Fred H. Cate

Building a data sharing model for global genomic research

Data sharing models designed to facilitate global business provide insights for improving transborder genomic data sharing. We argue that a flexible, externally endorsed, multilateral arrangement, combined with an objective third-party assurance mechanism, can effectively balance privacy with the need to share genomic data globally.

The Limits of Notice and Choice

The US Federal Trade Commission (FTC) has embarked on a series of three workshops on exploring privacy. The first, in December 2009 in Washington, DC, focused on market and regulatory issues; the second, in January in Berkeley, California, examined technological issues; and the third, scheduled for March in Washington again, will focus on possible solutions. But after hearing from more than 70 speakers at two standing-room only workshops, at least one theme is emerging: notice and choice are inadequate tools for protecting information privacy or security.

Protecting Privacy in Health Research: The Limits of Individual Choice

Introduction.1766 I. The Critique of Choice.1771 A. Inaccessibility.1771 B. Inadequate to Motivate Action.1772 C. The Absence of Choice.1772 D. The Illusion of Choice.1773 E. Inadequate Privacy Protection.1773 F. False Dichotomy.1775 G. Burden on the Individual.1775 H. The Cost of Providing Choice.1776 I. Government Access to Personal Data Unaffected.1776 J. Choice As a Disservice to Individuals.1777 II. Health Research and Its Regulation.1778 A. The Role of Personal Data in Health Research.1778 1. Information-Based Health Research.1778 2. Personalized Medicine and Genetic Analysis.1779 3. Data-Based Health Research.1781 B. Autonomy and Informed Consent.1783 C. The Common Rule.1784 III. The Privacy Rule.1786 A. Basic Requirements.1786

The Changing Face of Privacy Protection in the European Union and the United States

Among the wide variety of national and multinational legal regimes for protecting privacy, two dominant models have emerged, reflecting two very different approaches to the control of information. The European Union has enacted a sweeping data protection directive that imposes significant restrictions on most data collection, processing, dissemination, and storage activities, not only within Europe, but throughout the world if the data originates in a member state. The United States has taken a very different approach that extensively regulates government processing of data, while facilitating private, market-based initiatives to address private sector data processing. Under the EU data protection directive, information privacy is a basic human right; the failure of the U.S. legal system to treat it as such offends European values and has led the EU to threaten to suspend information flows to the United States. This threat is understandable in light of the directives treatment of privacy as a human right, and necessary if the privacy of European nationals is to be protected effectively in a global information economy. In the United States, however, the government is constitutionally prohibited under the First Amendment from interfering with the flow of information, except in the most compelling circumstances. The EU data protection directive is plainly contrary to that constitutional maxim, and the suggestion that the directive should be extended to the United States exacerbates that conflict, as well as threatens U.S. leadership in information technologies and services. This Article examines the expanding conflict and emerging compromises between the European Union and the United States over data protection. After describing each of the legal regimes and the principles that undergird them, the article concludes by addressing the conflict between those principles, current political efforts to minimize that conflict, and the inadequacies of both systems in the context of the Internet.

A Transatlantic Convergence on Privacy

Both the European Union and US recently released major reports on privacy. These significant and long-awaited government reports provide new insights into how regulators on both sides of the Atlantic view privacy challenges. They also reveal the extent to which those views are converging.

LIFESAVING CONNECTIONS : COMMUNICATIONS, COORDINATION, AND TRANSPLANTATION

Thousands of people suffer and die, and numerous biomedical experiments are cancelled or scaled back each year because of an unnecessary shortage of organs and tissues for transplantation and research. Exacerbating the shortage is the absence of effective national coordination of organ and tissue procurement and the lack of systematic attention given to educating the public and the medical profession about transplantation and donation. The National Organ Transplant Act, passed by Congress in 1984, was an incomplete, narrowly focused, and inadequately funded effort to address these issues. We recommend the more effective use of advanced communications technologies and skills to assure a unified, concerted effort to bring the benefits of donated organs and tissues to greater numbers of Americans. We must ensure that advances in computers, telecommunications, mass media, and interpersonal communications are employed to ensure the coordination of procurement agencies with each other and with physicians and biomedical researchers, the systematic education of physicians and families, and the increased involvement of the public. Realization of the full potential of transplantation will not be possible without a renewed spirit of cooperation, better funding, and sustained political support from both the public and policymakers.

The business of privacy

Over the last decade, privacy has become big business. Company executives hobnob with data protection regulators at conferences held all over the world; associations of privacy officers are experiencing exponential growth in membership; data protection has become a money-maker for consultancies and law firms (as well as for academics who provide consulting services); and lobbyists engage policy-makers in an effort to influence data protection and privacy regulation. In the past, data protection was seen mainly as a cost factor, but now it is increasingly becoming a way to make money, and to ensure the continued trust of customers, employees, and business partners. The economic importance of data processing makes it natural that the business of privacy would expand as well. Viewing privacy as a business opportunity can result in increased attention and resources being devoted to its protection. In recent years, governments and regulators have emphasized that respect for data protection and privacy should be seen as a way to strengthen confidence in online commerce, and have encouraged the growth of the professional side of privacy; indeed, there is evidence that viewing privacy as a business enabler can itself be a powerful factor to encourage respect for regulation. All of this has led more and more companies to take steps to protect privacy as a way to strengthen their brands and enhance customer confidence through measures such as appointing internal privacy compliance officers and taking the impact of business decisions on privacy into account before they are implemented, developments that are all to the good. At the same time, these developments raise questions. Most countries with data protection laws regard privacy as a fundamental right, and viewing the protection of a fundamental right as a money-making opportunity may seem distasteful. The number and cost of conferences and seminars covering privacy issues often seems excessive (not to mention the environmental implications of privacy experts travelling all over the world to attend them). The increasing number of professional firms offering consulting or legal services may have contributed to the emerging view of privacy compliance as a complex and costly exercise. And many smalland medium-sized companies struggle to afford the high cost of the privacy compliance industry, with the result that many simply ignore compliance altogether. It would be hypocritical for the editors to paint the ‘privacy industry’ in too negative a light, since each of us is involved in it in one way or another. On the contrary, we believe that creating economic incentives is one of the most effective ways to further privacy and data protection, and that the growth of privacy as a business area holds the potential to motivate compliance with privacy regulation and individual expectations not just as a matter of law, but for pragmatic economic reasons as well. We see nothing wrong per se with making money from data protection and privacy, as long as the monetary rewards are kept in proportion to the reasons that privacy is protected in the first place. Data protection is not purely a money-making activity like investment banking, but exists to protect fundamental values cherished by societies around the world. This means that everyone involved in the business of data privacy should ask not just how to make it more profitable for themselves, but also how they can use it to give something back to society. Making such contributions need not be a grandiose endeavour, and can include things such as writing articles to explain complicated legal issues to a wider audience; teaching data privacy law to students; and engaging in pro bono activities on behalf of individuals and small organizations. Indeed, we regard IDPL as a forum for discussing important issues of data protection and privacy law, and thus as a way to give something back to what we regard as one of the most fascinating and important areas of law.

The end of the beginning

As readers of IDPL are no doubt aware, on 25 January 2012 the European Commission published a proposal to reform the EU legal framework for data protection that has captured the attention of the data protection and privacy community around the world as have few other legislative initiatives in recent decades. The attention given to the proposal began even before it was officially released, as a ‘leaked’ preliminary draft found its way onto the Internet in late 2011 and precipitated a veritable feeding frenzy of attention. Since then, there have been numerous conferences, articles, blog entries, etc. devoted to the proposal, which will no doubt only increase as it works its way through the EU legislative process over the next few years. The intense attention given to the European Commission proposal is certainly justified. With the possible exception of the relevant provisions of the Lisbon Treaty, it is the biggest development in EU data protection law since enactment of Directive 95/46 in 1995. It is not just a redraft of the existing Directive, but an attempt to radically remake the EU legal framework. While individuals faced with increasing difficulty in asserting their data protection rights, and companies frustrated with the difficulty of complying with 27 divergent member state laws, had long known that the EU legal framework for data protection was broken, the realization took longer to dawn on member state governments and EU bureaucrats in Brussels. The jury is still out as to whether the proposal meets its intended objectives, and it is too early for any sort of definitive opinion on the details, given that numerous details of it will no doubt change substantially over time (indeed, it is possible that political factors may even cause the entire proposal to fall apart). But no matter what one thinks of it, at least the Commission has recognized the necessity of a root-and-branch revision of the law. Beyond the obvious data protection implications, the proposal serves as a laboratory to illustrate the current political tensions in the EU, and the compromises that will have to be made if a more pan-European conception of data protection law is to arise. The Commission’s decision to aim for complete harmonization of data protection law applicable to public authorities and the private sector via a regulation means that some member states are now faced with the prospect of having, as they see it, their existing national standards ‘watered down’, while others are concerned that the standards are being raised too high. This debate is an inevitable consequence of the changes brought by the Lisbon Treaty leading to a greater harmonization of fundamental rights law; since the data protection proposal is one of the first and most visible manifestations of these changes, it is proving to be a catalyst that will force governments and citizens to decide how much harmonization they really want. For years, many in the data protection community had been calling for greater harmonization, but some of the same actors are now also expressing concern about the loss of the special characteristics of their national data protection law, thus proving the truth of the adage ‘be careful what you wish for’. The proposal has important implications not only for the EU, but also for actors in both the public and private sectors around the world. Among just a few groups outside the EU affected by the proposal are non-EU governments seeking to share data with their counterparts in Europe, companies selling goods and services via the Internet to Europeans, and countries planning to enact data protection legislation based on the EU model. This last group deserves special attention, since in the last few years EU Directive 95/46 has found increasing favour as a model for numerous countries in other regions to use in drafting their own data protection legislation. The Directive has had the great advantage that it is a single legislative text that has also been analysed and used in practice for several years, thus making it an easy choice for countries

Privacy—an elusive concept

It is interesting to consider how difficult it is to describe what ‘privacy’ is. Attempts at defining privacy date back, at least, to Warren and Brandeis’ 1890’s description of it as the ‘right to be let alone’. Another, more recent, definition is that privacy is ‘The interest of a person in sheltering his or her life from unwanted interference or public scrutiny.’ Perhaps an even more sophisticated definition would be to say that privacy relates to ‘[m]aterial that so closely pertains to a person to his[/her] innermost thoughts, actions and relationships that he[/she] may legitimately claim the prerogative of deciding whether, with whom and under what circumstances he[she] will share it.’ None of these definitions could necessarily be said to be more correct than the others, but taken together they provide a useful composite view of what we mean when we talk about privacy. While it is notoriously difficult to define ‘privacy’, the other side of the coin is that virtually everyone thinks they know what privacy is, or instinctively has ideas as to what it entails. Privacy is also often described in terms of its tension with other objectives or interests, in particular the following three types of tension:

Government Access to Private-Sector Data

The paper is discussing governments access to private enterprise data to administer social service schemes, tax calculations, law enforcement and national security purposes.