The Long Road to a European-US Privacy Shield

In a decision by the EU Court of Justice, the EU-US Safe Harbor arrangement for transmitting personal information was deemed to have inadequate privacy safeguards.  The decision arose from strong objections to the surveillance of European persons conducted by NSA.  Without an arrangement to provide sufficient privacy protection, digital commerce between North America and Europe would dwindle and result in hardships for those economies.  Just four months later, Europe and the US reached a political deal called Privacy Shield with the following main elements:

  • Any US company handling human resources data from Europe has to commit to comply with decisions by the 28 European data protection authorities.  The US Department of Commerce (and the FTC) will monitor that companies publish their commitments, and publication makes them enforceable under US law.
  • The US assures the EU that the access of US public authorities for law enforcement and national security will be subject to clear limitations, that there will be safeguards and oversight mechanisms and no indiscriminate mass surveillance.  There will be an annual joint review, including on national security access.
  • Any EU citizen who feels their data has been misused can appeal for redress.  To handle complaints of access by national intelligence authorities, a new Ombudsperson will be created.

The political deal looks simple, but it contains some ambitious promises that may be impossible to make real.

NSA’s surveillance continues.  Section 702 of the Foreign Intelligence Surveillance Act Amendment permits surveillance of non-US persons.  White House Executive Order 12333 governs spying outside the US and does not prohibit collection of personal information and communications.  The executive order and the NSA’s FISA court will not be effectively jettisoned just to continue European commerce.  It is more likely that the scale and nature of national security surveillance will be an ongoing source of friction between the US and the EU.

The US Department of Homeland Security has an interest in cooperating with US firms against hacking and terrorism, especially within critical infrastructures.  The cooperation envisioned will presumably share suspicious actions and network activities, and supply the identities of suspects, when known.  One advantage of working with DHS is that such cooperation can be exempt from privacy violation lawsuits.

The British and French spy agencies are competent and usually cooperate with NSA.  Of course, lately they have remained in the shade, delighted that NSA is soaking up the international heat for privacy violations.  The other 26 European data protection authorities handle their own surveillance needs.  In each case, vestiges of nationalism and some real-world terrorism problems may cause delay and low enthusiasm for the newly proposed Privacy Shield details.  Everyone in the law enforcement and national security community needs reassurance that they will have the tools to deliver good information when their political masters demand it.  The demands for protecting the public from terrorists schooled in the Middle East surely overwhelm abstractions about commerce with the US.

As well, the EU nations (and their data protection authorities) will need to vote on the General Data Protection Regulation, designed to replace a patchwork of privacy laws across EU’s 28 member states.  That harmonization may take time, and logically should be considered in parallel with the Privacy Shield.

The Privacy Shield calls for European persons to be assured of their European rights.  European privacy expectations go much deeper and flood over public record.  For example, the “right to be forgotten” confers a right to redact your digital history, something that most in the US consider to be rewriting history — akin to a judge pretending that a defendant’s litany of earlier criminal convictions can be disregarded.  The judgements that European persons obtain in US courts may not satisfy them.

There are inherently different attitudes and approaches to enforcing public privacy protections between the US and EU.  While the EU is convinced it has correctly elevated privacy to a “right,” given the increased threat of terrorism, it may later decide that among rights, the right to life supersedes others.
