Privacy executives from Google, Microsoft and Facebook say that privacy protections in the US are stronger than assumed by Europeans. However, they do not intend to offer varying degrees of protection to users worldwide if they are required by EU law to guarantee a greater degree of protection to Europeans.
In a wide-ranging discussion here last week at the annual RSA Conference, the top privacy executives for the firms discussed privacy policies, regulation and innovation. All three companies have their European base in Ireland.
Robust regime
Facebook privacy officer Erin Egan said international regulatory discussions did not give enough credit to the US.
"What we worry about with the call for comprehensive privacy protection in the US is it sends out a message" that the US is not strong on privacy regulation, when oversight now included state and federal agencies such as the Federal Communications Commission and Federal Trade Commission, she said.
“We actually have a very robust privacy regime, and that is what we want to make our international counterparts understand when they think about ensuring the free flow of information between the US and EU,” she said, in an indirect reference to fraught negotiations between EU and US officials to revise the Safe Harbour principles that govern cross-border data transfers.
The European Court of Justice is currently considering whether the Safe Harbour regime is adequate. This is part of a referred Irish case in which Austrian law graduate Max Schrems has argued the Irish Data Protection Commissioner failed to ensure his Facebook data was adequately protected.
Google privacy officer Keith Enright said the company – which is currently under EU investigation for its dominance in the European online advertising market – has "probably had as much dialogue with European regulators as any company in the world".
Google has always been committed “to providing the best possible product and service to every Google user everywhere in the world.
“That means the best privacy protections, the best privacy controls, the best security. We have no intention of fragmenting that and providing a different service to one place than we provide in another place,” he said.
Enright said any international company now has to consider whether, due “to some individual regulatory idiosyncrasies, and more specific demands from regulators in some countries, you may end up with some fragmentation in your offerings.
“But I wouldn’t say that’s a model for better privacy protection in the EU.
"In fact, if we learn things from our engagement from regulators in the European Union that are better for privacy and can help us develop better privacy controls and better products and services, then we are going to make them available to our users all over the world."
Egan said Facebook had its European base in Ireland and said the company complied with Irish regulation and thus with EU law.
“We actually made changes to our user service worldwide in response to the Irish Data Protection Commissioner,” she said, referring to the company's response to two much-publicised audits of Facebook by the Data Protection Commissioner.
Arguments
In a reference to ongoing arguments among European officials on a proposed new data protection regulation, Egan said: “I think the real risk in Europe is not the Europe vs the US [regulatory environments]. What I’m worried about now is that there are going to be 28 member states with 28 different legal regimes, and that’s going to be really hard not just for our company, which is big, but really for the small developers and the small innovators around the world.”