Text and photography by Christian Ernhede
Following the ruling of the European Court of Justice (ECJ) in October 2015 invalidating the Safe Harbor agreement which allowed for the transfer of personal data to the United States, the negotiations between the European Commission and the U.S. Department of Commerce on a new “safer Safe Harbor” as promised by Commissioner Věra Jourová in October have been intense. The deadline for reaching an agreement was set for 31 January 2016 with a plenary meeting of the Article 29 Working Party of national data protection authorities scheduled for 2 February. While having missed the deadline, the Commission announced a new deal marketed as the “EU-U.S. Privacy Shield” on the same day as the Article 29 Working Party met.
Throughout the negotiations, the United States has maintained their position that it already offers an adequate level of privacy protection. Commissioner Andrus Ansip indirectly confirmed that he is of the same opinion at the press conference introducing the EU-U.S. Privacy Shield by referencing the progress made by the United States following President Obama's speech on mass surveillance in 2014. Contradictorily, the ECJ ruling is clear in its dismissal of the privacy protection offered in the United States. Peter Swire, privacy expert at the Georgia Institute of Technology and former adviser to the Clinton and Obama administrations, however believes that a fundamental error in the ECJ ruling is that it did not take into account aspects of U.S. privacy protection that are absent in the EU. While there may be some logic to that interpretation, Max Schrems, the privacy activist who brought the case to the ECJ dismisses the criticism. “I think many of the protections in the United States are great but they are not available to me [as a European]”.
Max Schrems, the Austrian privacy activist who brought the case against Facebook.
A key aspect that the new framework thus aims to address is the lack of access to justice for Europeans in the United States. The proposed measures varies depending on whether it concerns companies mishandling data, use by law enforcement agencies, or for national security purposes. Most controversial in the context is likely to be issues concerning U.S. national security where privacy protection will be ensured by an ombudsperson. According to the Commission, the ombudsperson will be independent from the intelligence services and will report directly to the Secretary of State. Additionally, the ombudsperson will work in the context of existing U.S. oversight mechanisms such as the Inspector-Generals, and the Privacy and Civil Liberties Oversight Board. Mr. Swire claims that secrecy is one of the fundamental strengths of privacy protection in the United States. “We have people with top security clearance that evaluate legal compliance”, and he points out that this does not happen in the EU. In this context the ombudsperson is a welcomed addition but questions remain on the level of insight that the new ombudsperson will have, and to what extent any potential infringements will be shared with European counterparts given that the Commission itself is not privy to discussions concerning national security.
Likewise, the Judicial Redress Act would give Europeans the possibility to bring civil actions under the U.S. Privacy Act against U.S. law enforcement agencies. The Judicial Redress Act is in doubt however with an amendment introduced at the last moment before the vote in the Senate Judiciary Committee adding the exemption that “to qualify as a covered country, a foreign country must permit commercial data transfers with the United States and may not impede the national security interests of the United States.” In addition to delaying the bill by sending it back to the House of Representatives, the added exemption can also serve as a limit on EU national data protection authorities to interfere on issues concerning U.S. national security or lose the rights afforded by the Redress Act.
Justin Antonipillai, Deputy General Counsel at the U.S. Department of Commerce and a member of the U.S. negotiating team says that while “we have great respect for the thought put into the case by the European Court of Justice, in 15 years there is no record of companies not meeting privacy obligations. What is the problem?” To the U.S. negotiators, it is not about the Snowden revelations, but about “focusing on the [confirmed] facts” as pointed out by Mr. Antonipillai. The U.S. trump card in the negotiation process was thus arguably their categorical refusal to recognise any privacy infringements revealed by Snowden. The ECJ however made it clear that the Snowden revelations were an important consideration in its conclusion. Robert Litt, General Counsel at the Office of the Director of National Intelligence and another member of the U.S. negotiating team clarifies the position of the United States on indiscriminate surveillance of every internet user. “We're not interested, we couldn't do it even if we wanted to, and we have better things to do.” In response to the Snowden allegations, he added categorically that “the suggestion that the NSA is sweeping up everything is false. End of discussion.”
Mass surveillance is thus another aspect that is clouded by obscurity. According to Mr. Swire, U.S. security personel have no direct access to individual data but only to the results presented by algorithms that filter out irrelevant information. The number of people ultimately affected by U.S. snooping after filtering is thus “not mass surveillance and indiscriminate” according to Mr. Swire. Mr. Schrems however points out that it boils down to terminological differences. “We are talking about mass surveillance but have different understandings. In Europe, tapping into the cable is mass surveillance.” When questioned for this article, the Commission failed to clarify whether the promised written assurances that the United States “do not carry on indiscriminate mass surveillance of Europeans” included a clear definition of mass surveillance. A lack of such a definition is not surprising given the urgency of the deal, but it is a worrying indication that the EU-U.S. Privacy Shield is but another bureaucratic house of cards built on a mistaken understanding of fundamental terms.
Mr. Litt would be one of the best-placed people for clarifying any misunderstandings but he was reluctant to offer more concrete information on how U.S. surveillance work, and added that it is not appropriate to discuss security service methods with the Commission due to the fact that it is not taking part in the national security debate. That the negotiating teams where facing difficulties in reaching a deal under those circumstances is unsurprising, but it is remarkable that the Commission now says that the United States offers adequate privacy protection given that they are not privy to discussions concerning surveillance.
According to Mr. Schrems however, the challenges to reaching a watertight deal go deeper still. “The commission is bound by the court ruling and the Department of Commerce by national security and none have the authority to make a deal”. If the consequences of a restriction to data transfers between the United States and Europe and a balkanisation of the internet is not daunting enough, Mr. Swire thinks that the implications might be further reaching still. “There would be a renewed debate about a trade agreement if there is a complete ban on transfers of data to the United States”. But Mr. Schrems is categorical in his condemnation of the business practices of the large internet companies based in the United States. “They are used to not follow EU law.” Unfortunately, the legal limbo is likely to remain until another court case on the new EU-U.S. Privacy Shield reaches the ECJ.