In my former government career, I recall one of those transformational moments where you realize things are going to be much harder than you could ever imagine. Ridiculously hard.
The moment was in the fall of 2006 and involved meetings between European Union (EU) and United States (US) Government officials on the possibility of a transatlantic data sharing agreement. This was the first meeting of the High-Level Contact Group (HLCG), composed of senior officials from the European Commission, the European Council Presidency, and the Departments of Homeland Security, Justice, and State. We met in 2006 to start discussions on data privacy in the exchange of information for law enforcement purposes, as part of wider discussions on how best to prevent and fight terrorism and serious transnational crime. Sitting in the room, my immediate thought was that this should be straightforward as both the US and the EU Member States followed the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data adopted in 1980 (“Guidelines”). The Guidelines are based on the Fair Information Practices or Fair Information Practice Principles (FIPPs), which had been embraced by the US government as well as the EU.
Achieving a shared view based on the FIPPs did not turn out to be as easy as I thought. The HLCG discussion went on for two years ending in 2008 and while the FIPPs were not questioned, the final report noted areas outside of privacy for further cooperation, urging experts from both sides to examine issues related to redress and issues related to the equivalent and reciprocal application of data privacy law principle. The report set the stage for the years of discussions that culminated in 2016 in the “Umbrella Agreement.”
In entering into the Umbrella Agreement, the parties issued a joint statement emphasizing that they “share common values of democracy, rule of law and respect for human rights and fundamental freedoms.” Not only did they share those values, but they also shared a commitment to the FIPPs. By the conclusion of the agreement, I had left government service and while I congratulated my former colleagues who had seen it through, I kept thinking, “did it have to be this hard?”
Earlier this spring, I posted that I was co-teaching a seminar with Professor Alex Joel at American University Washington College of Law on Privacy Across Borders. The course has taken the students through application of the FIPPs in multiple cross border data sharing frameworks including the Passenger Name Records (PNR) agreement, Privacy Shield, the Umbrella Agreement, the APEC Cross Border Privacy Rules (CBPR), and even the US-Mexico-Canada Agreement’s Chapter 19 on Digital Trade. In each case, we reviewed side-by-side comparisons matching elements of the FIPPs with the framework at hand. The students could see a pattern that the FIPPs can serve as a basis for data transfers across borders. I have written a brief paper here that maps out these commonalities.
My hope is that between teaching future policy makers and bringing together policy experts currently working in the area, future agreements “shouldn’t be that hard.”