European Union, US officials say they're getting closer on privacy

Top privacy regulators agreed Thursday that the United States and the European Union are moving closer in their approaches to protecting consumer privacy. But they still remain at odds over whether a U.S. national law is needed to ensure companies follow widely agreed upon privacy principles.

During a discussion on the U.S. and European approaches to privacy protection at the International Association of Privacy Professionals conference, EU Data Protection Supervisor Peter Hustinx agreed with Federal Trade Commission Chairman Jon Leibowitz that the two sides are moving closer but noted one key difference remains: the United States still lacks a broad privacy protection law.

"I see more convergence than divergence," Leibowitz said.

The European Commission is currently in the process of reviewing its broad privacy framework, which includes the EU's 1998 data protection law. Hustinx said the issues it plans to address include reducing the "diversity" in how the law is applied among the EU's 27 member countries and finding ways to make the privacy law more effective.

The EU review comes as the FTC is sifting through the nearly 450 comments it received on a staff report released in December on proposals for boosting consumer privacy. Leibowitz noted that British and French data protection authorities were among those who submitted comments on the FTC report and that they noted that many of the concepts in it are "ones being stressed in the new regulatory framework in the EU."

Hustinx said he was glad to see a recognition in the FTC report that the "status quo in the U.S. is not satisfactory."

The FTC, however, does not have the authority to impose rules implementing the proposals in its privacy report, power that Congress would need to grant the agency by passing privacy legislation.

While the FTC has endorsed a controversial proposal calling for the creation of a "do-not-track" system to allow consumers to opt out of Internet tracking, the commission has not taken a stand on whether Congress should pass baseline privacy legislation, Leibowitz noted after the event.

The issue of whether the United States' privacy laws are up to par with the EU is more than a philosophical exercise. The EU's privacy directive bars the flow of data from the EU to countries that do not have "adequate" privacy rules.

The U.S. mix of industry self-regulation and sector-specific privacy laws does not meet this standard on its own. As a result, the Commerce Department negotiated a safe harbor with the EU in the late 1990s for those U.S. firms that agree to abide by a set of principles on how they will treat consumer privacy, which include notice, choice, security and data integrity.

Both Hustinx and Leibowitz were asked whether the United States would meet this adequacy standard if the United States finally passed a broad privacy law. Hustinx said that the "trend is moving in the right direction if the principles [in the report] are delivered as binding, baseline binding principles." But he added that "whether this is adequate in a technical sense may not be so decisive."

During a later discussion, Daniel Sepulveda, a staffer who works on privacy and other tech issues for Senate Commerce Communications Subcommittee Chairman John Kerry, D-Mass., also discussed the issue. In responding to claims by two industry officials that the EU is becoming more open to self-regulation, Sepulveda said that without a "backstop" in law, the U.S. system of protecting privacy will not be found to be adequate by the EU.

Sepulveda's boss is working on his own privacy legislation. The Senate Commerce Committee plans to hold a hearing next week on privacy at which Leibowitz is set to appear as well as other government and industry officials.
