“Specifically, we are considering the establishment of a multi-stakeholder process,” Nicole Lamb, assistant secretary of the International Trade Administration, told the congressional panel. The parties would produce agreed-upon codes of conduct and enforcement mechanisms, she said.
Such a structure could possibly provide consumers and businesses with a better way to redress privacy violations than is currently available under U.S. law, says Christopher Wolf, director of the Privacy and Information Management practice at the law firm Hogan Lovells.
The Commerce Department proposal represents a more collaborative approach to working with EU trading partners, said Swire at the hearing. Swire said collaboration and improved dialogue had already led to some convergence of U.S. and EU privacy practices in key areas.
One example he cited was the position of corporate privacy officer (CPO). European companies were the first to hire CPOs, but large U.S. corporations also now have CPOs.
Swire noted that the U.S. Federal Trade Commission, which has played a stronger role in data privacy-related enforcement efforts in recent years, has already strengthened its dialogue with EU agencies and regulators. Swire and other experts have also noted convergence in additional areas, including data breach notification, data minimization, and limitations on data retention.
The EU, for its part, is currently making major changes to its data protection and privacy laws. Last year, member states were required to finalize national laws to comply with revisions to the Privacy and Electronic Communications Directive (PECD). Changes to the PECD, which was written to compliment the EU’s broader Privacy Directive, aim to strengthen consumers’ control over their online privacy. Among other new requirements imposed by the changes, Web sites will need to let users “opt in,” as opposed to the currently more common option of “opting out,” when it comes to having information-tracking electronic “cookies” placed on their computers or devices.