Privacy Shield Reaffirmed, but Hypocrisy Reigns
The European Commission on October 18 affirmed that the U.S.–EU Privacy Shield agreement that allows European personal information to be transferred to certain firms in the United States can continue. That’s a Very Good Thing: a positive decision was not a foregone conclusion given many Europeans’ jaundiced view of the Trump administration’s approach to civil liberties.
But a thought experiment: What would have happened had the Commission decided otherwise? And do other countries, like China and Russia, also measure up? If not, what does that imply?
Background[1]
Europeans are in many ways more sensitive than Americans about who has access to their personal information, as many had lived under authoritarian regimes. They are therefore proud of the strict rules they have adopted to safeguard privacy, enshrined in the European Union’s Data Protection Directive of 1995 and the new General Data Protection Regulation (GDPR, which enters into force in May 2018). The legislation broadly defines the personally identifiable information that is protected, and narrowly constricts what others can do with such information. For instance, firms must obtain explicit consent for any processing of an individual’s data or for transferring it to other parties.
The EU understandably wants to protect the personal information of its people outside the EU as well. Both the Data Protection Directive and the successor GDPR thus prohibit the transfer of personal data from the European Union to any country outside the EU, unless that country provides “adequate” protection for such data. In the absence of such a determination, personal data can only be transferred to third countries if the individual provides explicit personal consent, or if there are other protections under contract or binding corporate rules.
Only five countries outside Europe have “adequate” levels of protection: Argentina, Canada, Israel, New Zealand, and Uruguay. The United States as a whole is not considered “adequate,” in part because it does not have a general data protection law.
Safe Harbor and Privacy Shield
To get around this, the United States and the European Union in July, 2000 concluded the U.S.–EU “Safe Harbor” agreement, under which the EU Commission gave a partial adequacy ruling for companies in the United States that adhere to certain obligations on handling Europeans’ personal data.[2] At its height, some 4,500 companies participated in Safe Harbor.
Concerned about reports that the National Security Agency (NSA) was spying on data held by companies, including those in the Safe Harbor program, the European Court of Justice (ECJ) in October 2015 ruled the Safe Harbor agreement invalid. The ECJ argued the Commission had erred in not investigating whether there were sufficient “democratic controls” over the ability of government agencies to access personal data held in the United States; the absence of such controls would violate Europeans’ “fundamental right” to data protection.
In this, the ECJ dramatically broadened the “prohibition” on the transfer of personal information to third countries. While its ruling applies only to Commission adequacy decisions, if data protection is such a fundamental right, protecting it against government intrusion must override personal consent, contracts, and binding corporate rules as well.
The European Commission and U.S. government worked feverishly to conclude, in February 2016, the “Privacy Shield” agreement to replace Safe Harbor. This effort was helped by the many steps the Obama administration and Congress took in response to the Snowden revelations, including Presidential Policy Directive 28 which explicitly curtails NSA’s ability to access data, the 2015 Freedom Act that puts constraints on bulk data collection and access to telephone records, and the 2016 Judicial Redress Act which gives Europeans the same right as Americans to contest government abuse of certain personal information in U.S. courts. On the basis of these and many other steps — including letters from the Director of National Intelligence, the Department of Justice, and the Secretary of State spelling out restrictions on intelligence and law enforcement access to data — the European Commission in August, 2016 determined that the new Privacy Shield agreement guaranteed that Europeans’ personal data would be adequately protected by firms that participated in it.
The Decision
The European Commission conducts annual reviews of Privacy Shield. This first review was particularly important, both to see how the U.S. government implements Privacy Shield, and because of the change to the Trump administration in January 2017.
Both the Commission decision and the staff document that underlies it show how seriously both sides took this review. Over the course of six months, the Commission carefully scrutinized administration acts and judicial decisions, solicited input from companies associated with Privacy Shield and nongovernmental organizations dedicated to protecting civil liberties,[3] and spent two days intensively discussing with numerous U.S. government agencies[4] — including the General Counsel of the Office of the Inspector General of the Intelligence Community — issues that had come up.
In the end, the Commission determined that the U.S. government had established strong procedures for certifying companies under Privacy Shield, that appropriate mechanisms had been established to respond to questions and complaints by Europeans about the handling of their data, and that the Federal Trade Commission and the Department of Transportation had effectively responded to these complaints.[5] The Commission was also satisfied with the new administration’s continued pledge to constrain intelligence and law enforcement access to personal data, including in particular the continued application of Presidential Directive 28.
The Commission did have some suggestions, including ensuring companies cannot claim they are in Privacy Shield until after the Department of Commerce certifies them; proactive investigation for false claims; ongoing monitoring of compliance; improved coordination between U.S. enforcement agencies and their EU counterparts; and swift appointment of a new Ombudsperson and members of the Privacy and Civil Liberties Oversight Board. Perhaps the most important recommendation was that Congress enshrines into law the protections in Presidential Policy Directive 28 when it reauthorizes parts of the Foreign Intelligence Surveillance Act that expire at the end of 2017.
The Alternative
The Commission decision to reaffirm Privacy Shield was reasonable, as are its recommendations for improvement. This ensures that normal electronic commerce can continue between the United States and Europe, at least with the Privacy Shield companies.
But what would have happened had the Commission found otherwise, or should the ECJ determine, in the case now before it, that in fact the United States does not have adequate democratic controls over U.S. intelligence and law enforcement agency access to personal data held by companies? (This would be very different from its previous decision about Safe Harbor, which turned on procedural grounds, as it found the Commission had not done its homework.)
Personal data is contained in virtually every email, commercial contract, hotel booking or casual interaction with the Internet. Without the ability to transfer personal data to the United States, the $1 trillion annual trading relationship between the United States and Europe would literally collapse, never mind the millions of family ties and friendships that would be severed. Indeed, even a finding that would prohibit the transfer of personal data to the hundreds of thousands of U.S. companies that interact with Europeans but are not in Privacy Shield would be catastrophic.
Given the importance of these ties, the U.S. government has bent over backwards to assure its European allies that the chances of personal data being “abused” by government agencies is strictly constrained — by law, Presidential Directive, independent privacy oversight boards, and independent inspectors general, including inspectors general overseeing the intelligence agencies and answerable directly to a democratically-elected Congress as well as the Supreme Court.
That’s quite a lot. Indeed, not all EU member states have such oversight structures.
But while the European focus on the United States may be understandable, given that (as top EU officials stress) many of the biggest IT firms are American, it is not the only country in the world. Thousands of Europeans go daily to Internet sites in Russia to view, for instance, sports events. And, China is now Europe’s largest foreign supplier, based on exchanges of personal information from European importers.
Russia intelligence agencies, unfortunately, have been found by the European Court of Human Rights to regularly access personal data transmitted to that country, while China was found in a 2015 report to the European Parliament as having inadequate protections for personal data even before considering questions of governmental access. Neither even pretends to have independent democratic oversight of its intelligence or law enforcement agencies; indeed both actively engage in hacking into such data in both Europe and the United States.
As the report on China rightly goes on to state, however, it would be “impractical” to prohibit data flows to China, given the immense economic relationship the EU has with it. As it would be impractical to prohibit data flows to the United States, or indeed any other country.
The Hypocrisy
The EU intent to protect privacy is admirable.
But its absolutist extension of these “fundamental right” principles to international communication and commerce, under which transfers to other jurisdictions is prohibited barring “adequate” “democratic controls” over government access to data, is simply “impractical.” And, focusing these concerns just on the United States is hypocritical.
The EU must get real. It cannot just prohibit what its citizens do thousands of times daily — send their personally identifiable information to other countries, even those that do not pretend to be democracies. It must understand that all trade depends on these data flows. The alternative — working with member state governments to educate Europeans about the risks they take in transmitting personal information abroad — requires more work. But it is the responsible way to address the issue.
[1] See also GMF’s Transatlantic Explainer: EU-U.S. Privacy Shield, September 19, 2017.
[2] These include obligation on notice (that data is being collected and how it will be used), choice (the ability to opt-out, including on onward transfers), onward transfer (only to other organizations accepting similar constraints), security (of the data collected), data integrity (relevance and reliability of the data for purpose), access (the right to correct data being held) and enforcement.
[3] Human Rights Watch, American Civil Liberties Union, Consumer Federation of America, Center for Digital Democracy, New America’s Open Technology Institute, Access Now, Electronic Frontier Foundation (EFF) and Electronic Privacy Information Center (EPIC).
[4] Commerce Secretary Wilber Ross led the U.S. side, which also included a number of officials from the Department of Commerce, the Federal Trade Commission, the Department of Transportation, the Department of State, the Office of the Director of National Intelligence (ODNI), the Department of Justice, the acting Ombudsperson (a new role created in Privacy Shield, sitting in the State Department), the Privacy and Civil Liberties Oversight Board (PCLOB) and the General Counsel of the Office of the Inspector General of the Intelligence Community.
[5] According to the staff document accompanying the EU Commission’s decision, “… very few complaints have been lodged so far with Privacy Shield companies (later specified as seven) and IRMs (independent recourse mechanisms; the report later notes that four of these were related to Privacy Shield and all were satisfactorily addressed). The FTC received three complaints referring to the Privacy Shield framework during its first year of operation. None came from the EU. The DoC (Department of Commerce) and the DPAs (EU Data Protection Authorities) did not receive any complaints. Op cit, footnote 7, pages 12-16.