US Internet rights bill 'clearest' ever on data privacy

Mr Kerry, who was appointed by President Obama in 2009, was in Brussels where he met Justice Commissioner Viviane Reding, who herself published proposals to revise the EU Data Protection directive in January.

Meanwhile, the mobile phone industry has responded to the draft regulations in the EU and US, with the international regulator GSMA launching a new set of privacy guidelines for mobile phones applications at the industry’s annual congress in Barcelona on Tuesday (27 February).

Europe’s biggest mobile phone companies, including Deutsche Telekom, Orange, Telefónica, Telenor Group, TeliaSonera and Vodafone, have promised to immediately implement the guidelines, which include provisions giving users the right to withdraw consent for using their data, along with details about what data will be accessed by apps, how it will be used, and for how long.

In a step which is similar to the European Commission’s proposal to establish the ‘right to be forgotten’ - giving users the right to demand the deletion of their data - the GSMA states that users “should be offered the ability to deactivate their account, and must be able to delete their accounts, resulting in complete removal of all personal information.”

Anne Bouverot, Director General of GSMA, claimed that the new privacy guideline would “help preserve the trust and confidence of users as they navigate this new world of applications.”

She added that the new rules would “put users first” and allow them to “exercise choice and control” over the use of their personal data.

The move is the latest attempt at self-regulation by the mobile phone industry, amid rising criticism from policy-makers and the public about the lack of effective data protection. It also comes just days after a judgement by the Attorney General of California which will require mobile apps to post privacy policies.

In addition to the users email address and contact list, the latest smartphones also collect personal photos and the user’s location, all of which is gathered to a single ID number.

A recent survey by online campaigning group the Future of Privacy Forum estimated that 60 percent of all mobile apps do not have a privacy policy that notifies consumers what parts of their personal data are accessed by apps. Meanwhile, a study by TrustE and Harris Interactive found that 95 percent of all apps lack a privacy policy.

The US Privacy Bill of Rights shies away from the ‘right to be forgotten’ provision in the new Data Protection directive published by Commissioner Reding, but it does see citizens having the right to correct data, for example on personal credit information, and the right to withdraw their consent to data being used.

Kerry admitted that twenty years after its creation it was clear that Internet “self-regulation alone is not enough” but added that he did not want the US to take “a prescriptive approach”.

Although the privacy bill of rights marks a clear step away from what Kerry described as the “hands off” approach taken by previous US administrations, it is set to involve more business involvement and be less ‘top-down’ than the Commission’s draft directive.

Unlike the Commission proposal which proposes the creation of a new European Data Protection Board to enforce the data regime, Kerry indicated that the White House intends to beef up the role of the Federal Trade Commission (FTC) rather than create a new government agency.

The White House bill is expected to reach Congress within the coming weeks, with Mary Bono Mack, the Republican Chair of the House of Representatives subcommittee on Commerce and Trade, set to start hearings on the bill in March. However, Kerry indicated that if Congress does not back legislation the administration would bypass Congress and set up a formal code of conduct with its own enforcement regime.