Working with the U.S.: a good conversation on data protection

How do you contribute to enhancing data protection at the international level? At the end of 2022, this question was the focus of a discussion ‘The Dutch and U.S. Approaches to Data Privacy: Envisioning a Shared Path Forward’.

Close-up van handen die op een laptop typen

Dutch data privacy experts discussed collaborations between Dutch and U.S. organizations and how they can strengthen data security and privacy practices. The session was moderated by Josh Kallmer, Head of Global Public Policy and Government Relations at Zoom. In 2022, Zoom strengthened data policies and practices according to GDPR and facilitated this session to exchange the US and EU perspectives on data privacy.

Security goes hand in hand with privacy

The basics of privacy and security start with technology and involve technical measures to protect data such as: the security of a website, a network, or a database in the cloud, which is key. Marlon Domingus, Data Protection Officer at Erasmus University Rotterdam (and chairman of the SURF Taskforce Beyond Privacy Shield), highlights that security goes hand in hand with privacy: “There is no zero-sum game. Privacy is just as important as security, they are interdependent and should be given equal priority.” 

Data minimisation should be standard

One of the privacy’s building blocks is data minimization. “Is it really necessary that you collect data on when a user opens and closes a document or changes the document name?” – questions Sjoera Nas, Senior Privacy Advisor at Privacy Company.  In her experience, a thorough analysis of the type of data an international company collects and why makes the privacy conversation with Data Protection authorities much more productive. Tobias Guenther, Privacy Counsel at Zoom, agrees that in the work of international tech companies adhering to strong privacy and security standards, minimization of data collection should be the default setting and one of the guiding principles in keeping commitments before customers. 

Data inventory

Another important step for “privacy by design” is taking stock of the data a company processes. “It is important that companies look beyond personal data within content and include other types of personal data (e.g., telemetry data) in their privacy assessments," says Sjoera Nas.

Transparency about data processing

Companies have to be transparent with users about the types of data they collect and process. “Users do not want to be surprised when they realize that the service they trust is using their data for purposes that were not agreed upon,” continues Marlon, “neglecting transparency means loss of users’ trust.” 

Data privacy plan with long-term strategy

Developing robust data privacy practices requires building a long-term strategy and thinking beyond data protection at a given moment. What will happen to privacy in 5 or 10 years time under the influence of machine learning and AI? Can we foresee that and act on it now? Rob van Eijk, Managing Director for Europe at the Future of Privacy Forum, says, “The key question is whether we should anticipate and develop additional control requirements for innovative technologies many companies start deploying. Following and meeting these requirements could be very costly, especially for small and medium businesses, SMBs, which, for example, might not have resources to conduct Data Protection Impact Assessment, DPIA, for AI-based solutions they are using.”

According to Sandy Janssen, Legal Counsel at SURF, the business and privacy community need to be on top of these developments. "Data protection agreements go beyond just legal agreements, they are also about agreements on taking technical measures. The vendor must ensure a privacy-friendly implementation of the application for the users who entrust their data to the vendor. This was a cornerstone principle of our collaboration with Zoom, which worked hard to meet the privacy expectations of SURF's members." Sandy says. For example, Zoom has updated their processor agreements, end-to-end encryption is possible in both one-to-one and group calls since November 2020, it will soon be possible to store most data in Europe, and helpdesk requests will be handled in the EU.

Government

In addition to these efforts, the privacy community and industry rely on governments that play the crucial role of setting the legal-ethical frameworks and forming the future policy landscape. Maintaining an ongoing international dialogue on the most critical data privacy questions forms the basis for long-lasting and effective global cooperation.

Executive order contributes to implementation of EU-US Data Privacy Framework

Discussing the examples of such cooperation, the experts welcome a new executive order recently signed by President Biden, contributing to the implementation of the EU-U.S. Data Privacy Framework. According to Rob van Eijk, it is an extraordinary decree, as he notes, “The framework prioritizes proportionality of data collection and storage rather than reasonableness, which is a much broader concept. This means there is less room for interpretation, making privacy a fundamental right and empowering citizens with additional control mechanisms over their data.”

Cooperation between Dutch and US organisations

On the other hand, the experts signal that privacy policies in the U.S. and the EU need more synchronization. “For example, in the U.S., data could be collected ‘just in case’ and used for innovation, research, and numerous other purposes. In contrast, in the EU, we approach data collection with more caution and develop our policies based on the principle that data belongs to users. The work on the EU-U.S. Data Privacy Framework is a step in the right direction of bringing two privacy approaches closer together, but there is still work to be done,” points out Sjoera Nas. This is why she advises that Dutch and U.S. organizations should continue to actively seek cooperation to ensure the highest data privacy and security standards.