TABLE 5.2 Diverse approaches to privacy, data protection, and breach notification
Sectoral approach to privacy/data protection: Brazil, Dubai, Greenland, India, Singapore, Thailand, the United States, and Zimbabwe
Recognized by the EU as having adequate data: Andorra, Argentina, Canada, the EU, Guernsey, Israel, Jersey, New Zealand, Switzerland, the Faroe Islands, the Isle of Man, and Uruguay
Privacy/data protection laws considered generally compatible with the APEC Privacy Framework: Argentina, Australia, Canada, the EU, Japan, Korea, Malaysia, Mexico, Russia, Singapore, and the United
Mandatory reporting of data breaches: Austria, Germany, Norway, Spain, Mexico, the United Arab Emirates, the United States (46 states, the District of Columbia, Puerto Rico, and the U.S.
Sources: BSA, “Global Cloud Computing Scorecard,” 2013; USTR, National Trade Estimate, 2013; Nymity, “Sectoral
and Omnibus Privacy and Data Protection Laws,” 2012; Bevitt et al., “Dealing with Data Breaches,” 2012; and FTC,
“FTC Becomes First Enforcement Authority,” July 26, 2012.
characteristic of U.S. privacy law is the targeted enforcement of privacy requirements by
the Federal Trade Commission (FTC), the Department of Health and Human Services,
and other federal and state regulators.
In fact, based on the activist role of privacy
regulators, and other aspects of the U.S. system, researchers have found a strong regime
of “privacy on the ground” in the United States, notwithstanding the lack of an omnibus
By contrast, the EU has a regionwide Data Protection Directive, with national
implementing laws in all EU jurisdictions.
It allows the transmission of EU personal
data to third countries only if the country is deemed to provide an adequate level of
protection by reason of domestic law or international commitments.
Commission has found that only a handful of non-EU countries have adequate
protections (table 5.2).
Moreover, although the EU has a regionwide directive, each member state enacts its own
implementing laws. These laws can vary greatly, creating inconsistency and
unpredictability for firms seeking to transfer data within the EU and on to third
Industry representatives state that addressing the “fragmentation,
inconsistency, redundancy and procedural complexity” caused by different national data
For example, the Attorney General of California and Amazon, Apple, Google, Hewlett-Packard,
Microsoft, and Research in Motion recently reached a voluntary agreement that establishes a set of standards
to improve privacy protections in mobile applications. Harris, “Privacy on the Go,” January 2013, 4; see also
FTC, “FTC Staff Comments,” January 2011, 2, and Digital Trade Coalition, written comments to USTR,
May 10, 2013, 3.
“Privacy on the ground” means how corporations actually manage privacy and what motivates them.
Bamberger and Mulligan, “Privacy on the Books and on the Ground,” 2011, 247; Wolf and Maxwell, “So
Close, Yet So Far Apart,” Summer 2012, 9.
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the
Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of Such
Wolf and Maxwell, “So Close, Yet So Far Apart,” Summer 2012, 9.
European Commission, “Decisions on the Adequacy of Protection of Personal Data,” n.d. (accessed
May 6, 2013).
Wolf, written testimony to the USITC, March 7, 2013, 3; U.S. government officials, interview by
USITC staff, Washington, DC, March 19, 2013; industry representatives, interviews by USITC staff, San
Francisco, CA, April 16, 2013.
protection requirements within the EU should be a priority of the Transatlantic
Trade and Investment Partnership (TTIP) negotiations.
Another comprehensive approach to privacy regulation is found in the Asia-Pacific
Economic Cooperation (APEC) Privacy Framework, endorsed by APEC members in
The framework includes nine high-level principles governing the collection, use,
and handling of personally identifiable information.
According to the USDOC’s
Internet Policy Task Force, it is a useful model for groups of countries with common
values but sometimes divergent policy frameworks.
Countries identified as having
privacy regimes that are generally compatible with the APEC framework are listed in
Witnesses at the Commission’s hearing stressed the importance of achieving
“interoperability” among countries’ varying privacy regimes.
In contrast to
harmonization, interoperability assumes that while there are different privacy approaches,
the outcomes generally will be similar and thus should be entitled to mutual
More specifically, privacy interoperability requires that organizations take
on binding obligations to protect private information based on established criteria; that
there are mechanisms to enforce these obligations; and that regulatory agencies can
depend on each other to ensure that these obligations are honored when data travels
around the world.
Without this mutual recognition, there is the potential to cause substantial damage to
consumer trust in the Internet; to erode business opportunities for data-related
innovations, for example, in the areas of analytics and Big Data; and to raise costs for
businesses complying with multiple divergent standards.
regulatory complexity often favors large incumbent firms over new entrants and small
firms. SMEs have reported that they do not have the regulatory expertise and resources
Digital Trade Coalition, written comments to USTR, May 10, 2013, 7; The Internet Association,
written comments to USTR, May 10, 2013, 8.
APEC has 21 member economies: Australia, Brunei, Canada, Chile, China, Hong Kong, Indonesia,
Japan, Korea, Malaysia, Mexico, New Zealand, Papua New Guinea, Peru, the Philippines, Russia, Singapore,
Taiwan, Thailand, the United States, and Vietnam.
These principles are as follows: preventing harm, notice, use collection limitation, choice, security
safeguards, integrity, access and correction, and accountability. Harris, “The APEC Cross Border Privacy
Rules System,” March 2013.
The USDOC’s Office of the Secretary, with the assistance of the National Telecommunications and
Information Administration, the Patent and Trademark Office, the National Institute of Standards and
Technology, and the International Trade Administration, has created an Internet Policy Task Force to conduct
cybersecurity, and innovation in the Internet economy. USDOC, Internet Policy Task Force, “Commercial
Data Privacy,” 2010, 55–56. Updates on the work of the task force are published on its website
As noted in the Citi submission: “[a] primary goal of any regulatory scheme concerning cross border
data processing should be the establishment of global interoperability of national legal and regulatory
requirements.” Citi, written submission to the USITC, March 14, 2013, 6.
USITC, hearing transcript, March 7, 2013, 138 (testimony of Edward Gresser, Globalworks
Foundation); USITC, hearing transcript, March 7, 2013, 109–10 (testimony of Joshua Meltzer, Brookings
Institution). Harmonization efforts aim for a higher level of similarity among regulatory approaches.
USITC, hearing transcript, March 7, 2013, 60, 107–8 (testimony of Martin Abrams, Centre for
Information Policy and Leadership).
USITC, hearing transcript, March 7, 2013, 60, 107–8 (testimony of Martin Abrams, Centre for
Information Policy and Leadership); industry representatives, interviews by USITC staff, April 16, 2013, San
Francisco, CA; industry representatives, interviews by USITC staff, April 18, 2013, Redwood City, CA.
necessary to navigate the complex privacy landscape, noting particular problems with
nontransparent and subjective privacy rules at the EU member state level.
Interoperability Challenges: The U.S. and EU Systems
Interoperability is also more likely to be obtainable than harmonization because of the
different cultural and legal starting points on privacy across countries.
In the United
States, for example, the use of personal information is generally permitted unless a law
prohibits it; this is due in part to strong protections for freedom of expression and
By contrast, the EU generally prohibits the collection and processing of
personal data unless a law explicitly permits it.
The EU does not consider the U.S. data protection framework adequate, mainly because
it is based on sector-specific legislation and self-regulation rather than an omnibus law.
To enable continued data flows between these two major trading partners, the EU has
approved a Safe Harbor provision, which requires eligible U.S. firms to certify
compliance with various EU data-handling requirements (box 5.5).
Although the Safe Harbor Framework is seen as providing a valuable mechanism for data
transfer between the EU and United States, firms reportedly face ongoing problems
navigating the broader EU privacy landscape:
Different EU member states implement the EU Data Protection Directive
differently, causing uncertainty and increasing costs for U.S. and EU firms. The
European Commission has estimated that this variation costs European firms
2.3 billion euros (approximately $3 billion) each year.
estimate is not available for the burden on U.S. firms, although anecdotal
evidence suggests that the EU’s privacy regime, and particularly nontransparent
differences across member states, impose substantial costs, especially on
The EU has recognized that there is a need to update its Data Protection
Directive to provide a regionwide regulation applicable in the same way in each
member state and address other shortcomings.
Industry representatives, interviews by USITC staff, April 16, 2013, San Francisco, CA; industry
representatives, interviews by USITC staff, April 18, 2013, Redwood City, CA.
Notwithstanding divergent starting points, both the U.S. and the EU approaches are grounded in the
Fair Information Practice Principles, which form the core of the 1980 OECD privacy guidelines and focus on
empowering people to control their personal information as well as ensuring adequate data security. USITC,
hearing transcript, March 7, 2013, 61 (testimony of Martin Abrams, Center for Information Policy
USITC, hearing transcript, March 7, 2013, 60 (testimony of Martin Abrams, Center for Information
Policy Leadership); Wolf and Maxwell, “So Close, Yet So Far Apart,” Summer 2012, 8.
The EU approach is predicated on the idea that privacy is a fundamental human right; thus the
collection and processing of all personal data should be regulated.
Wolf and Maxwell, “So Close, Yet So Far
Apart,” Summer 2012, 9.
Wolf and Maxwell, “So Close, Yet So Far Apart,” Summer 2012, 10.
For their part, EU firms may be subject to the regulatory jurisdiction of the FTC and other
enforcement authorities with regard to their handling of U.S. personal data.
European Commission, “How Will the EU’s Data Protection Reform,” 2012.
Industry representatives, interviews by USITC staff, April 16, 2013, San Francisco, CA; industry
representatives, interviews by USITC staff, April 18, 2013, Redwood City, CA; Digital Trade Coalition,
written comments to the USTR, May 10, 2013.
Wolf and Maxwell, “So Close, Yet So Far Apart,” 2012, 10; Microsoft, written comments to the
USDOC, December 6, 2010, 3.
BOX 5.5 Elements of the U.S.-EU Safe Harbor provisions and data protection requirements
The U.S.-EU Safe Harbor Framework went into effect in 2000. It is a voluntary framework, administered by the
USDOC’s International Trade Administration. General elements include these:
To join the Safe Harbor, U.S. firms must undertake to comply with specific privacy principles in the areas of
notice, choice, onward transfer, data integrity, security, access, and enforcement.
Compliance with the Safe Harbor framework enables the transfer of personal data from the EU to the United
States across industrial sectors. Exceptions include financial institutions and telecommunications common
carriers, which are governed by different rules.
Over 3,700 U.S. companies have self-certified to the Safe Harbor Framework requirements since its
implementation (not all of these certifications remain current). More than 70 percent of these companies are
Other approaches for compliance with EU Data Protection requirements include:
“Model Contracts,” which are standard contractual clauses that EU authorities approve and must be included
in agreements that involve the transfer of personal data outside the EU; and
“Binding Corporate Rules (BCRs),” which are a set of policies that apply to intra-company transfers of data
worldwide, and not just to the United States.
o The review and approval process for BCRs has proven to be time-consuming and costly. To date,
fewer than 50 companies have had BCRs approved by the relevant authorities across EU member
o Given the substantial compliance costs, large multinational companies generally are the only ones
that have availed themselves of BCRs.
Sources: Wolf, written testimony to the USITC, March 7, 2013, 3; USDOC, Office of Technology and Electronic
Commerce, “Comparing the U.S.-EU Safe Harbor Framework,” March 7, 2013; Lamb-Hale, written testimony to the
House Energy and Commerce Subcommittee, September 15, 2011.
U.S. companies involved in cloud computing and social networking have faced
particular challenges with regard to their business models and privacy practices,
often as a result of different requirements and interpretations across EU member
o For example, the USDOC recently had to issue “clarifications” on how
the Safe Harbor Framework should be applied to cloud computing
service providers to rebut more stringent interpretations being articulated
by data protection authorities in EU member states.
o Social network providers reportedly are classified as data controllers
under the EU Data Protection Directive, making them subject to
obligations that potentially conflict with their basic business models.
For example, data controllers are required to minimize their collection of
data to a level that is “adequate, relevant, and not excessive.”
social networking platforms focus on collecting the most data possible
from users to create rich and highly accurate profiles that facilitate
information sharing among users, thereby enhancing the value of the
Tensions between the Directive’s requirements and the social
USDOC, “Clarifications Regarding the U.S.-EU Safe Harbor Framework,” April 2013.
Martinez and Pardillo, “Impact of Privacy Regulation,” 2012, 135.
See chapter 2 for a discussion of social networking websites.
networking business model have spurred EU efforts to revise and update
its regulatory framework.
New Approaches to Privacy and Data Protection in the United States and
Both the United States and the EU have proposed fundamental changes to their privacy
and data protection regimes. The Obama Administration has proposed a new privacy
framework, which includes a Consumer Privacy Bill of Rights and the development of
enforceable industry codes of conduct through a multi-stakeholder process led by the
USDOC. The proposal also includes a commitment to interoperability between different
countries’ privacy regimes through mutual recognition of different frameworks.
Government and industry privacy experts who support enactment of a baseline U.S.
privacy law state that it would foster the free flow of data by clarifying the ground
rules and increasing interoperability at the international level, where the EU framework
has held sway in the absence of a U.S. omnibus law.
For its part, the European Commission has proposed a new privacy framework that would
replace the 1995 directive. The U.S. and EU proposals are similar in their focus on
“privacy by design,” meaning that privacy considerations should be built into every stage
of product development and that those who collect and use personal data should be held
accountable and obtain informed consent.
Language in the EU proposal that provides
for a “one-stop shop” for data protection, and that brings more interoperability across
member states, also has been favorably reviewed by U.S. firms.
The proposals differ substantially, however, in their approach to enforcement. The United
States places continued importance on voluntary and flexible codes of conduct, subject to
enforcement by regulators. By contrast, the EU proposal contains broad new consumer
rights—the right to have data deleted (the “right to be forgotten”) and to move data from
one service to another (“data portability”)—that are not part of existing or proposed U.S.
Industry representatives have noted problems with these proposals; for example,
the right to be forgotten reportedly is inconsistent with the data backup and
synchronization services that cloud computing providers guarantee to their customers.
The EU proposal is also more stringent in the area of data breach notification. The laws
of 46 U.S. states, as well as the laws of several countries, reportedly mandate notification
in the event of a data breach (table 5.2). However, the EU proposal would impose fines of
up to 2 percent of a firm’s annual global revenue—an amount that many stakeholders
consider to be unreasonable, given the uncertainty and discretion surrounding the draft
Martinez and Pardillo, “Impact of Privacy Regulation,” 2012, 138.
White House, “Consumer Data Privacy,” 2012, 31; Wolf and Maxwell, “So Close, Yet So Far
Apart,” 2012, 11.
Kerry, statement to the U.S. Senate Committee on Commerce, Science, and Transportation, June 29,
2011, 3–5; Torres, “The New Frontier,” February 22, 2013; U.S. government official, interview by USITC
staff, Washington, DC, March 19, 2013. However, within the framework of the TTIP negotiations, some
industry representatives highlight the strength of the existing U.S. regime and state that there should be no
presumption of substantial changes in U.S. or EU law. The Internet Association, written comments to the
USTR, May 10, 2013, 7; Digital Trade Coalition, written comments to the USTR, May 10, 2013, 10–11.
Wolf and Maxwell, “So Close, Yet So Far Apart,” 2012, 11.
Allan, “Facebook Views on Privacy,” 2013, 143; Digital Trade Coalition, written comments to the
USTR, May 10, 2013, 7–8; The Internet Association, written comments to the USTR, May 10, 2013, 8.
Allan, “Facebook Views on Privacy,” 2013, 143.
Industry representative, interview by USITC staff, San Francisco, CA, April 16, 2013.
There remain substantial differences in the latest privacy proposals in
the EU and United States.
The Internet facilitates access to large amounts of content that would otherwise be
difficult, if not impossible, to access, contributing to innovation and creativity. On the
other hand, it also creates opportunities for significant intellectual property theft and
Digital content representatives who testified at the Commission’s hearing
identified Internet piracy as the most damaging barrier to digital trade in their industry.
By contrast, Internet intermediaries focused on the chilling effect that overly broad or
unpredictable legal obligations can have on their ability to deliver valuable services.
Digital content representatives also have recognized the importance of clearly defined
liability guidelines. An ongoing challenge for governments is facilitating a balance
between IPR protection and online commerce and innovation, in an era of rapidly
changing technologies and business models.
Digital Content Representatives Identify Piracy as the Single Most
Damaging Trade Barrier
Innovative software and digital content companies that rely on copyright, trademark,
patent, and trade secret protections report that effective IPR protection and enforcement
are critical to their economic success and growth.
Conversely, IPR infringement or
piracy is identified as the “single-most damaging barrier and impediment to digital trade”
because it “undercuts legitimate services, harms investors in content production, and
cheats law-abiding consumers.”
Specific examples were provided at the Commission’s
hearing (box 5.6).
Determining the size and scope of Internet-enabled IPR infringement is extremely
challenging; infringing files are traded online, and websites offering counterfeits are
launched and accessed, countless times each day. As a result, estimates of online
infringing activity often represent only a small snapshot of the total, although even the
snapshots suggest extremely large volumes of IPR-infringing content online.
example, an analysis of Internet traffic commissioned by NBC Universal found that
approximately 99 percent of BitTorrent traffic on peer-to-peer (P2P) networks is
Rand, “Privacy and Data Protection,” 2013, 66; Wolf, written testimony to the USITC, March 7,
2013, 4; Digital Trade Coalition, written comments to the USTR, May 10, 2013, 12–13.
For example, the White House has noted that U.S. companies, law firms, academia, and financial
institutions are increasingly experiencing cyber-intrusion activity against electronic repositories containing
valuable trade secrets and other data. White House, “Administration Strategy on Mitigating the Theft,”
February 2013, 1; Meltzer, “The Internet, Cross-Border Data Flows,” 2013, 8. The following sources contain
a more extensive discussion of cybercrime and cybersecurity issues: Verizon, “Data Breach Investigations
Report,” 2013; Mandiant, “APT1: Exposing One of China’s Cyber Espionage Units,” 2013; Norton, “2012
Norton Cybercrime Report,” 2012.
LeDuc, written testimony submitted to the USITC, March 14, 2013, 4.
IIPA represents the publishing, business software, entertainment software, independent film and
television, motion picture, music publishing, and recording industry associations. IIPA, written submission to
the USITC, February 28, 2013, 7; RIAA, written submission to the USITC, February 28, 2013, 7; MPAA,
written submission to the USITC, March 15, 2013 (“The most immediate, most pernicious impediment and
threat to the digital offerings of audio-visual content is the theft of that content”).
USITC, China: Effects of Intellectual Property Infringement May 2011, 2-13 to 2-14.
BOX 5.6 IPR infringement-related barriers to digital trade
Representatives of the music, publishing, software, and movie industries reported the following IPR infringement-
related barriers to digital trade:
Foreign web sites that facilitate infringement
RIAA categorizes different types of infringing sites as follows:
o Hubs that enable users to upload content to “lockers” accessible to others, including Rapidgator,
Turbobit, DepositFiles, and PutLocker;
o P2P networks such as The Pirate Bay;
o Infringement directories that are dedicated to increasing access to infringing content;
o Search applications that enable users to search for content and then link to sites where it can be
illegally obtained; and
o Streaming sites that provide on-demand and unauthorized access to copyrighted materials.
Book and journal publishers report taking action against foreign sites offering an “Internet library” of more
than 400,000 unauthorized copies of e-books in 2012. The sites made the e-books available for free
downloading, reportedly earning more than $10 million annually for the sites’ operators in Ireland from
advertising, subscriptions, and donations.
The entertainment software industry reports two emerging problems in particular: the online theft of “digital
entitlements,” such as game keys and virtual currencies, and the establishment of unauthorized servers that
use the publishers’ digital assets to host unauthorized game play.
Songwriters and music publishers, who are overwhelmingly small businesses, report that the inability to take
down infringing online content on foreign sites substantially undermines their ability to collect royalties.
The movie industry reports that one of the leading sources of infringing copies of audiovisual works online is
their illegal recording in theatres.
End-user software piracy
This type of business software piracy includes the installation of software on multiple computers beyond the
terms of a license, as well as client-server overuse, in which more than the authorized number of
employees have access to a program. The software may be obtained from online or offline sources.
Unauthorized software installation onto PCs, mobile devices, and media boxes
Manufacturers and dealers reportedly install illegal copies of software, movies, music, television
programming, and other creative materials on Internet-connected devices.
Circumvention of technological protection measures (TPMs)
TPMs are intended to ensure that works made available in the digital and online environments are not easily
stolen. However, there are reportedly entire business models built around providing devices or technologies
to circumvent TPMs.
Sources: IIPA, written submission to the USITC, February 28, 2013; BSA, written submission to the USITC,
February 28, 2013; Association of American Publishers (AAP), written submission to the USITC, March 14, 2013;
Entertainment Software Association (ESA), written submission to the USITC, March 7, 2013; National Music
Publishers’ Association, written submission to the USITC, February 28, 2013.
copyright content being shared illegally.
An economic consulting firm, Frontier
Economics (on behalf of the Business Action to Stop Counterfeiting and Piracy),
estimated the value of digitally pirated music, movies, and software (not the actual losses
resulting from the infringement) at $30–$75 billion in 2010, growing to $80–$240 billion
Envisional, An Estimate of Infringing Use, 2011, 2 (estimate excludes pornography distributed over
these mechanisms). P2P networks and BitTorrent are defined in the glossary.
Frontier Economics, “Estimating the Global Economic and Social Impacts,” February 2011, 5; IIPA,
written submission to the USITC, February 28, 2013, 8.