A Bill of Rights dedicated to consumer privacy is huge. The US, which enforces a quilt of privacy statutes, will have some coherent guidance rooted in a sort of fundamental law, such as a Bill of Rights.
Data protection (or informational privacy) reform is as full of energy as a volcano on both sides of the Atlantic. While the European Commission publicized its proposed data protection regulation exactly a month ago, its US counterpart yesterday published a White Paper containing substantial privacy reforms.
The Bill of Rights is part of the new privacy framework presented in the White Paper, which encompasses three more components: a multi-stakeholder process to determine how these rights will apply in specific business contexts; an effective enforcement model; and greater interoperability between the privacy frameworks of the United States and its international partners.
Taking a first look at the Bill of Rights, I noticed it uses the notion of “personal data”, just like the EU data protection legislation, and not “personally identifiable information”. It defines personal data as “any data, including aggregations of data, which is linkable to a specific individual”. The definition is also similar to the EU definition of personal data, according to which personal data is any information related to an identified or identifiable person.
What is interesting is that the US privacy Bill of Rights recognizes directly that “Personal data may include data that is linked to a specific computer or other device”, while in the EU this is an almost endless discussion (whether or not the IP address falls under the provisions of the data protection Directive).
I should note that the Bill of Rights is not enforceable per se, but “The Administration supports Federal legislation that adopts the principles of the Consumer Privacy Bill of Rights”.
Another common point of the EU and the new US privacy Bill of Rights is the reference to codes of conduct. While the EU regulates in detail what a code of conduct is and how it should be used in the proposed data protection regulation, the US also recognizes such means for protecting informational privacy: “Even without legislation, the Administration will convene multistakeholder processes that use these rights as a template for codes of conduct that are enforceable by the Federal Trade Commission.”
Another statement included in the Privacy Bill of Rights indicates that one of the main reasons it was adopted is precisely compliance with EU data protection standards: “These elements—the Consumer Privacy Bill of Rights, codes of conduct, and strong enforcement—will increase interoperability between the U.S. consumer data privacy framework and those of our international partners”.
I also have to underline that the US Bill of Rights envisages “consumers”, while the EU data protection legislation refers to “any person”. The two concepts are evidently not identical. Nonetheless, the EC Directive on the protection of personal data in electronic communications is also somewhat more oriented toward protecting a consumer than a mere individual.
If you want to take a closer look at the Bill of Rights yourself, be my guest: http://www.hldataprotection.com/uploads/file/White%20Paper.pdf
Also, you can find HERE more on the White Paper and the Bill of Rights.