Data Security on Both Sides of the Atlantic

Privacy and Technology Expert Kurt Wimmer Discusses Policy Differences Between U.S. and the EU at European Legal Studies Center Event
New York, October 1, 2014—Tensions between how the United States and the European Union envision data security complicate compliance for firms wishing to operate in both markets, said Kurt Wimmer, U.S. chair of Covington & Burling’s privacy and data security practice, in a Sept. 24 talk at Columbia Law School hosted by the European Legal Studies Center.
“There are different philosophies,” said Wimmer, who spent several years focused on EU data protection law as managing partner of his firm’s London office. “In the EU privacy is looked at as a fundamental human right, while U.S. constitutional law tends to see it solely as privacy from government.”
Wimmer explained that the EU has pursued data security systematically, as a matter of broad principles, while U.S. federal law has tended to emerge in reaction to crises. U.S. law is more stringent in protecting certain areas like financial and health information, while less concerned with how companies utilize users’ data.
“Some say that the EU trusts government and not companies, while the U.S. trusts companies and not government,” Wimmer said.
Issues of federalism also complicate privacy law on both sides of the Atlantic. In the EU, directives go to each member state, which interpose standards into variegated national laws, while the absence of federal privacy legislation in the U.S. has led to a patchwork of state laws that supplement specific areas covered by federal statute.

Wimmer said that many companies, including some of his clients, want one set of data security principles on which to base all of their global activities. He predicted that, in years to come, the U.S. will pursue a federal privacy law.

“I think there will be legislation eventually,” Wimmer told students in the packed lecture hall, “but most of you will probably be seasoned lawyers by then.”