The US government has reacted sharply to the ECJ advocate general’s recent opinion on the EU-US data sharing agreement Safe Harbour, criticising its “numerous inaccurate assertions about intelligence practices of the United States”.
Despite the blow from the court’s advisor Yves Bot, the US Mission to the EU said in a statement on Monday (28 September), “We are optimistic that our discussions will conclude soon with a positive outcome for both sides.”
Bot published his opinion last week (23 September) calling the Safe Harbour agreement legally invalid, because of the “large-scale collection” of EU citizens’ personal data in the US, where they don’t have judicial protection.
Companies have been able to transfer data from Europe to the US by drawing on the Safe Harbour agreement—provided there’s adequate privacy protection for the data.
The US dismissed Bot’s charge that data protection in the US is inadequate because of the country’s intelligence agencies. In his legal opinion, Bot specifically mentioned Edward Snowden’s 2013 revelations about the US government’s surveillance of data transferred from other countries.
“The United States does not and has not engaged in indiscriminate surveillance of anyone, including ordinary European citizens,” the US government replied yesterday.
“The PRISM program that the Advocate General’s opinion discusses is in fact targeted against particular valid foreign intelligence targets, is duly authorized by law, and strictly complies with a number of publicly disclosed controls and limitations.”
Snowden’s leaks unmasked the US National Security Agency’s PRISM programme, which broadly intercepts general online communications, including those of US and EU citizens, not just security suspects and foreign military targets.
The European Commission is renegotiating a new Safe Harbour agreement with the US, which the US Mission praised for its “important privacy and trade benefits”.
An ECJ decision on Safe Harbour is expected later this year.
With Safe Harbour hanging by a thread, the Commission is working on other data sharing agreements with the US and pushed through the ‘umbrella agreement’ earlier this month.
That agreement, which the Commission promoted as ‘restoring trust’, will allow US and EU law enforcement agencies to share data if they abide by certain restrictions and privacy safeguards. The umbrella agreement has to be approved by the European Parliament before going into effect.
A connected bill that would give Europeans the right to take legal action against US government bodies that violate their data protection rights is now awaiting a vote in the US Senate. The House of Representatives’ Judiciary Committee approved the bill last week. US citizens already have similar legal rights in the EU.
Congressman Jim Sensenbrenner, who introduced the Judicial Redress Act in the House of Representatives earlier this year, emphasised that the bill could patch up lost trust between Europe and the US on data sharing.
“As we continue to work through the complexities of security and privacy protection on a national and global scale, it’s imperative we keep lines of communication and cooperation open with our European Union allies,” Sensenbrenner told EurActiv.
“Although there is work to be done, legislation such as the Judicial Redress Act, which is currently being considered in the US House of Representatives, helps bridge the gap between nations while promoting safety, security, and trust among allies.”
Several MEPs have signaled that they want US Congress to pass the Judicial Redress Act before they sign off on the umbrella agreement.
Large American technology companies have spoken out in favour of the Judicial Redress Act, including Google and Facebook, which is at the centre of the Safe Harbour case before the ECJ. Last week, another group of tech organisations endorsed the bill, including the tech industry lobby Computer & Communications Industry Association.
Existing European rules on data protection were adopted in 1995, when the Internet was still in its infancy.
In January 2012, the European Commission published a vast legislative package aimed at replacing the existing rules and giving greater protection to personal data across the EU.
The package includes two legislative proposals: one general regulation on data protection (directly applicable in all the member states) and one directive specifically aimed at data protection in the police and the justice systems (to be transposed into national law).
Since then, the data protection debate took a new twist with revelations about US eavesdropping activities.
Whistleblower Edward Snowden revealed in 2013 that the NSA had secret wide-reaching authority to snoop on emails and internet communications using a data-mining programme called Prism.
European politicians reacted angrily to the news and called for stricter measures to ensure privacy.