Data Commissioners Conference in Jerusalem Focuses on Future of Privacy, Cooperation and Enforcement

Last week, we joined privacy regulators, practitioners and industry representatives from around the world in Jerusalem for the 32nd International Conference of Data Protection and Privacy Commissioners. On numerous panels, conference participants engaged in lively discussions about privacy compliance and enforcement as well as the future of privacy in light of evolving consumer expectations and advances in technology that tracks and identifies individuals.

In discussions about the current state and future of privacy, some industry representatives took the position that active sharing by consumers of personal data online, including through social networks, is a vote of confidence in the current approach to privacy regulation. In response, some of the regulators and academics called for stronger privacy protections, arguing that consumers are still unaware of the consequences of disclosing their personal data. Notably, opinions on the state and future of privacy did not necessarily split along the industry/regulator lines. Rather, some industry representatives took a decidedly pro-consumer view of privacy protection, seeing it as a good business practice, while some of the privacy regulators, including the Israeli regulator and some of the European officials, sought to balance privacy protection with the interests of the business community.

On the issue of privacy compliance, participants agreed that Europe continues to be a difficult landscape to navigate in understanding the applicability of local data protection laws to personal data processing activities. At the same time, European panelists acknowledged that diverging views on jurisdiction may not be compatible with the fact that data flows do not know physical borders, and called for more uniformity among EU member states.

The topic of privacy enforcement generated great interest among conference participants. It continues to be a source of frustration for the industry and privacy practitioners. At the conference, panelists acknowledged limitations and inconsistencies of the various privacy enforcement regimes. For example, many of the European regulators are constrained by limitations on their investigative or enforcement authority or discretion as to which consumer complaints to address, as well as budgetary constraints. U.S. regulators appear to be taking privacy seriously. The conference was well-attended by representatives of a number of U.S. federal agencies, including the Federal Trade Commission, the State Department, Commerce Department, and the Department of Homeland Security. The FTC’s Director of the Bureau of Consumer Protection David Vladeck explained that the FTC is choosing its enforcement actions carefully to give guidance to the industry as to which practices the Commission considers unacceptable. The FTC’s expectation is that the industry will follow the guidance provided by its privacy enforcement actions. At the same time, the Commission is ready to increase enforcement if it believes that privacy compliance levels are unsatisfactory. Panelists also suggested that private action enforcement, such as class actions in the U.S. and group actions in Europe, may be gaining steam, although the practice is still in its infancy.

At the conclusion of the conference, the commissioners took a step in increasing international cooperation on privacy matters by admitting the FTC into membership in the conference. The admission is a vote of confidence in the FTC’s authority and independence in enforcing privacy regulations. It is also without a doubt the result of the FTC’s increased cooperation with European data protection commissioners. According to the FTC’s David Vladeck, this joint work will continue.

There are many more lessons learned from the Jerusalem conference that we expect to mention in future posts, so please stay tuned.