There is a basis to work from. The United Nations Guiding Principles on Business and Human Rights states that every country has a duty to protect individuals from abuse by business and other third parties. In addition the UN General Assembly adopted a resolution 68/167 which expresses deep concern at the negative impact that surveillance and interception of communications may have on human rights and affirmed that the rights held by people offline must also be protected online, and called upon all States to respect and protect the right to privacy in digital communication. So far so good but although it is not hard to agree with these principles their application is far more difficult.

Some suggest that the EU’s consensual style of politics is poorly placed to deal with the problem – being too protectionist, focusing too much on controlling the data and not on managing the users. Others point out that this is because regulators are obliged to deal with legacy legal systems and governance structures bound by geographic borders at a time when the world has moved on. Certainly the current European model is designed to help existing market leaders adapt to change and collaborate with challengers. Brussels is taking a tough stance on privacy, increasing fines, placing requirements on organisations for obtaining consent and creating a “data protection by design” obligation. The US on the other hand is more open to creative disruption. China and India veer to the European approach. In a multicultural, multi-lingual environment there is a lot to be said for this as only the well-established companies can afford the time, money and resources to work with regulators to identify the challenges and opportunities ahead.

Despite some important differences, the privacy frameworks in the United States and those countries following the EU model are both based on the Fair Information Practice Principles. The European approach, based on a view that privacy is a fundamental human right, generally involves top-down regulation and the imposition of across-the-board rules restricting the use of data or requiring explicit consent for that use. The United States, in contrast, employs a sectorial approach that focuses on regulating specific risks of privacy harm in particular contexts, such as health care and credit. This places fewer broad rules on the use of data, allowing industry to be more innovative in its products and services, while also sometimes leaving unregulated potential uses of information that fall between sectors.

Going forward, the US is keen to encourage bilateral engagement with the European Union, Asia Pacific Economic Cooperation (APEC), and Organization for Economic Cooperation and Development, and with other stakeholders, to collectively take stock of how existing and proposed policy frameworks will address big data. It also aims to strengthen the U.S.-European Union Safe Harbor Framework, encourage more countries and companies to join the APEC Cross Border Privacy Rules system, and promote collaboration on data flows between the United States, Europe and Asia through efforts to align Europe’s system of Binding Corporate Rules and the APEC CBR system.