EU-US in collision course on privacy

DISCLAIMER: All opinions in this column reflect the views of the author(s), not of EURACTIV Media network.

Edward Snowden, seen on a screen via satellite from Moscow, Russia, speaks during a press conference about a new campaign to persuade US President Barack Obama to pardon him for violating the United States' Espionage Act in 2013 by leaking classified documents in New York, New York, USA, 14 September 2016. [Justin Lane/EPA/EFE]

For seven decades, the United States and Europe have been moving in different directions on the right to privacy and these days, a major clash on the issue is now very much in prospect, writes Dick Roche.

Dick Roche is a former Fianna Fáil politician. He was the minister of state for European affairs when Ireland conducted the two referendums on the Treaty of Lisbon of the European Union, in 2008 and 2009.

In 1950, the Council of Europe’s Convention on Human Rights provided “everyone has the right to respect for his private and family life, his home and his correspondence” – wording very similar to the Fourth Amendment of the US Constitution.

With the arrival of the internet,  the EU sought to set standards for data security and privacy in the 1995 European Data Protection Directive.

A right to the protection of personal data was enshrined in Article 8 of the Charter of Fundamental Rights in 2000. The EU set a global gold standard for protecting privacy in the 2018 General Data Protection Regulation (GDPR).

Since the 1950s US lawmakers have moved in the opposite direction. US agencies were granted Orwellian powers to intrude on individual privacy. President Truman established the National Security Agency (NSA) in 1952 at the height of the Red Scare.

Operating with little oversight through the 1960s and 1970s the NSA expanded its list of perceived enemies of the state, adding anti-war activists, civil rights leaders, including Dr Martin Luther King, journalists, at least two US Senators, Muhammad Ali and John Lennon.

Following the Watergate scandal a Senate Committee, chaired by Frank Church, one of the Senators who had been under NSA surveillance, released a damning report chronicling repeated infringements of protections contained in the US Constitution by the NSA.

In response to the Church Committee’s revelations, the Foreign Intelligence Securities Act (FISA) was enacted in 1978.  The Act created the Foreign Intelligence Surveillance Court to oversee requests for surveillance warrants and prevent abuse. The Act was extensively overhauled in 2008.

But FISA did not halt the abuse. In December 2005 The New York Times revealed that the NSA was still intercepting Americans’ phone calls and emails without the necessary warrants.

The following year an AT&T technician revealed that web browsing requests and other electronic communications sent through AT&T networks were automatically copied to the NSA, again without any warrants.

In May 2013, Edward Snowden, a contract employee of the  NSA, released 1.5 million documents material to The Guardian and The Washington Post revealing an extraordinary range of US domestic spying activities.

The Snowden revelations attracted worldwide attention but did not bring reform.  They did however prompt the privacy campaigner Max Schrems to lodge a complaint, in June 2013, with the Irish Data Protection Commissioner (IDPC) seeking, in essence, to prohibit Facebook transfer any of his data to the US.

Mr Schrems’ complaint has resulted in two critical judgements in the Court of Justice of the European Union (CJEU) which have the power to fundamentally alter the way electronic data is transferred between Europe and the US.

In the first of the cases, the  CJEU found that data transferred to the US could be collected by US agencies without EU citizen’s “benefiting from effective judicial protection” and  ruled that arrangement put in place by the US authorities and the EU Commission, called Safe Harbour, were invalid.

The court also directed that European Data Protection Commissioners should decide whether the “transfer of data of Facebook’s European subscribers to the US should be suspended”.

Following the Court’s decision, revised transfer arrangements, fancifully titled “Privacy Shield”, were agreed between the EU Commission and US officials.

While that process was underway, Mr Schrems was invited by the IDPC to reformulate his Facebook complaint He did so and it too was referred to the CJEU.

On 16 July 2020, the CJEU issued its judgement in the Schrems II case. In robust language the court highlighted concerns about the intrusive possibilities of surveillance in US law; suggested the controls in US law are inadequate to protect EU data subjects from becoming a target for US surveillance and struck down Privacy Shield finding it “impossible to conclude” that the arrangements could ensure the level of protection guaranteed by the GDPR.

The Court confirmed that EU Commission’s Standard Contractual Clauses (SCCs) could still be used when transferring data to third countries. However, it emphasised that the body exporting the data must, on a case-by-case basis, verify that the data is protected to the level guaranteed by GDPR, a very high bar for companies exporting data to the US.

The Schrems II judgement led to the IDPC serving notice on Facebook to suspend European data transfers to the US. Facebook immediately appealed the order to the Irish High Court to halt the proposed order. The Court decision is due in a number of weeks.

The Trump administration response to the CJEU judgement was dismissive.   The US Department of Commerce (DOC) issued a White Paper examining what it termed the issues “that appear to have concerned the ECJ in Schrems II.

It outlined changes made in the US privacy safeguards since the Snowden revelations that “the ECJ neither considered nor addressed”.

A statement from the Deputy Assistant Secretary for Services at the DOC accompanied the White Paper.

It warned “the ECJ’s ruling has generated significant legal and operational challenges for organizations around the world at a time when the ability to move, store, and process data seamlessly across borders has never been more crucial”, recalled that European nations also conduct intelligence gathering activities and pointed out  that cross border data flows “underpin the $7.1 trillion transatlantic relationship.”

Concerns about the judgement threatening the trillion transatlantic relationship were repeated by US Secretary for Commerce, Wilbur Ross, in early November 2020. Mr Ross said the Trump administration was actively working with Europe to find a solution.

Since President Biden assumed office US and EU Commission officials have continued to search for another “workaround” that would allow data transfers to continue. But it is hard to see what another workaround can achieve. The markers set out in the Schrems II judgment are clear.

The key problem that has to be resolved is not deficiencies of ‘Privacy Shield. The matter of fact is that US surveillance laws are based on an approach that is antithetical to the privacy structure put in place in Europe. And US responses to date provide little room for confidence that that reality is recognised in Washington.

Subscribe to our newsletters