A report on the IAPP data protection conference in Washington DC

Article by Dr. Sebastian Kraska (attorney at law, external Data Protection Officer).

From March 7-9, 2012, the annual IAPP (International Association of Privacy Professionals) conference took place in Washington DC. More that 10,000 privacy professionals worldwide belong to the IAPP. Some 2,100 privacy professionals took part in the Washington conference, where they exchanged views on various global data protection issues in a series of workshops held over three days.

Opening speeches: Comparing the US and Europe

The opening speeches that were held by Jeff Jarvis and Brad Smith placed a special emphasis on the different regulative approaches taken by Europe and the US. While, in the US, the citizens basically think that data protection focuses on the issue of what the state is permitted to do with its citizens’ data, in Europe, under the term data protection, the focus is more on what companies are permitted to do with consumers’ personal data. It is precisely when the various drafts for new data protection regulations are compared that another fundamental difference surfaces: while the trend in Europe is to pursue an “opt-in” concept (data processing is only permitted with proper legal permission or the affected party’s consent), the US prefers an “opt-out” concept (data processing is basically always permitted with mandatory notification obligations and options to delete data and to object to data processing).

Data protection: Part of the US regulation world

On the whole, the size of the event showed how much importance is, in fact, attached to the issue of data protection in the US and which professional data protection structures are implemented there. For example, one product presented at the event was a whole series of software products to support American privacy professionals in their daily work.

US focus: “Data breach notifications”

The talks held on “data breach notifications” formed another focal point (in Germany, this is known through Section 42a of the Federal Data Protection Act as the “Obligation to notify in case of unlawful access to data by a third party”). In the US, a relatively dense body of regulations exists, which in part varies by state, and explains who needs to be notified in the event of data loss and what additional measures need to be adopted. The upshot is that US companies are increasingly relying on encryption technology and on the early implementation of data protection guidelines in company process landscapes.

Key topics: Cloud computing, the EU Data Protection Regulation and “BCRs”

In my personal opinion, the events held on the following issues were the main focus of this year’s meeting:

  • Cloud computing (“Privacy Compliance in the Cloud—12 Myths and Facts,” speech by Prof. Dr. Lothar Determann (Partner, Baker & McKenzie LLP) and Ms. Barbara Cosgrove (Chief Security Officer, Workday, Inc.), “Global Cloud Computing: Preventing a Digital Trade War” and “Selecting a Cloud Service Provider”)
  • The draft of the EU Data Protection Regulation (“Advanced Topics in European Privacy” and "EU Legislative Update")
  • Binding Corporate Rules (“BCRs”) (“Binding Corporate Rules: We’ve Come a Long Way, Baby!”)

A complete overview of what took place at the event can be found here.


The annual IAPP conference serves as an industry meet-up for data protection professionals worldwide and provides a forum to exchange ideas and information. It was interesting to see the different views the various cultures had on the importance and on the contents of data protection regulations in an international context. We can eagerly look forward to seeing if the EU and the US are able to reach a compromise on the issue of data protection, and if they reach a compromise, then on what the contents of the compromise will be (especially on key topics such as “application area” and “enforceability”). In my opinion, based on what I saw at the IAPP conference, the assumption that the US would generally not address the issue of data protection is an inaccurate one.

Get advice now

Call-back service


Arrange a consultation