono Mack. Thank you
for holding today's hearing on the European Union's efforts to
protect consumer data. And I especially want to thank the
witnesses from the two panels, starting with the Assistant
Secretary and the four witnesses on Panel 2. Thank you very
much for your testimony today.
The genesis of EU-wide data protection regulation is the
Data Protection Directive. And the directive requires the
enactment of several principles into the laws of each EU member
country. Those principles included granting people access to
their personal information, disclosure of which actors are
collecting personal data, affirmative consent prior to personal
data being shared with a third party and personal data held by
an actor be protected through reasonable security safeguards
among other things. This directive along with the subsequent e-
privacy directive have provided broad and strong privacy
protections for citizens of the European Union member
countries.
I commend the EU for recognizing the need to provide
baseline privacy policies. Nonetheless, the EU is essentially
an association of 27 countries. The point of any EU directive
is to standardize the laws of all member countries so they can
function as one economic market. The point is not to burden
business. It is just the opposite. It is to create a unified
and smooth running market across Europe by bringing the laws of
each member country closer together.
But enactment, administration and enforcement of those laws
remain the responsibility of each individual country. For
businesses that have to navigate the laws of these 27 different
countries, some regulations can feel pointless, some paperwork
and record keeping burdensome, and some enforcement actions
unfair.
I am hopeful that this hearing this morning which reviews
the European model will explore both the negatives and the
positives of that system. Studying the privacy regimes of other
countries can provide valuable lessons for us. Then we must
come together to develop a national privacy policy that both
protects consumers while promoting economic growth and
innovation. That is why it is imperative that we work in a
bipartisan fashion to make that happen.
Madam Chairman, I am confident that we can and will do this
together.
I know that this hearing is the second of a series that we
will have regarding privacy. I look forward to continuing this
important conversation, so we can move forward on crafting a
long overdue and well-considered national privacy policy.
Again, thank you to the witnesses. Thank you, Madam
Chairman. I yield back.
Mrs. Bono Mack. I thank the gentleman.
And under the rules of the committee Chairman Upton has
yielded his 5 minutes to me, and at this time I would like to
yield 1 1/2 minutes to the gentleman from Texas, Mr. Olson,
for his opening statement.
OPENING STATEMENT OF HON. PETE OLSON, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF TEXAS
Mr. Olson. I thank the chairman for holding another
important hearing on Internet privacy. America and Europe have
very differing viewpoints toward the protection of personal
data on the Internet. Our friends in the European Union believe
that privacy is a fundamental human right and that government
should be tasked with protecting and regulating personal data.
By contrast, the U.S. approach to privacy is a sector-by-sector
combination of legislation and industry self-regulation.
We favor a more balanced approach, recognizing personal use
of data and sharing while maintaining reasonable safeguards to
prevent abuses. With millions of Americans out of work and our
economy struggling, the last thing we need to do is to look
toward Europe for guidance for new privacy regulations.
Instead, we should use today's hearing to look at how the EU's
overburdensome privacy laws have negatively affected the
European Union economy and how we can avoid similar pitfalls
here at home as we continue to explore whether privacy
legislation is needed in Congress.
I thank the chairman. I yield back the balance of my time.
Mrs. Bono Mack. I thank the gentleman and seeing there are
no other members present to make an opening statement, we will
move to the panels. So we do have two panels of witnesses today
joining us. On our first panel we have the Honorable Nicole
Lamb-Hale, Assistant Secretary for the International Trade
Administration.
Assistant Secretary Lamb-Hale, good morning. Again, thank
you very much for coming. You will be recognized for 5 minutes,
and to help you keep track of time there are lights and timers.
And as you will suspect, the yellow light means either hurry up
and hit the gas or slam on the brakes. But either way, you may
begin your statement for 5 minutes. Thank you.
STATEMENT OF NICOLE Y. LAMB-HALE, ASSISTANT SECRETARY FOR
MANUFACTURING AND SERVICES, INTERNATIONAL TRADE ADMINISTRATION,
DEPARTMENT OF COMMERCE
Ms. Lamb-Hale. Madam Chair Bono Mack, Ranking Member
Butterfield, and distinguished committee members, thank you for
the opportunity to testify about online privacy and the impact
the European Union's legal framework for data protection has on
U.S. companies doing business in one or more of the EU member
states.
In my capacity as Assistant Secretary for Manufacturing and
Services in the International Trade Administration, I will
outline the approaches taken by the EU and the United States
with respect to commercial data protection, describe the impact
that the EU framework has on U.S. companies and explain what
the U.S. Department of Commerce is doing to facilitate
unencumbered transatlantic trade.
The EU and the U.S. share common goals in desiring to
protect individuals' privacy while pursuing economic growth to
increase trade and investment and by supporting Internet
innovation. The EU directive on the protection of individuals
regarding the processing of personal data and the free movement
of such data was issued by the European Parliament and the EU
Council in 1995 and is currently under review.
The EU directive functions as a baseline for EU member
states and allows them to adopt more stringent national
protections. In the U.S., the protection of individual privacy
is deeply embedded in law and policy.
In addition, voluntary multi-stakeholder policy development
complements this framework. This framework has encouraged
innovation and provided many effective privacy protections. But
certain key American players in the Internet, including online
advertisers, cloud computing service providers, providers of
location-based services and social networking sites, operate in
sectors without specific statutory obligations to protect
information about individuals. Because of this, the Obama
administration is advocating for stronger consumer protection
in the online environment.
In the international context, the EU directive imposes
limitation on cross border data flows to countries whose legal
frameworks do not meet the adequacy requirements of the
directive as determined by the European Commission, or the EC,
which is the executive arm of the EU.
In 1998, the Department embarked on a 2-year negotiation
with EC aimed at devising ways for U.S. companies to continue
doing business with firms in the EU without unnecessarily
burdensome obligations being imposed on their activities. The
result was the U.S.-EU Safe Harbor Framework, which the EC
deemed adequate in a July 26, 2000, finding.
The framework remains in force today and is administered by
the International Trade Administration on behalf of the United
States. It is a voluntary arrangement that allows U.S.
commercial entities to comply with the framework principles and
publicly declare that they will do so.
When the Safe Harbor Framework was launched, four companies
self-certified their compliance to the program. Today nearly
3,000 companies of all sizes belong, and more than 60 new
members are added each month. This service has enabled small-
and medium-size enterprises to provide a range of value-added
products and services to EU clients and citizens without the
expense of hiring European legal counsel to comply with the
EU's legal framework. An estimated half-trillion dollars in
transatlantic trade is facilitated by the Safe Harbor
Framework.
Some large U.S. multinational corporations have chosen
alternative means of complying with the directive, but these
have proven to be costly and time consuming.
For example, large, U.S.-based multinational corporations
have chosen to use binding corporate rules, or BCRs, which
permit global intracorporate data if the corporation's
practices for collecting, using and protecting that data are
approved by the data protection authorities in the EU.
Despite recent efforts to streamline the approval process,
the cost and time associated with obtaining approval of BCRs
are substantial. While the Safe Harbor Framework has proved
itself to be valuable in facilitating transatlantic trade, it
is not a perfect solution for all U.S. entities. Sectors not
regulated by the FTC, such as financial services,
telecommunications and insurance, are not covered by the
framework because their regulators were not part of the
negotiations.
Generally speaking, the biggest problems U.S. companies
face with regard to navigating the privacy landscape in Europe
include, one, the significant resources that must be allocated
to comply with these regulations that they are not in the Safe
Harbor; two, several EU member states implement the EU
directive differently so U.S. firms must comply with a variety
of requirements in as many as 27 member states, and, three,
different EU member state regulations create legal uncertainty,
which complicate U.S. companies' efforts to plan for the
future.
The Department continues to engage with the EU and its
member states in discussions on how we can allow unimpeded data
flows while at the same time respect each other's laws and
values. The Department has been engaged in extensive
conversation with EU data protection officials at all levels
during the more than 10 years since the EU directive entered
into force. These interactions have been designed to convey to
the EU that the U.S. legal framework, while structured
differently, is as robust as the EU's framework for protecting
individuals' privacy.
Thank you for the opportunity to explain how the EU's
privacy and data privacy framework relates to the commercial
interests of the U.S. and to explain what the Department of
Commerce is doing to help U.S. companies navigate the
regulations in the EU.
I look forward to any questions you may have.
[The prepared statement of Ms. Lamb-Hale follows:]
Mrs. Bono Mack. Thank you very much, Dr. Lamb-Hale, for
your statement as well as for your insight into the issue of
Internet privacy. And I would like to now recognize myself for
the first 5 minutes of questions.
And you testified that our current approach to privacy has
encouraged innovation and provided many effective privacy
protections. Conversely, a number of studies have suggested
that EU's approach has actually stifled its Internet economy.
Why should we move toward a regulatory approach that has proved
to hold back the Internet sector in that particular region?
Ms. Lamb-Hale. Well, certainly we should not work towards
an approach that is exactly like the EU's approach. I think it
is important to recognize that we need to have a regime that
really is flexible enough to take into account changes in
technology advancement. The privacy framework that we have in
the United States is really about 40 years old, and it doesn't
really take into account from a general standpoint principles
that can be readily applied to changing technology. And so what
we need to do, I think, is to look at the EU example and really
work to develop a baseline privacy policy that really provides
principles that, again, are flexible, that don't supersede or
override existing privacy policy frameworks that are sector by
sector, so that we can facilitate trade and we are in a better
position to ensure that as we negotiate with our allies and
trading partners around the world that we have a basic
framework to work from.
Mrs. Bono Mack. Well, in what ways are Europe's complex
privacy regimes discouraging U.S. companies from entering
European markets or affecting their success in those markets
and do those privacy rules amount to a type of trade barrier?
Ms. Lamb-Hale. Certainly, I want to talk a little bit about
our Safe Harbor program, which has helped companies in the
U.S., almost 30,000 of them, to successfully navigate the EU
directive by, quite frankly, allowing them to avoid having to
obtain approval from individual data protection authorities and
through the Safe Harbor Framework engage in the free flow of
information across various countries.
So I think that it is important to look at that as a tool
that is something that I think has worked very effectively for
our companies, and as we look at what we can do in the U.S. in
terms of basic privacy principles, we really need to be sure
that we are flexible in our approach, that we aren't looking to
promote certain technological innovations, that we really look
at principles that can be malleable, quite frankly, so that we
can ensure that as new applications come on board like mobile
applications that are not covered by our privacy laws that we
are able to address those and protect our consumers here and
really help to promote international trade with our U.S.
companies.
Mrs. Bono Mack. Thank you. Professor Swire will testify in
the next panel that the Safe Harbor, which worked well for many
years enabling cross border information flow, is not recognized
by a number of countries that have adopted privacy regimes in
recent years; for example, India, Latin America, Japan, South
Korea. Is the ITA working with these countries to have a Safe
Harbor recognized or to ensure its permanence should the EU
update a directive? And if so, what has been the reaction of
your foreign counterparts?
Ms. Lamb-Hale. Well, certainly, the U.S. Government is
engaged in multiple discussions with trading partners around
the world, including during the APEC conference that is going
on now, looking at how we can work together with our trading
partners to come up with a regime that really facilitates
international trade and does not impede it.
The Safe Harbor--companies who take advantage of the Safe
Harbor rule or regime are able to take advantage of what are
called onward transfer principles, which allow them to contract
with European companies and then instead of just being
restricted to transferring privacy data between the EU
countries and the U.S. to also transfer that data to other
countries.
People who take advantage of the onward transfer principles
under the Safe Harbor do have that advantage. They do have to
meet certain requirements, and the Department is certainly
happy to help companies understand those principles so they can
take advantage of them in other countries beyond the EU
framework.
Mrs. Bono Mack. Thank you very much. I am going to yield
back my remaining time, and I now recognize the gentleman from
North Carolina for 5 minutes for his questions.
Mr. Butterfield. Thank you, Madam Chairman. Let me begin
with this, and again, thank you very much for coming in and
thank you for your testimony and, more importantly, thank you
for your service to the Department and to the country.
One issue we are exploring is how privacy legislation would
affect U.S. firms globally. We have heard from some
multinational companies that baseline privacy protections in
the U.S. would help them abroad. In your testimony you
mentioned the Commerce Department has received comments from
industry who say that an enhanced U.S. privacy framework could
reduce barriers and compliance costs for U.S. companies in
international markets.
Can you briefly describe some of these comments and discuss
whether you agree that U.S. firms could see a benefit abroad if
we enacted legislation here?
Ms. Lamb-Hale. Yes. Thank you very much, Mr. Butterfield.
It is important as we look at our global competitiveness
that we have a framework, a set of basic principles that can be
found in one place, that really speak to the value that the
United States places on privacy protection. We certainly place
a lot of value on that, and I think that the world knows that.
But in order to really discover our principles you have to
parse through a number of different pieces of legislation by
sector to really get the sense of what the privacy protection
regime is like in the United States.
And so as a result, as we enter into negotiations with our
trading partners, it would be helpful, and I think it would
help the competitiveness of our businesses, if we had baseline
consumer privacy protections, principles that are flexible and
that take into account really the changing economy, the
changing technologies, so that when we go in we don't have to
have a situation where our service providers who are engaging
in trade with the EU and with other countries are impeded
because those countries are concerned about our data privacy
regime.
Mr. Butterfield. So you are saying that this baseline
legislation could address or alleviate some of the concerns
that EU countries have raised regarding our firms?
Ms. Lamb-Hale. I think so. I think so, Mr. Butterfield. I
mean certainly through the Safe Harbor Framework we have been
able to help our businesses navigate very successfully the EU
directive. But I think going forward and as we look at our
negotiations with multiple countries, including through our
APEC negotiations and our work with the OECD and others, I
think it is important that if we have our privacy principles in
one place, just as the EU does, quite frankly, through their
directive, if we have one document as opposed to multiple
documents that you have to parse through to really get the
sense of what our basic principles are, I think that our
companies will be more competitive globally.
Mr. Butterfield. Well, let me ask you to speak to your
agency specifically. Would a baseline U.S. privacy law help
your agency as it negotiates with non-European countries?
For example, we have heard fears that some Asian countries
are looking to the EU as they draft their first privacy laws.
Would having a U.S. law in place change that dynamic in any
way?
Ms. Lamb-Hale. I think so. I think that often around the
world because the EU directive is in a single document, so to
speak, that people look to that as the standard. And I think
that certainly as we have seen, there are some difficulties
with the implementation of that directive. It really increases
the compliance cost of our companies as they trade with the EU
countries. And so I think to have another model to use in our
negotiations around the world that really could demonstrate the
U.S.'s leadership in this regard would be very helpful to the
global competitiveness of our companies.
Mr. Butterfield. Thank you. Finally, in your testimony, you
state that U.S. companies face three major problems with regard
to navigating the EU privacy landscape. The first one on your
list is the significant resources that must be allocated to
comply with these regulations. I understand that companies that
aren't regulated by the FTC aren't eligible for the Safe
Harbor. This universe includes financial services,
telecommunications and insurance companies.
Help me with that. I don't fully understand it. Can you
clarify for me, are these companies you refer to as not in the
Safe Harbor and that have to allocate significant resources to
comply?
Ms. Lamb-Hale. Yes. As was mentioned earlier, the Safe
Harbor is only applicable to companies that are regulated by
the FTC and also the Department of Transportation. And so to
the extent that companies are not regulated by those entities,
they have to look to other methods, including in some cases
binding corporate rules that they institute that only apply to
intracompany transfers of data.
And so to the extent that we have a baseline set of
principles that would apply across the board that would not
supersede existing regulatory frameworks that would cover
financial services and other sectors, but if we have a set of
baseline principles, I think that it will reduce the compliance
costs, quite frankly, of our companies around the world as they
do business, and it is something that we should certainly
consider. The Obama administration is very supportive of it. We
have certainly through our green paper--and we are working on a
white paper that sets forth the framework that we think would
be helpful to protect both U.S. companies and our citizens.
I think that as we look to that, it will really help our
companies to be competitive globally.
Mr. Butterfield. Thank you. I yield back.
Mrs. Bono Mack. I thank the gentleman.
The chair now recognizes Mr. Olson for 5 minutes.
Mr. Olson. I thank the chair and I want to thank the
Assistant Secretary for coming today to give your time and your
expertise. Welcome.
Ms. Lamb-Hale. Thank you.
Mr. Olson. I have a couple of questions for you, ma'am.
According to the Interactive Advertising Bureau,
advertisement revenues in the United States hit $7.3 billion
for the first quarter of 2011, a 23 percent increase--23
percent--over the same period last year. Further, ad revenues
increased from under $1 billion in 1999 to its current total of
$7 billion.
Do you think this type of economic growth could be achieved
if the U.S. were operating under an EU-type privacy regime?
Ms. Lamb-Hale. No. And we are certainly not advocating that
the U.S. operate under that kind of a regime. I think the issue
with the EU privacy regime is that it is applied inconsistently
across the U.S. or the EU member states, the 27 member states.
And the goal would be not to do that in the United States. The
goal would be to come up with basic principles that include
input from the multiple stakeholders that are concerned about
these issues and to develop something that is applied uniformly
and, quite frankly, does not supersede existing regimes. We are
really, our effort is to plug gaps, gaps that exist in the
privacy regime that quite frankly could not be anticipated at
the time that those various laws were enacted because, of
course, we have had innovation through the Internet and
generally in the economy.
So the goal is to have a set of principles that are basic
principles that, quite frankly, can then be used to assist in
the development of further innovation and protect our citizens
and create competitiveness for our companies around the world.
Mr. Olson. Thank you. And switching gears a little bit just
talking about the Safe Harbor issue, the FTC recently brought
its first case alleging that a company did not satisfy the
requirements of the U.S.-EU Safe Harbor. The Safe Harbor is
supposed to help U.S. companies compete in Europe, not let the
European Parliament write our laws for us. What is this
administration doing to make sure that Safe Harbor is
protecting U.S. companies?
Ms. Lamb-Hale. Well, we certainly work with our U.S.
companies who are a part of the Safe Harbor very closely when
they have situations within the EU where there are alleged
violations. We certainly work in a low key fashion because
often the companies don't want a lot of publicity in this
regard. So we really do it on a case-by-case basis.
We feel that the services that we provide companies, the
education that we provide about the ins and outs of the Safe
Harbor are helpful to them and we work with them as they come
to us with situations that they have faced in the EU
notwithstanding the Safe Harbor Framework.
Mr. Olson. One final question for you, Assistant Secretary.
Has the administration performed any type of compliance cost
analysis for the privacy directive, and if not, do you plan to
do so?
Ms. Lamb-Hale. Yes, we do have some general information on
compliance costs. And I can say to you that it is certainly
more expensive not to comply than it is to comply. And so what
we encourage our companies to do is to be engaged and be
educated about the various regimes. To the extent that they are
in the Safe Harbor, I think they have a leg up because they are
able to operate without having to obtain approval from various
data protection authorities around the EU.
But we certainly work with the companies to ensure that
they are educated and that we have their costs--while there
will always be costs associated with operating in other
countries and in the EU, but their costs are limited.
Mr. Olson. Thank you for those answers. I yield back the
balance of my time.
Mrs. Bono Mack. I thank the gentleman and now recognize the
gentleman from West Virginia for 5 minutes, Mr. McKinley. And
he waives. So next we will go to Mr. Harper for 5 minutes.
Mr. Harper. I will waive.
Mrs. Bono Mack. And he waives.
Mr. Stearns for 5 minutes. Mr. Stearns.
Mr. Stearns. Thank you, Madam Secretary. How are you?
Ms. Lamb-Hale. I am fine, thank you.
Mr. Stearns. I think one thing that a lot of us are
concerned about is that the EU has set up these privacy laws as
sort of a subterfuge to provide anti-competitive protection for
the EU, to sort of favor their own businesses.
Do you sense any sense of that, not overtly but covertly,
that some of these foreign countries because the U.S. lacks a
formal privacy law, is using this as a way to protect
themselves?
Ms. Lamb-Hale. Well, Mr. Stearns, I don't want to speculate
on the intent of the EU in their directive.
Mr. Stearns. Well, maybe instead of speculate, have you
found that it has sort of been true?
Ms. Lamb-Hale. I don't know that it is true. I think that
certainly the problem and the lesson to be learned from the EU
experience is that having individual member states create their
own regimes and as they interpret the requirements of the
directives has increased costs for our companies. It has
created regulatory uncertainty for our companies who are doing
trade with the EU.
So certainly our goal is to work very closely with the EU.
We have done it over the 10 years since the Safe Harbor was put
in place, to really work together to come up with an approach
that really helps both of our interests.
Mr. Stearns. Do you have any idea what the costs, economic
impact, any studies that show the dollars that it would cost
Americans more? I think we have here studies that show the
economic impact to U.S. companies if such regulations at the EU
are implemented what it would cost American companies. Do you
have any studies like that?
Ms. Lamb-Hale. What I can tell you, sir, that our findings,
there are findings that have indicated that the average
compliance costs were $3.5 million but the costs for
noncompliance were nearly three times higher at $9.4 million.
And so certainly noncompliance is more expensive.
Mr. Stearns. Because if they don't comply, their market is
shut down is what you are saying?
Ms. Lamb-Hale. Well, I would imagine in the various member
states there are penalties that are I would imagine would need
to be paid. There are costs to deal with the, whatever the
allegations would be in terms of not complying, noncompliance
with the EU directive as interpreted by the individual member
states.
So I don't have an exact number that I could give you per
year. But I can tell you this, that we do see that there are
significant compliance costs. It does, it has impacted trade,
but because of our kind of knowing that back in 2000, when the
directive was really, when the Safe Harbor Framework was
accepted by the EC as being adequate and 30,000 of our
companies now today are part of that framework, it has helped
those companies to navigate some of these costs.
Mr. Stearns. When I pick up a magazine and I look at the
ads and I give it to my son or I give it to other family, they
all see the same ads. But in the United States if I pick up, if
I go on the Washington Post Web site, they are often behavioral
because they have maybe a record of things about me, they have
some behavioral advertising. They can really selectively decide
when I pull up the Washington Post that these ads would be more
interesting to me. So that the advertisers have an incentive to
have this behavioral advertising. But it is not true in the
European Union, is that correct?
Ms. Lamb-Hale. Well, the----
Mr. Stearns. In other words, the behavioral advertising
that we allow our companies to selectively accumulate, the
Googles, the Amazon dot-coms, books and things like Barnes and
Noble, all of that goes into the mix and gives a behavioral
opportunity for advertisers to narrow down who they are going
to advertise. But you can't do that in the European Union, is
that correct?
Ms. Lamb-Hale. Well, I can't speak to the various states----
Mr. Stearns. If you don't know, just say yes or no.
Ms. Lamb-Hale. I don't know the answer with respect to the
various states because all of the various states have their own
national laws that interpret the requirements under the
directives.
Mr. Stearns. As I understand, the majority of the EU
states, the 27 of them, you have to opt in to get this
behavioral advertising? Do you know if that is true?
Ms. Lamb-Hale. I don't know the answer to that. I can
certainly get back to you.
Mr. Stearns. That would be interesting to the chairlady and
to others to see the 27 States, what they do.
Now, who is the controlling authority in the European
Union, or does the data privacy agency of each of the 27
function independently of the EU? There is no FTC.
Ms. Lamb-Hale. There is a European Commission, which is the
entity that has the overarching authority----
Mr. Stearns. Is that equivalent to the FTC?
Ms. Lamb-Hale. Roughly. I guess that would be a good
analogy to draw.
Mr. Stearns. But you also indicated that each of the 27
countries do their own thing and so it doesn't seem to be----
Ms. Lamb-Hale. And that is the problem, that is the lessons
learned.
Mr. Stearns. A European preemption here, they can't preempt
these other 27?
Ms. Lamb-Hale. Well, it is certain there is a baseline that
is established by the directive, and each of the member states
can then enact their own laws. And that is where some of the
problem comes in and that is a lesson to be learned. That is
something that we wouldn't want to have in the United States.
Mr. Stearns. Thank you.
Mrs. Bono Mack. And the gentleman's time has expired, and
the chair now recognizes Mr. Pompeo for 5 minutes.
Mr. Pompeo. Thank you, Madam Chair. Do you have any data,
Madam Secretary, on how the costs and benefits you describe
impact different businesses; that is, small business or larger
U.S.-based businesses or U.S.-based multinational business? Do
you have any data that suggest how those costs and benefits
fall for those different types of businesses?
Ms. Lamb-Hale. I don't have specific data for you. I can
tell you that we have found that for companies that don't
participate in the Safe Harbor, there are significant costs
associated with that. The Safe Harbor is a wonderful program
because really it is very cost-effective once you establish
the--show that you have satisfied the requirements to join, it
is a $200 initial fee and $100 to maintain it each year.
Companies who don't take advantage of that, both large and
small, do have more significant costs.
We can certainly get some information to you, though, to
kind of break it down by company size if we have that.
Mr. Pompeo. Thank you very much. Madam Chair, I yield back
my time.
Mrs. Bono Mack. I thank the gentleman. And seeing no other
members present, I again want to thank the Secretary very much
for being with us today. You have been very gracious with your
time. I look forward to working with you on this in the future
and going forward. And again it has been a very insightful
discussion and thank you for your time.
Ms. Lamb-Hale. Thank you, Madam Chair.
Mrs. Bono Mack. Now we will quickly move into the second
panel. If the second panel could begin taking their seats we
would like to move along as quickly as possible in hopes of not
having to run into a series of votes on the floor.
Thank you all very much. So we have four witnesses joining
us today in the second panel, our first which is Catherine
Tucker, Douglas Drane Career Development Professor in IT and
Management and Associate Professor of Marketing at MIT Sloan
School of Management. Our second witness is Stuart Pratt,
President, Consumer Data Industry Association. Our third
witness is Paula Bruening, Deputy Executive Director and Senior
Policy Adviser at the Centre for Information Policy Leadership.
And the final witness this morning is Peter Swire, Professor of
Law at the Moritz College of Law at the Ohio State University.
Good morning, still, everyone and thank you very much for
coming. You will each be recognized for 5 minutes, as you know,
and I think you know how the lights work. Make sure you
remember to turn the microphone on before you begin. And I
would like to begin with Ms. Tucker for 5 minutes--Dr. Tucker--
excuse me--for 5 minutes.
STATEMENTS OF CATHERINE TUCKER, DOUGLAS DRANE CAREER
DEVELOPMENT PROFESSOR IN IT AND MANAGEMENT AND ASSOCIATE
PROFESSOR OF MARKETING, MIT SLOAN SCHOOL OF MANAGEMENT; STUART
K. PRATT, PRESIDENT, CONSUMER DATA INDUSTRY ASSOCIATION; PAULA
J. BRUENING, VICE PRESIDENT, GLOBAL POLICY, CENTRE FOR
INFORMATION POLICY LEADERSHIP, HUNTON & WILLIAMS, LLP; AND
PETER P. SWIRE, C. WILLIAM O'NEILL PROFESSOR IN LAW AND
JUDICIAL ADMINISTRATION, MORITZ COLLEGE OF LAW, THE OHIO STATE
UNIVERSITY
STATEMENT OF CATHERINE TUCKER
Ms. Tucker. Good morning. I want to thank the committee for
inviting me to speak. I was truly honored. My testimony is
going to describe research I have done into how European
privacy regulation has affected the performance of online
advertising.
Now, the motivation behind this research is you may have
many good reasons to want to protect consumer privacy online,
we also may have many reasons to want to harmonize with our
European trading partners. However, there is a risk that strict
regulations can damage the ability of Internet firms that
support it through advertising and the advertising industry can
tend to be hurt. Why is this? It is because the business model
for nonsearch advertising online is really based around the
usage of data. And so an example of that is say I am a Cadillac
dealer, it means that I can only, I can choose to just show ads
to people who have been recently searching car review Web
sites. And this means I save money because I am not actually
showing ads to people who are not going to be in the market for
a car.
So therefore understanding how limiting data can hurt
advertisers, I think it makes sense to try and understand what
is happening in the EU.
So in my paper, I actually examined the effect of the
European Privacy and Electronics Communications Directive of
2002, sometimes known as the e-Privacy Directive. And what this
e-Privacy Directive did was it clarified how the more general
principles of 1995 were applied to the Internet and
communications sector.
Now several provisions of this e-Privacy Directive limited
the ability of companies to track user behavior online and then
use the data for the kind of behavioral targeting that was
inherent in my Cadillac dealership example.
The data I used in my study was collected by a marketing
research company over a decade and it is based around the gold
standard of social science research, which is a randomized
trial, much like used in medicine where some people see an ad
and some people do not, and to compare how the ad performance
implied by these randomized trials changed in Europe relative
to the rest of the world after the implementation of the e-
Privacy Directive.
This is a large scale study. I used data from 3.3 million
consumers and over 10,000 online advertising campaigns.
The first key finding is that the e-Privacy Directive was
associated with a 65 percent decrease in online advertising
performance, the advertisers that I studied. This is a sizeable
decrease, and I think the best way of understanding it is that
if an ad is not targeted appropriately, consumers online are
really very good at ignoring it.
Now I think this is coming up in the questioning earlier,
what does this 65 percent mean in real terms for American
businesses? Well, the public policy group NetChoice took the
estimates of my study to project that EU-style regulation could
cost U.S. businesses $33 billion over the next 5 years. So this
is obviously a large negative effect.
But I also want to emphasize the second set of findings.
And this was how the regulation affected different ads
differently. And what I saw was that ads on Web sites that had
content that is not easily matched to a product category, think
of a news Web site, think of an Internet service site such as
dictionary.COM, ads on those Web sites, they were the ones that
were really hurt. And why is that? Well, you really need
external data in order to target advertising. On the other hand
ads on travel Web sites, baby Web sites, they kept on working
as well before and after regulation because you are just going
to keep on advertising diapers and hotels on these types of Web
sites.
The other kinds of ads that were really affected were small
and unobtrusive banner ads, the kind of ads that I would
describe as being annoying, the ones that float over your Web
site when you are trying to read it, those weren't affected. It
was really the ads that were designed to be informative. And so
I think this leads to a second set of concerns which means that
privacy regulation can lead to a set of incentives which means
that advertisers switch to more intrusive and annoying
advertising because they can't actually target ads in a
relevant way, and also that Web site developers might switch to
more commercial shall we say content in order to target
advertising by means of the category.
So thank you, and I look forward very much to your
questions.
[The prepared statement of Ms. Tucker follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Mrs. Bono Mack. Thank you very much, Dr. Tucker.
Mr. Pratt, you are now recognized for 5 minutes.
STATEMENT OF STUART K. PRATT
Mr. Pratt. Chairwoman Bono Mack and Ranking Member
Butterfield and members of the committee, thank you for this
opportunity to testify. I am going to work through a few key
points. Obviously you have the written testimony for the
record. And first and most importantly, we must preserve what
is best about the U.S. marketplace for data flows that we have
today.
CDIA members' data and technologies protect consumers and
they help U.S. businesses to manage risks and empower economic
opportunity. Whether it is counter-terrorism efforts, locating
a child who has been kidnapped, preventing a violent criminal
from taking a job with access to children or the elderly or
ensuring the safety and soundness of lending decisions, our
members' innovative databases, software and the analytical
tools are critical to how we manage risk in this country and
ensure fairness and, most importantly, how we protect
consumers.
The U.S. has a long and successful track record of
protecting consumers and fostering commerce at the same time. I
think it is an important balance that we have to continue to
maintain as we go forward. And, in fact, the United States is
really at the forefront of establishing sector specific
enforceable laws regulating uses of personal information of
many types, and the list is extensive and includes for example
the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, the
Health Insurance Portability and Accountability Act, the
Drivers Privacy Protection Act, and many more. CDIA believes
this sector-by-sector approach has not just worked well but has
ensured that the United States has both a marketplace that puts
consumers first and one that is the most robust, innovative and
efficient.
CDIA's members, however, are global companies and they do
understand the importance of international engagement and
dialogue. Our members are the most successful companies in the
world when it comes to producing data that protects consumers
and allows for effective risk management which facilitates
competition. Historical experiences, cultural mores and much
more drive the individual countries' deliberations about how to
protect their citizens' data, and this is no less true for us
here in the United States. Our members respect these
differences. We engage in regional discussions with
organizations such as the Asia Pacific Economic Cooperation and
the European Union.
Our members have successfully encouraged countries to adopt
practices that have made the U.S. successful. Just look at the
last 18 months, for example. Both Brazil and Australia have
shifted their laws to permit the development of full file
credit recording systems which will inure benefits to their
citizens much as the U.S. credit reporting industry has done
for the last 100 years. This type of constructive engagement
will continue. It is likely the best approach to managing
global data flows even as we choose different approaches to how
we may regulate data flows domestically.
We must protect our domestic success and weigh consequences
carefully. Like every other global commerce issue, there is no
dearth of opinion about how consumer data should be used and
protected. Because of this one cannot turn to Europe with the
assumption that their work is a reflection of world opinion.
There have been many different approaches to establishing
basic principles for the protection of data, and we list a
number of examples in our written testimony. Even in Europe the
Data Protection Directive has been transposed into country
specific laws which while determined as adequate by the
European Union are still different.
A real world example of how this affects commerce can be
drawn from the credit reporting industry. The credit reporting
industry in Europe is balkanized. It impinges on data flows
across countries. It has impinged on the ability for Europe to
develop a true continental financial services marketplace where
banks in Germany would compete with banks in France, for
example.
So the EU is a less than perfect solution in many different
ways.
It isn't new news that Europe and the U.S. differ when it
comes to data protection. Even our fundamental system of
enforcement for consumer protection differs. It is our view
that bringing a European Union style law to the U.S. would
result in significant increases in private litigation,
something that Europe doesn't face but which we have as a
tradition in this country. It is one of the reasons why we take
it so seriously when somebody says we should look to Europe,
for example, for the type of structure that we should have here
in the U.S.
We have privately enforced laws. We have a tort system that
encourages private enforcement by individual consumers and
through class actions. That does not exist in Europe and that
is a radical difference between how Europe and its legal
regimes work and how ours work here in the United States.
It is our view that the U.S. model has worked exceptionally
well for our citizens and for our economy. We continue to
support international engagement, regional data flow
agreements, but also the preservation of our U.S. sector
specific approach to law because laws resulting from this
approach are far more likely to respect free speech rights in
our Constitution. Laws are more likely to be focused and not
overreaching in a manner that would impinge on innovation.
Laws are subject to the deliberations and oversight of
Congress, which is obligated to represent the interests of
citizens of this country and because decisions about data
protection will not be an abrogation of congressional authority
through the establishment of a new Federal regulator with
regulatory powers that overshadow the legislative authority of
the Congress itself. History has proven that our approach works
well.
I thank you for this opportunity to testify, and I am happy
to answer your questions.
[The prepared statement of Mr. Pratt follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Mrs. Bono Mack. Thank you very much, Mr. Pratt.
And Ms. Bruening, you are now recognized for 5 minutes.
STATEMENT OF PAULA J. BRUENING
Ms. Bruening. Thank you, Chairman Bono Mack, Ranking Member
Butterfield, members of the committee. Thank you for the
opportunity to testify today about the EU directive.
Privacy and protection of data are values shared by the
United States and our friends in Europe. Both the EU and U.S.
guidance about the responsible collection, use, storage and
sharing of information about individuals is based on trusted,
relevant, long-established principles of fair information
practices.
But the European directive enacted in 1995 has challenged
in many respects the rapid rate of technological change, the
emergence of new business models, and the exponential growth of
the rate in which data is generated and shared around the
world.
This dynamic marketplace requires a responsible yet
flexible approach to data protection. Instead, the directive
imposes administrative notification requirements on companies
that often do little to advance privacy protections but that
place significant burdens on companies.
It obligates persons responsible for data to notify EU
member state data protection authorities of the processing of
personal data. Such notification is required when information
systems are created and modified and when personal data is
transferred outside the European Union.
It requires companies transferring personal data to
countries outside the EU not considered to have adequate data
protection to notify the data protection authorities of the
member states of the transfer and in some cases obtain a prior
approval. Such approval can take easily 6 months to obtain and
at the cost of significant resources for the company and the
data protection authorities.
This lack of harmonization between 27 member states adds to
this burden, as each may impose requirements that differ to
some extent from others, sometimes in contradictory ways, and
companies must comply with each.
In many cases, the directive does not take into account the
global nature of data and the way in which data is collected,
used, stored and shared. It requires that data only be
transferred to countries found by the Commission to provide
adequate protections for personal data. Fewer than 10 countries
have been found to be adequate. While other legal mechanisms
are available to support the transfer of data under the
directive, as we heard earlier today, they are cumbersome.
Finally, the directive's requirement that organizations
have a legal basis to process data can impose additional
burdens without yielding good privacy outcomes. In the United
States, companies can use data unless they are specifically
prohibited from doing so. In Europe, by contrast, companies are
not allowed to process data unless the processing meets one of
six criteria found in the directive.
The most significant of these criteria is informed consent
of the data subject. To obtain consent, companies must specify
in the privacy policy the purpose for which data will be
processed. However, the ways in which data can be used evolve
rapidly and may not be readily foreseen by companies. When data
holds such broad and unanticipated potential, companies will
hesitate to specify its criteria for processing for fear of
limiting their options in the future. Companies instead may
create broad privacy policies aimed at obtaining permission to
undertake any data activity they see fit.
What is at issue is not the value of privacy protection nor
that of fair information practices. They continue to serve as
the most respected and trusted foundation for privacy
protection. What requires our consideration is how quickly the
fair information practices are applied in this new and rapidly
changing data environment and how companies and regulators
faced with the need to make the best possible use of scarce
resources can be empowered to direct time, funding and
personnel towards efforts that yield optimal privacy for
individuals without unduly constraining innovation.
In a digital age, in an economy driven by data, getting
privacy protection right is hard. There are no simple
solutions. Policy makers, industry leaders, regulators and
advocates are engaging in discussions here in the U.S. and in
international forums to develop approaches that serve both
organizations that collect data and the privacy of individuals.
Therefore, as this committee continues to explore this issue, I
encourage you to consider the alternatives developed in these
ongoing discussions.
Thank you again for this opportunity, and I look forward to
answering any questions.
[The prepared statement of Ms. Bruening follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Mrs. Bono Mack. Thank you very much, Ms. Bruening.
And Professor Swire, you are recognized for 5 minutes.
STATEMENT OF PETER P. SWIRE
Mr. Swire. Thank you, Madam Chairman and Ranking Member
Butterfield, and other distinguished members of the committee.
Thank you for inviting me to participate today.
This is an area that has long been of great interest to me.
I wrote a book on the U.S. and EU privacy laws back in the
nineties. I was chief counselor for privacy under President
Clinton and helped to negotiate the Safe Harbor agreement that
we have heard about today.
Before turning to my written testimony, just a brief
comment on the very important research that Professor Tucker
has talked about today. This is incredibly useful data, but I
would like you to think about advertising being targeted. We
could do it even better if we saw every e-mail you saw, every
text message you ever wrote, every moment-by-moment location
information. We could target better, but having all of that
known to the advertisers creates some risks and I think we
probably would want to have privacy and have good business not
just maximize how much everybody sees about us.
In my written testimony there are three points. I will
focus on the third one today. The first point is that the EU
Data Protection Directive has deep roots in the United States
history of privacy protection. The fair information practices
came from here, and that is what is built into the directive.
A second point is I have often criticized the EU directive
in a number of details in my writing, but with that said, the
European regime has made important contributions to our privacy
practices. Many of the sensible ways that we self regulate
today in the United States really grew out of discussions that
were involved in European regulators, and we have taken the
best of that in many cases to do good business and good
privacy.
The focus of my time today, though, is going to be on jobs
and U.S. businesses and the effects on those. My point here is
that support for baseline privacy principles is good business
and good policy for the United States. If we adopt a ``we don't
care about privacy'' attitude, that creates major risks for
American jobs, American exports, and American businesses. Other
countries could then decide that the U.S. is a noncompliance
zone, and they can ban transfers of data to the United States.
Foreign competitors can then use the lack of U.S. privacy
protections as an excuse for protectionism and then insist that
all the information processing happen in their countries and
not here in the United States, where right now we have such an
important technological edge.
So I am going to continue with a little more detail on some
of those job and business effects.
The Safe Harbor, as was discussed earlier, is a big help
for transferring data between EU and the United States, and we
made the European rules much more workable as we negotiated
that. But the risk of protectionism is growing again. The EU is
in the midst of a major revision of the directive. They may
make it substantially stronger in some respects. And as the
chairman noted, India's privacy laws are coming online now,
Mexico and most of Latin America are adopting these laws, and
right now they are copying the European approach. If we had a
baseline approach in the United States that was simple and easy
to communicate, I think it would be a lot easier for them to
copy the U.S. approach or at least for us to have U.S.-style
principles accepted around the world. If we don't do that, we
are risking having a very bad model become the practice
generally.
Cloud computing is just one industry that gives an example
of the risks we face here. The Province of British Columbia a few
years ago canceled contracts because they thought sending data
to the United States wasn't safe enough. There have been
several discussions in European Parliaments this year that,
similarly, having databases in the United States is not safe
enough for the data of European citizens.
Now, when we have these important information services,
cloud computing, Internet sales, other U.S. areas of
leadership, we can't just ignore the rest of the world in this
case. And here is why. Many of the U.S.-based companies have
assets in these countries. We have employees in these
countries. In Germany, for instance, one of the German
States imposed a 60,000 euro fine this week on a financial firm
for affiliate sharing. When the German regulators do this, they
can go after American companies' assets overseas. We have seen
that Italy has even gone against a Google employee on a
criminal basis.
So we are stuck in a world where they have national
jurisdiction and national legislation. I think the question
then is how do we engage, how do we find a way for the United
States to best have our self-regulatory, our good privacy
principle, but our nonintrusive approaches, but also explain to
the rest of the world how to stop this protectionism.
I think we should maintain our own privacy legal structure.
Baseline principles I think are the way to go, baseline
legislation if possible. The risk is that we do so little that
the rest of the world says we don't do enough at all and shuts
us out. And I think that is something to avoid.
Thank you, Madam Chairman.
[The prepared statement of Mr. Swire follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Mrs. Bono Mack. Thank you, Professor. I appreciate very
much all of your testimony, and apologize for always having to
rush to get it in under 5 minutes. But now I will recognize
myself for the first 5 minutes of questioning.
Professor Tucker, to you, in your research how did you
account for the difference between what European privacy
regulations say on paper and then how they are actually
enforced? And what does that difference mean for those who
would suggest we model U.S. privacy regulations on European
ones?
Ms. Tucker. So my study, because it is an empirical study,
is really a study of how firms interpreted the laws, with all
their ambiguity, all the lack of clarity, all the uncertainty.
And when I talk to people about my results, what has been
really emphasized to me is the extent when laws are written in
a vague way and people don't really quite know what they mean,
often counsel do urge the company to take a very conservative
and cautious approach.
So I think one way, you know, of understanding that gap is
if there is a gap between what was intended and what companies
are doing, it often tends to be conservative, because companies
obviously do not want the bad publicity associated with being
found guilty of privacy violations.
Mrs. Bono Mack. Thank you. In your testimony you state you
would like to see research that tests elements of a ``do not
track'' technology, because your research shows some forms of
consumer choice regarding their privacy can improve advertising
effectiveness. Can you explain further what you mean?
Ms. Tucker. Yes. So this is a separate study, where I
actually looked at online advertising on Facebook. And you may
remember a year ago Facebook was under a lot of pressure, and
they actually implemented a whole new series of privacy
controls. And what we saw is that when we actually gave users
control over their own privacy and how their personal
information was being used, that it has actually a large
improvement in terms of how willing people were to click on
relatively personalized advertising.
Mrs. Bono Mack. Thank you. And I kind of have a golden
question. And I will go to you, Professor, and then let each of
you take a swipe at this one. What questions do you all think
need to be answered for us to understand how restrictions on
data could affect digital media and services? And I will start
with you, Professor Tucker, on that.
Ms. Tucker. OK. So I feel--I mean I am constantly
frustrated by how little empirical research there is out there.
And as a policymaker, we found it hugely difficult to try and
say what matters and what doesn't in terms of actually
affecting consumer response. So I think what we really need is
more research on trying to understand, well, if we do have to
have regulation, how can we make it good regulation which
actually benefits firms and consumers at the same time? Thereby
through giving trust, encouraging consumers to trust companies,
and therefore getting some benefits, while hopefully not
costing firms so greatly.
Mr. Pratt. You are right, that is a big question. So I
think the question I would ask, if I was sort of sitting up
there rather than here, would be how all the innovation here
that we see on the Internet really is U.S.-based. I think
Professor Swire is right, we really have the edge as a country.
It is because of the freedom that we have to have innovated
that all these innovations are here that are moving around the
world. But we also know that the Internet, all the free stuff,
all the free stuff is monetized in some way. It is supported by
an economy. And I think the key question, which I have heard in
some other hearings, is so if we are going to strip away a lot
of what supports, you know, what is the economy that supports
the way that we interact with the Internet today, what takes
its place and what is the consequence of a whole different
system of billing individuals for participating in powerful
tools, search engines, and so on and so forth? So I think this
monetizing economy question is sort of fundamentally important.
But I would certainly agree that go slow and seek empirical
answers is awfully important as well. So there is no reason to
rush to some immediate conclusion.
Mrs. Bono Mack. Thank you. Ms. Bruening?
Ms. Bruening. Yes. I think it was acknowledged earlier
today already that so much of what we think about privacy is
very culturally based, it is based on history, and experience,
and mores, and we are going to be hard pressed to convince one
part of the world or another that our way is better. And we
certainly don't want to adapt their approaches.
At the same time, global flows of data are critical to our
economy, to the world economy. They have to be robust in order
to keep economic growth going. And it is so necessary right
now. So the question becomes how do we respect these divergent
ideas about privacy and yet have an interoperable system that
allows for those data flows? And I think trying to figure out
how you create that system is going to be really, really
important.
I think the other question is, you know, we keep hearing
about how companies need more flexibility to process data than
is perhaps allowed for in something like the directive. And
even in many ways in the kinds of rules and regulations we have
here in the United States. So again, how do you provide that
flexibility in a way that also requires that companies assess
the risks that they are raising for individuals when they are
using that data, and that they mitigate those risks so that
they are accountable for the way in which they are using data?
Mrs. Bono Mack. Thank you. Professor Swire, I apologize. My
time has expired. But I know that some of my colleagues will
jump to you. So I would like to recognize Mr. Butterfield for 5
minutes.
Mr. Butterfield. Thank you. Dr. Tucker, I thank you for
your testimony. Obviously, it is very thoughtful. And I
certainly don't want to make light of your research. And it is
important research that can and should contribute to our
decision-making process. But because those who oppose privacy
legislation have touted it as their rationale for opposition, I
want to summarize what we know.
This study looks at a universe of ads that are not very
effective to begin with. Then it concludes that those not very
effective ads have become even less effective as a result of
European countries' efforts to protect consumers' privacy. And
so we need to certainly continue that conversation.
A couple years ago, Mr. Swire, the RAND Corporation
authored a report reviewing the strengths and weaknesses of the
EU's Data Protection Directive. The directive contains a set of
data protection principles. Each of the 27 countries then has
its own set of laws implementing those principles. One of the
goals of the directive was to set out a framework to bring the
laws of each individual country closer together so the EU could
truly function as one market.
We are talking about 27 different sovereign countries. So
at the end of the day, there were bound to have been some
differences, around the edges at the very least, in how they
interpret and carry out the directive. But the RAND report
concludes that one of the strengths of the directive is that it
has harmonized data protection principles, and to a certain
extent enabled an internal market for personal data. It cites
as evidence the implementation of legal rules across Europe
that have greater compatibility than prior to the directive's
introduction. In other words, the legal rules of each of those
countries have come closer together than they were prior to the
directive.
Professor, can you please comment, if you will, on this
observation generally? And in particular, can you please
discuss whether and how this convergence in the legal rules of
27 countries has actually benefited the U.S. and other
companies trying to do business in the European Union?
That is a very comprehensive question. You have a couple
minutes to respond.
Mr. Swire. I won't take all your time. Thank you,
Congressman.
When the directive was first being considered in the early
1990s, there were two big goals. One of the goals was to
protect privacy, but the real driver was the Common Market,
which is what you were talking about, which is there is
supposed to be free flow of information between Italy and
France and Germany, and now all the other countries. And so the
directive was set up so that the ceiling and floor were
supposed to be pretty close together. So it wasn't total
preemption, it wasn't exactly the same everywhere, but if it
had been a great big difference, now it is supposed to be a
much, much smaller difference.
And we know in the United States we face this, your
committee faces this on preemption for data breach and the
rest. If the things are pretty darn close, a lot of time
companies can deal with it. That is what the directive was
supposed to do. In practice, it probably hasn't always achieved
that. But that free flow of information within Europe was one
of the two main goals for creating the whole thing.
Mr. Butterfield. Thank you. We still have some time.
Professor, in your testimony you state that prior to
implementation of the Safe Harbor agreement that you helped
negotiate, there was widespread perception that American-based
companies were subject to stricter privacy enforcement in
Europe than EU-based companies. As U.S. leaders, we, of course,
hear about the problems faced by our companies in dealing with
the regulatory regimes of other countries. And we, of course,
hear complaints about unfair treatment and enforcement. And
when it is a giant like Microsoft, Google, or Facebook,
everyone is going to read and hear about it if an EU country
goes after them.
Given all of this, sir, some of us might still be under the
impression that the U.S. companies are treated differently and
more strictly when it comes to enforcement of EU data
protection rules. I think you know where I am going with that.
Please help me with it.
Mr. Swire. I will try to help, sir.
Mr. Butterfield. Yes.
Mr. Swire. So my view is in the early period there was a
highly visible focus on U.S.-based companies for enforcement.
The enforcement action this week that I mentioned in Germany in
the financial area was against a German company, dealing with
German providers. And over time a far bigger fraction of
enforcement actions, as I understand it, have been for European
companies, and not focused on the U.S. We should always look
for problems with that discriminatory treatment, and we should
step in when we see it. But the point about discriminatory
treatment is if we just say we don't care about privacy, it
strengthens the hand of European enforcers who want to go after
U.S. companies, because they think they can't trust it when the
data comes here. So just saying we don't care or we don't do
that here really raises the risk of focus on the U.S.
enforcement--enforcement against U.S. companies.
Mr. Butterfield. So there is some perception of singling
out of U.S. companies?
Mr. Swire. My sense is that you know, the home field
advantage is quite important. I am from Ohio State, and we
believe in the home field advantage. And you know, this sort of
thing happens. And the U.S. Constitution has a diversity
jurisdiction so that if you are out of State you get Federal
judges to help you.
So that is a concern. But if we are able to keep showing
that in the U.S. we do basically a solid job on privacy, then
that is an enormous answer back to the people who want to be
protectionist.
Mr. Butterfield. Thank you. Very helpful. Thank you.
Mrs. Bono Mack. I thank the gentleman. And the Professor
would note that the chair is a U.S.C. Trojan grad.
Mr. Swire. Also a fine team, ma'am.
Mrs. Bono Mack. Thank you. The chair will recognize Mr.
Stearns for 5 minutes.
Mr. Stearns. Thank you, Madam Chair. Dr. Tucker, it just
seems to me it comes down to that there are two questions here.
If we don't adopt privacy regulation like the European Union,
then in a sense we are shut out of their market. And if other
countries in Latin America and others that are taking the
European Union as a standard and moving in that direction, then
we have around us, whether it is Latin America, Europe, we have
all these countries that are subscribing to the European Union
model, then in a way we are disadvantaged.
So that is one question. And the other question is, though,
that, you know, when you look at it, you know, Google, and
Twitter, and YouTube, and Facebook, and Groupon, all these came
because of the innovation here in the United States. It didn't
come from Europe, it didn't come from Latin America. So if we
adopt the European Union model that everything has to be opt-
in, then the innovation that comes from behavioral
advertising--we all agree that financial and health records
should be protected; that is OK--but some of the behavioral
advertising works to the benefit of the consumer. Groupon is a
good example. You can get ads now that it will give you a
discount on things that you might not have thought of, but it
is in your behavioral interests. And so, you know, it is caught
between those two, whether the United States succumbs to the
European model and loses its innovation, or at the same time
does the European Union--we just say we are not going to do it,
and continue our innovation, and who knows what will come up
besides another Facebook or Twitter?
So I guess my question is do you believe there is a
demonstrated harm to consumers from being tracked online for
the purpose of being served targeted ads?
Ms. Tucker. OK.
Mr. Stearns. Amen.
Ms. Tucker. Amen. OK. So there are three questions embedded
there.
Mr. Stearns. This is the only question I have.
Ms. Tucker. This is the only question.
Mr. Stearns. Because if you can show from your models or
your empirical evidence that we are better off with innovation,
then why don't we convince the Europeans to be like us? Which
we can't do, but I understand.
Ms. Tucker. So we have tried to run some initial studies to
see how customers respond to personalized advertising. We
haven't seen any behavioral evidence they are navigating away or
appear to be unhappy about being shown it. Beyond that----
Mr. Stearns. But can't you say there is substantial
benefits to consumers from having this model that we have in
the United States? Wouldn't you say that is true?
Ms. Tucker. Well, I mean in terms of how many wonderful
free and innovative services are supported through advertising,
I mean I would say definitely.
Mr. Stearns. Let me just go down. Mr. Pratt, do you have a
comment on this question? Basically, is there a demonstrated
harm to consumers from being tracked online for the purpose of
being served targeted ads, in your opinion?
Mr. Pratt. You know, our world, the CDIA world, is the risk
management world. But you know, you have no risk management
decisions if you don't reach the right consumer with the right
offer at the right time. So it begins with how we reach
consumers. And in all parts of our industry, even among the CDIA's
members, consumers are online more than ever before. When
consumers get free credit reports, they go online to get them.
So the bottom line is it is desperately important that we have
very effective mechanisms for connecting consumers with
products. It empowers businesses. It is a home run, in my
opinion. So you have got to have it. We do have it. We should
be really careful about how we do harm to it.
Mr. Stearns. And you would not favor the European model?
Mr. Pratt. Well, we don't. You have heard that in our
testimony. We are unequivocally opposed to importing that.
Mr. Stearns. All right. Ms. Bruening?
Ms. Bruening. I have not seen any empirical evidence about
harm to consumers based on behavioral targeting. What I would
say, though, is that the way we define harm in the United
States is fairly circumscribed. We talk about it in terms of
physical harm, financial harm. I think there is a growing
recognition that harm may take different forms, that
reputational harm, I think with the advent of social
networking, has shown us that there are other harms involved.
Reputational harm is one of them. I think there is a concern
amongst consumers about how much data is being collected about
them and how it is being used, and that there is not enough
clarity about that.
So to say, you know, that there has been empirical
evidence, I have not seen that, but I would not say that there
is no harm at all if that is--if that is a practice that there
is not the appropriate assessment of risk and mitigation of
risk on the part of companies who are engaging in it.
Mr. Stearns. Professor Swire?
Mr. Swire. Yes. Is there any harm to consumers? One answer
is it is a reason to have effective data breach protection.
Mr. Stearns. The question is more is there demonstrated
harm to consumers that you have seen?
Mr. Swire. I think the demonstrated harm comes when there
is data breaches and all the information about me gets leaked
out. And then with the identity----
Mr. Stearns. But that is a security problem, not
necessarily a privacy problem.
Mr. Swire. If everything is in the database, there is a
bigger risk when it gets leaked.
Mr. Stearns. But if we have a good data security bill, and
we say to the companies that you have to have a security
officer, and you have to have it encrypted, and you have to be
protected, that is different than just having behavioral
advertising out there in which customers use it to buy things.
So I am just asking have you found any demonstrated harm, any
empirical----
Mr. Swire. I pointed to the biggest harm, which is when it
leaks out.
Mr. Stearns. All right. Thank you, Madam Chair.
Mrs. Bono Mack. Thank the gentleman. And now recognize Mr.
Pompeo for 5 minutes.
Mr. Pompeo. I will waive.
Mrs. Bono Mack. And he waives. And Ms. Blackburn for 5
minutes.
Mrs. Blackburn. Thank you, Madam Chairman. And I apologize
to you and the witnesses for being late to the hearing. I had a
mandatory meeting that ran long, and I was a little bit
detained. I do have a couple of articles that I want to submit
for the record. They are from Financial Times. One is
``Companies in Confusion Over Cookie Laws'' and the other is
``Dutch Cookie Law May Lead to Online Exodus.'' And I would ask
to submit those for the record.
Mrs. Bono Mack. Without objection.
[The information follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Mrs. Blackburn. Thank you. I think that as Mr. Pratt said
earlier, most of the innovation that has taken place in the
digital revolution has come from here in the U.S. And I think
there is no mistake in what that reason is. And that you can
look at what is happening with the EU model, and it does cause
you to back up and say, you know, if our job--if our goal is to
grow jobs, to expand the virtual marketplace, the virtual
economy, then we are going to need to continue with a more
flexible approach and make certain that we are protecting data,
but that also we are allowing the use of that data in some
ways.
I think the lack of implementation and variance in local
interpretations on this cookie law, from what I have read,
creates incredible uncertainty. And one of the things we are
hearing right now from employers is they don't like the amount
of regulatory uncertainty that is coming out of Washington
because they don't know what their next step should be. And
they also don't like the compliance cost, that there is an
uncertainty built into that also.
So Mr. Pratt and Ms. Bruening, I would like for you to talk
for just a little bit about the impact that the uncertainty and
the rising compliance costs have on business. And then Dr.
Tucker, as you address that, I want to go back to something
that Mr. Butterfield was saying. And let's talk about the
multinational companies and what you are seeing with what the
application is to them. What is the cost to them? What is the
lost opportunity cost that is going to be there to those
multinational companies? And then for your companies that are
local European companies, how are they going to lose out? So
Ms. Bruening, to you first, and then to Mr. Pratt, and then to
Dr. Tucker.
Ms. Bruening. Thank you. I would say that the biggest
indication of the concerns of businesses about uncertainty and
compliance costs is what we see at the Centre for
Information Policy Leadership is their continued engagement in
processes and deliberations internationally that would help to
create more streamlined approaches to compliance. I think that
many leadership companies are spending a great deal of time and
resources engaging in processes at APEC. We are leading an
international project on accountability that we have
participants from the EU, North America, and Asia working on
this with us, trying to figure out ways to make compliance more
streamlined, to make it more certain, to give companies more
flexibility, but also provide the appropriate privacy
protections.
Mrs. Blackburn. Great. Mr. Pratt?
Mr. Pratt. I think the greatest uncertainty we could insert
into the U.S. would be to create an umbrella entity, which is
really what you have in Europe and in the various European
Union member countries, and that is a data protection authority
that essentially by fiat can make any decision about any data
flow. To me, this is just abrogating the Congressional
responsibility to legislate. It is empowering a regulator to
then make decisions about commerce in a way that I just think
is unhealthy. That kind of uncertainty makes it hard to
innovate. You don't innovate first. You go to your lawyers and
say what do you think they are going to say? And then maybe you
build that product, maybe you don't. Maybe you roll the dice,
maybe you don't. And I think it begins to impinge on the
freedom to innovate.
That is one of the many reasons why we don't think the
European model is a good one to look at. We are not
isolationists. We deal with the international dialogues. We
have members who support these very international dialogues
that she is referring to. We participated, actually, as a
private company, as a private trade association in the EU Safe
Harbor negotiations that took place way back when. We want data
flows. We want that competition for our U.S.-based companies as
well. We are global companies. But let's just make sure that we
don't stifle what has been best.
Mrs. Blackburn. Dr. Tucker?
Ms. Tucker. So quickly, as we are out of time, the firms
that have been really hurt have been the small firms on two
dimensions. First of all, it is expensive to try and work out
what these laws mean. Secondly, if you are a small start-up Web
site, you are trying to get customers to opt in. When they are
uncertain about whether or not to opt in, it is going to be
harder for you to get that kind of consent.
Mrs. Blackburn. Thank you. Yield back.
Mrs. Bono Mack. I thank the gentlelady, and am happy to
note it looks like we have concluded the hearing before the
floor votes. I would like to thank the panelists all very much.
It is clear that everybody in this room has learned something
today, and cares deeply about these issues as we move these
forward.
This was our second in a series of privacy hearings that we
will be holding this year. I look forward to our continued
discussions on how we can best balance the need to remain
innovative with the need to protect consumer privacy.
I remind members that they have 10 business days to submit
further questions for the record. And I ask the witnesses to
please respond promptly to any questions they receive.
Mr. Butterfield. Madam Chairman?
Mrs. Bono Mack. Yes.
Mr. Butterfield. May I be recognized for the purpose of
offering a letter into the record, please?
Mrs. Bono Mack. The gentleman is recognized.
Mr. Butterfield. I have a letter in my possession from the
TransAtlantic Consumer Dialogue addressed to the chairman and
to the ranking member. I ask unanimous consent that it be
included in the record.
Mrs. Bono Mack. Without objection.
[The information follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Mrs. Bono Mack. And again, the hearing is now adjourned.
Thank you all very much.
[Whereupon, at 12:40 p.m., the subcommittee was adjourned.]