Anthony Luzzatto Gardner (London, UK)
On October 6, 2015, Joseph Daul, the influential head of the center-right pan-European People’s Party, was proudly showing me around his farm near Strasbourg. As we were inspecting his livestock and chatting about ways to increase European support for transatlantic agricultural trade, my mobile phone rang with an urgent message. The legal adviser of the US Mission to the EU was calling from Luxembourg’s European Court of Justice, the supreme court on matters of EU law. The court had just handed down a judgment effectively invalidating a critically important transatlantic data exchange agreement called “Safe Harbor.” That agreement, concluded in 2000 between the United States and the EU, enabled companies in Europe to transfer EU citizens’ personal data to the United States in a manner consistent with EU data privacy law.
Shortly after that call, I had to cut short my visit and an Alsatian meal of sausages, cabbages, and white wine in order to join a call with the White House Situation Room. This was the first in a long series of video conference calls that confined me and senior members of my staff to a windowless, airless conference room in the embassy. An army of officials from the State Department, the Commerce Department, the Office of the Director of National Intelligence, the Treasury Department and the White House staff also participated. The impact of the court judgment on transatlantic data flows was so important that President Obama received regular briefings. By early February 2016, the United States and the European Union had concluded a new data exchange agreement called “Privacy Shield.”
The case that triggered all of this frenetic activity, Schrems v. Data Protection Commissioner (better known as the Facebook case), grew out of a complaint lodged in Ireland in 2013 against Facebook by Maximilian Schrems, a 23-year-old Austrian law student. Based on recent newspaper accounts of documents leaked by Edward Snowden, Schrems alleged that Facebook had been improperly allowing the National Security Agency to access the data of its customers in the EU and, moreover, that the NSA might have accessed personal information in his own Facebook account. Why the NSA would have been interested in him remained unclear. Rather than shut his Facebook account because of these unsubstantiated fears, he complained and then sued.
Schrems had originally brought a complaint to the Irish Data Protection Commissioner (DPC), the national regulator in charge of protecting data privacy, but it had rejected the complaint as “frivolous and vexatious” on the basis that Facebook had self-certified its adherence to the Safe Harbor program. Thanks to the European Commission’s determination in 2000 that the program offered an adequate degree of data privacy protection consistent with EU law, more than 5,000 companies had self-certified their adherence to numerous principles regarding the proper treatment of EU citizens’ data. The Irish DPC ruled that it was bound by the Commission’s “adequacy” finding and could not investigate further. Schrems appealed that rejection to the Irish High Court, which in turn referred several questions of EU law to the European Court of Justice.
The Safe Harbor program was of critical importance to transatlantic data flows and hundreds of billions of dollars in commercial transactions. Participants in the program included not only Fortune 500 firms, but also many small- and medium-sized companies in a wide variety of sectors (except financial institutions, communications and insurance companies, and non-profit organizations). Many of the members were US subsidiaries of European companies. The data in question included data as diverse as human resources data, hotel bookings, people’s browsing histories, and a wide variety of business records. Not only did the program provide a much-needed “safe harbour” giving certainty about the legality of transatlantic data flows; it also provided a “one-stop shop” establishing EU-wide standards of adequacy, thereby preventing national (and, in the case of Germany, regional) data protection authorities (DPAs) from imposing their own widely divergent standards.
As dramatic as the Court’s judgment was, it had been expected for some time. Oral arguments at the Court in late March had clearly indicated the direction of travel. My legal adviser had reported from Luxembourg that the European Commission’s advocate had wilted under withering questioning from the judges. The most hostile questioning came from the German judge, Thomas von Danwitz, who had authored prior judgments striking down EU laws as incompatible with EU fundamental rights and who was tasked with writing the judgment in Schrems. The existing Safe Harbor program was flawed, the European Commission’s advocate had conceded in oral argument, and he could not confirm that it provided adequate protection for EU citizens’ data. The US, moreover, was “excessively relying” on the national security exception in the Safe Harbor Privacy Principles. Under that exception, adherence to the Principles could be limited to the extent “necessary” to meet national security requirements. The advocate pleaded for more time to conclude the ongoing negotiations to improve Safe Harbor.
The Court’s Flawed Judgment
In late September, one of the Advocates General, the senior jurists whose opinions the Court typically follows in their final judgments, had found that the Safe Harbor Agreement contravened EU law. Although we had long anticipated a negative result, we were taken aback that the Court had ruled less than two weeks after the Advocate General’s opinion; this was highly unusual, as the gap would normally be several months, and it suggested that the Court had perhaps written its judgment at the same time as the Advocate General. The latter’s opinion, released on September 23, infuriated quite a few people in the US government.
Since the Irish DPC had dismissed the complaint on its own motion, Facebook never had the chance to appear before the court. Nor did the US government have an opportunity to appear as an interested party in the Irish High Court proceedings to set the record straight; not having appeared there, it had no right to appear in the Luxembourg proceedings either. The government had understandably been reluctant to discuss its surveillance practices in public, but it now found itself in the worse position of dealing with a catastrophic judgment based on inaccurate allegations.
We knew that recent jurisprudence of the Court regarding data privacy and the EU’s Charter of Fundamental Rights would make the case hard to win. However, the Advocate General made several damaging assertions that were as sweeping as they were unfounded.
He referred to recent “revelations” in the press according to which “the NSA established a programme called ‘Prism’ under which it obtained unrestricted access to mass data stored on servers in the United States owned or controlled by a range of companies active in the Internet and technology field, such as Facebook USA.” The Advocate General accepted as fact that the PRISM program, under Section 702 of the Foreign Intelligence Surveillance Act (FISA), enabled the NSA to have access “in a generalised manner” with regard to “all persons and all means of electronic communication, and all the data transferred (including the content of the communications) [is used] without any differentiation, limitation or exception.”1
The PRISM program is one of several surveillance programs operated under FISA Section 702. (Another, called “Upstream,” enables the NSA to copy and search streams of Internet traffic as data flows across the telecommunications backbone, the network of cables, switches and routers over which telephone and Internet communications transit.) Section 702 governs the acquisition of “signals intelligence”2 within the United States, with the compelled assistance of US communications providers, in relation to non-US persons reasonably believed to be located outside the US. Unlike the United States, other countries generally do not require court oversight of foreign-intelligence surveillance of foreigners overseas.
There are several other legal authorities for surveillance programs (not at issue in Schrems and not directly relevant to the Safe Harbor discussions). The first is what are known as “traditional” FISA orders, whereby the government may obtain individual orders from a specially constituted FISA Court to conduct electronic surveillance or physical searches in the United States if it can show “probable cause” that, among other things, the target is a “foreign power or an agent of a foreign power.” These orders have never been a source of controversy with the EU because they have a high evidentiary threshold and require individualized court scrutiny.
A second legal authority is Section 215 of the Patriot Act, which permits the FBI to apply to the FISA Court for an order requiring a business to produce “tangible things” (such as books and records). The application must include facts showing reasonable grounds to believe that the “tangible things” are relevant to an investigation to obtain foreign intelligence not concerning a US person or to protect against international terrorism or clandestine intelligence activities. It requires the use of individualized “selectors” (such as e-mail addresses and telephone numbers) developed pursuant to court-approved procedures.
A third legal authority, Executive Order 12333, is the primary authority under which the NSA collects communications of foreigners outside of the United States.
The “revelations” on which the Advocate General had based his opinion stemmed from an inaccurate Washington Post story that asserted: “The National Security Agency and the FBI are tapping directly into the central servers of nine leading US Internet companies, extracting audio, video, photographs, e-mails, documents and connection logs that enable analysts to track a person’s movements and contacts over time.”3 On this basis, the Advocate General concluded that the European Commission should have terminated the Safe Harbor program because the unrestricted access of US intelligence services to data transferred from Europe to the United States constitutes “an interference with the right to respect for private life and the right to protection of personal data, which are guaranteed by the Charter.”
The edifice of the Advocate General’s reasoning was built on sand. The Advocate General had pointed out that he was required to accept the facts as stipulated by the Irish High Court and that his job was to draw legal conclusions from the case file. The problem was that the Irish High Court had concluded, on the basis of mere press clippings in the pleadings filed by Schrems, that the accuracy of his allegations regarding US intelligence surveillance was “not in dispute” and that “the evidence now available would admit of no other realistic conclusion.” The opposite was true but there was little that we could do.
Since negotiations to update Safe Harbor had not concluded by the fall of 2015, neither the Advocate General nor the European Court of Justice could take into account the significant progress that the US and the EU had achieved over the past two years. I had pressed during the summer of 2015 for an agreement to be finalized and made public, in large part because it might have had a positive impact on the proceedings. But we lost momentum, partly because the European Commission thought that the EU court’s looming judgment would maximize pressure on the US to make further concessions, especially with regard to government surveillance programs. The delay in finalizing an agreement may have been all for the best as it allowed the two sides to address the court’s sweeping criticisms comprehensively.
The working group established by the US government to deal with the brewing crisis decided, against my counsel, to respond publicly to the Advocate General through an opinion piece in the Financial Times. While I shared the general frustration, I believed it would be counter-productive for us to criticize a senior official of a foreign court. I argued that we would not take kindly to a foreign government publicly criticizing our own judicial proceedings, especially while they were still underway. Any statement, even one limited to establishing the facts, would inevitably be seen as an example of high-handedness. It certainly would have no bearing on the court’s final judgment; as it turned out, that judgment was handed down on the day following the publication of the Financial Times article.
The article, authored by the General Counsel of the Office of the Director of National Intelligence Robert Litt, was scathing. While noting that the United States “fully respect[s] the European Union’s legal process” (a phrase I urged be inserted), the article stated that the evidence demonstrated the opposite of what the Advocate General had taken on faith:
[The Prism programme] can be used only when authorised by law, in a manner that protects the privacy of all persons, and with extensive oversight from all three branches of our government. The US legal framework for intelligence collection includes robust protection for privacy under multiple layers of scrutiny and a remarkable degree of transparency. The decisions of judicial bodies should be informed by accurate information. Prism is focused and reasonable. It does not involve “mass” and “unrestricted” collection of data…4
This was not just the view of the Obama administration. The Privacy and Civil Liberties Oversight Board (PCLOB), an independent and bipartisan executive branch agency with responsibilities that include overseeing the use of “signals intelligence,” concluded in July 2014 after an exhaustive review of classified material that the PRISM program is not based on the “indiscriminate collection of information in bulk.”5 Even the EU’s own Fundamental Rights Agency appeared to agree with many experts’ conclusions to that effect.6 US intelligence services do not engage in indiscriminate surveillance of anyone, including ordinary European citizens. They do not have the legal authority, the resources, the technical capability or the desire to intercept all the world’s communications. And they are not reading the e-mails of everyone in the United States, or of everyone in the world.
Intelligence collection is governed by a system of substantive and structural standards and checks. These originate in protections for American citizens and people in the US in the federal constitution and include federal statutes, executive orders, and administrative procedures. In addition, there is extensive oversight to ensure that the intelligence community is complying with legal safeguards and processes. That oversight includes civil liberties and privacy officers, including within the Office of the Director of National Intelligence, who supervise procedures to ensure that the relevant agency is adequately considering privacy and civil liberties concerns. Each agency has its own Inspector General with responsibility to oversee foreign intelligence activities; although their recommendations for corrective action are non-binding, their reports are made public and sent to Congress. Oversight is also exercised by the PCLOB; the President’s Intelligence Oversight Board, the House and Senate Intelligence and Judiciary Committees; and the judiciary itself.
The US government does not have direct access to the central servers of Internet companies. Pursuant to the Section 702 PRISM program, the government may only serve a directive on companies in the United States to deliver information relating to communications linked to certain “selectors”—such as telephone numbers and e-mail addresses—that the Attorney General and the Director of National Intelligence have reason to believe are being used to communicate or receive foreign intelligence information. The FISA Court must approve the annual certifications, and the targeting and minimization procedures, under which such directives are issued, on the basis that collection is consistent with the statute. Furthermore, the communications requested must relate to one of several specifically enumerated and approved foreign intelligence purposes, such as combating terrorism. Companies that receive such directives may challenge them, including before the FISA Court. Once collected, the information is subject to strict procedures limiting its retention and dissemination. Declassified opinions of the FISA Court show that it does not hesitate to exercise its oversight.
The PRISM program affects a small proportion of Internet traffic. There were only 92,707 “targets” of surveillance under Section 702 (PRISM included) in 2014, a tiny proportion of the 3.2 billion people who use the Internet.7 The total number of customer accounts accessed by the US government in six-month periods in 2014 is revealing: 17,000 for Google, out of approximately 1.17 billion active users, and 10,000 for Facebook, out of approximately 1.55 billion active users.8 The Internet traffic that is collected is subject to targeted queries based on specifically enumerated intelligence requirements. Only those items believed to be of potential intelligence value are presented to analysts for examination; therefore, only a fraction of the information collected is ever seen by human eyes.
Commenting on the findings of the Signals Intelligence Review that he had requested, President Obama said in January 2014 that:
nothing that I have learned…[indicates] that our intelligence community has sought to violate the law or is cavalier about the civil liberties of their fellow citizens…They are not abusing authorities in order to listen to your private phone calls or read your emails.9
The PCLOB report subsequently confirmed that there was no evidence of intentional abuse. Both it and the administration concluded that the information collection under Section 702 is valuable and effective in protecting national security and produces useful foreign intelligence. In Europe, observers noted that the president seemed primarily focused on privacy protections for US citizens. In reality, however, the president had also specifically stated that certain protections would be extended to foreigners—perhaps an unprecedented step for any government to take.
The Advocate General’s opinion infuriated many US government officials because it had stated that US surveillance activities needed to be judged “by reference to the current factual and legal context,” while doing nothing of the sort. It had taken absolutely no account of the significant (and public) reforms in both law and practices relating to intelligence promoted by President Obama during the past two years. These reforms had included limits on collection and policies to ensure that all persons are treated with dignity and respect, regardless of their nationality or place of residence. The reforms showed how the United States is a constitutional democracy under the rule of law, with independent judicial oversight.
The President of the European Court of Justice Koen Lenaerts was at pains to point out that “We are not judging the US system here, we are judging the requirements of EU law in terms of the conditions to transfer data to third countries…”10 That was true, at least formally. The Court focused on the failure of the European Commission to provide detailed reasons for its conclusion in 2000 that the Safe Harbor program provided an adequate degree of data privacy protections. But the problem lay in the fact that the judgment was based on incorrect assumptions about the US system, based on the factual record gathered by the Irish High Court and taken as fact by the Advocate General. The judgment concluded:
“[The Safe Harbor decision] lays down that ‘national security, public interest or law enforcement requirements’ have primacy over the safe harbour principles, primacy pursuant to which self-certified United States organisations receiving personal data from the European Union are bound to disregard those principles without limitation where they conflict with those requirements and therefore prove incompatible with them. In light of the general nature of the derogation [relating to national security, public interest requirements and law enforcement requirements] … [the Safe Harbor] decision enables interference…with the fundamental rights of the persons whose personal data is or could be transferred from the European Union to the United States” which is “not limited to what is strictly necessary.” (emphasis added)
That view necessarily led, not only to the view that the Safe Harbor adequacy decision was invalid, but also to the view that national DPAs must retain their independent authority to investigate claims that transfers of data to a third country do not comply with EU law.
The judgment was extraordinary for many reasons. The facts before the Court did not show any evidence whatsoever of actual infringements by Facebook, or other US companies, of their Safe Harbor commitments. Yet it found that the Safe Harbor Agreement was invalid since its inception in 2000, thereby putting every company that had signed up to Safe Harbor at risk of lawsuits for data transfers conducted since that date. Moreover, it provided no grace period, either to give the US and EU time to conclude their agreement or to companies to find other methods of legally transferring data. (European DPAs declared shortly after the ruling that they would hold off taking enforcement action until January 31, 2016, but that they would in the meantime initiate investigations into complaints.) The massive uncertainty and economic dislocation that this caused seemed not to carry much weight in the Court’s thinking. One of the ironies of the decision was that invalidation of Safe Harbor actually left EU citizens worse off because the Federal Trade Commission would no longer have authority to police commitments made under the program. Finally, the judgment had not seemed at all sympathetic to the reality that surveillance is fundamentally different from law enforcement: Whereas law enforcement focuses on finding the perpetrator of a particular past crime and can therefore be targeted, surveillance seeks to uncover potential threats or adversaries in the future and therefore needs to collect a broader range of information.11
In reacting to the Court’s judgment, the European Commission was at pains to point out that other legal means of transferring data across the Atlantic in conformity with European privacy law continued to be available. These means included “binding corporate rules” (text approved by the competent national data protection agency for insertion into contracts governing the export of personal data to another member of the same corporate group in a non-EU country that does not provide an adequate degree of data privacy protection). They also included “standard contractual clauses” (text approved by the Commission for insertion into contracts governing the export of personal data to third parties in a non-EU country that does not provide an adequate degree of data privacy protection). But they are hardly suitable alternatives for everyone. They are expensive and time-consuming to put into place; moreover, standard contractual clauses require approval by national DPAs in some instances. A few days after the Schrems decision, the German DPAs highlighted the legal jeopardy resulting from the decision by reserving their right to challenge any data transfers occurring under either mechanism.
The European Commission also pointed out that there are other legal justifications for transferring data, including when necessary to perform a contract (the transfer of personal data to the US to conclude a hotel booking), important “public interest” grounds (including data transfers between law enforcement authorities), “vital interest” (including the transfer of medical records to save a person’s life), and the free and informed consent of an individual (for each data transfer). But these alternative justifications were very limited in scope and not available on a systematic basis.
Anger at European Double Standards
Many of us in the administration found it truly absurd that the United States’ data privacy protection regime was found wanting when data flows about EU citizens were occurring regularly to many autocratic states with unfettered intelligence services. Who seriously believes that binding corporate rules and standard contractual clauses provide any protection from the intelligence services of Russia and Iran, for example?
President Obama had voiced frustrations about the Janus-faced attitude of our allies about US intelligence:
…a number of countries, including some who have loudly criticized the NSA, privately acknowledge that America has special responsibilities as the world’s only superpower; that our intelligence capabilities are critical to meeting these responsibilities; and that they themselves have relied on the information we obtain to protect their own people.12
The Court’s judgment deepened anger in the administration about European hypocrisy. The French government, for example, is no stranger to eavesdropping, including on its close allies. According to European Commission President Jean-Claude Juncker, French President Jacques Chirac once called him minutes after a confidential call Juncker had with President Bill Clinton. Without any pretense, Chirac asked Juncker why he had said something to Clinton. “Thanks for listening in, mon ami. Turns out, it’s not always the US listening in on your phone calls.”13
The governments of four member states including Belgium (which would benefit significantly from US intelligence support a few months later during the terrorist attacks in Brussels) and the European Parliament had supported Schrems during the proceedings. None of the member states spoke out publicly to acknowledge the importance of US intelligence cooperation to keep Europe safe. As The Economist put it:
European countries’ spy agencies benefit hugely from intelligence-sharing with America about terrorism, organised crime and the activities of countries such as Russia and China. That politicians fail to acknowledge this to their own voters smacks of timidity and ingratitude.14
Moreover, many academic studies have confirmed that the laws governing intelligence gathering in many EU member states give governments greater freedom of action than US law does.15 One exhaustive report concluded that:
Given the greater level of independent judicial involvement in approving surveillance orders, the range of transparency obligations imposed by law upon the intelligence agencies, and the extensive array of oversight mechanisms in place in the US, safeguards in the US legal order are in general more protective than those in effect in the EU…16
Following the terrorist attacks in France and the UK, those countries adopted far-reaching legislation that, in the words of Michael Hayden, former director of the NSA and the CIA, “would never have seen the light of day in the American political system.”17 France’s anti-terrorism and surveillance laws make the Patriot Act look tame by comparison. These laws allow its intelligence services to capture communications to and from France by attaching “black box” filters to undersea cables. They allow the services to collect intelligence, even for French citizens on French territory, without any showing of “particularized suspicion,” or prior independent approval or judicial oversight. Moreover, the laws allow the collection of information for a wide range of purposes, including for commercial advantage in large international tenders.18 The Human Rights Commissioner of the Council of Europe, an international organization established to promote human rights, democracy and the rule of law in Europe, declared that many of the recently passed measures would fall foul of EU law because they “would be applied without any prior judicial review establishing their legality, proportionality or necessity.”19 The EU’s Fundamental Rights Agency also found that some member state laws fall short of EU requirements.20
While some member state laws clearly fall short of EU standards, the United States was de facto the sole defendant in the court (without even having representation). While member states must verify the level of protection in a third country before permitting data transfers to that destination, EU law provides that no such verification is required for transfers within the EU. During one of our interagency conference calls, I suggested that we should carry out a “reverse Schrems” operation by finding an American client of a French Internet service provider willing to file suit before the French data protection authority to allege interference with his EU data protection rights because of the powers of the French intelligence services to access Internet traffic. If that case were referred to the European Court of Justice, the cat would really be set among the pigeons. A “reverse Schrems” would have forced national intelligence services to defend their surveillance programs before EU courts and prove that they were compatible with EU law.21
EU treaties provide that “the Union shall respect [member states’]…essential State functions, including…maintaining law and order and safeguarding national security. In particular, national security remains the sole responsibility of each member State.” The 1995 Data Protection Directive provided that it did not apply to data processing operations “concerning public security, defence, State security…” The EU Charter of Fundamental Rights, moreover, makes clear that it does not extend the application of EU law, including the rights contained in the Charter, to areas beyond the powers of the Union (including State security).
In other words, the European Court of Justice could sit in judgment on whether US laws on intelligence gathering were compatible with EU law because the United States is not a member of the EU, but it might not be able to do so with regard to EU member states. It is true that the EU’s General Data Protection Regulation (GDPR) enables the Court to check, if asked to do so, whether member state restrictions on data privacy based on national security and defense justifications are “necessary and proportionate.” Time will tell whether that black letter law has practical consequences. Some officials of the European Commission told me that “infringement” cases would soon be brought against member states whose intelligence laws do not meet the standards of EU fundamental rights. But only a few limited cases have been brought, perhaps because of the enormous blowback that would ensue from a more aggressive approach. So far, therefore, what is sauce for the US goose is not sauce for the EU gander. This is a perverse result.
The Economic Consequences of the Court’s Decision
The restrictions on data flows that appeared likely in the wake of the Snowden leaks and the Schrems judgment would have had significant economic consequences. Data is the lifeblood of transatlantic (and global) commerce. Nearly every company is a digital company in the sense that it relies on a secure and open flow of data. As two experts put it:
Data is how a modern company understands and services its customers better. Data is what gives managers their understanding into what is happening around the world. And, increasingly, data is the product itself, serving as the raw material for new insights…Put simply, data and the consumption of data are not just a new natural resource – they are the key commodity in today’s knowledge-based economy…The way we use data, the speed and effectiveness with which we collect it, analyse it – and ultimately share it – will set the winners from the losers in this modern world of cheap computing power…22
The amount of data crossing the Atlantic daily is rising much faster than the exchange of goods and services: One indication of this is the 38% estimated compound annual growth rate in data-carrying capacity of transatlantic submarine cables until 2025. Digital trade is the fastest-growing segment of the global economy, representing nearly $10 trillion a year. Mobile data traffic alone grew 18 times between 2011 and 2016.23 By contrast, global trade in goods and services, adjusted for inflation, rose at an average rate of just 2.4% during the same period.24
In 2017, the US exported $204 billion of digitally deliverable services to the EU, while importing $124 billion of such services from the EU. That was only part of the picture, because much of the cross-border data flow was not picked up in international trade statistics. For instance, businesses rely on cross-border data flows to communicate internally and with customers, vendors, and suppliers, to manage global supply chains, to access software in the “cloud” (in data centers across the globe rather than on local devices) and to collaborate globally on research and development. According to one estimate, products and services relying on the transatlantic transfer of data are expected to add $1 trillion in value to the US–EU economic relationship within the 2016–2026 period.25 According to one European think tank, a serious disruption in transatlantic data flows would knock between 0.8% and 1.3% off EU GDP.26
Data storage needs have been exploding, as all this data—including pictures, documents, transaction records, and credit card details—has to be stored somewhere. Since the Internet and especially the provision of cloud-based services are dominated by US companies, many of the data servers are located in the United States. Transferring data across the Atlantic (in large part through the mechanism of Safe Harbor) has been a cheaper option than building data servers to host the data in Europe.
The lack of trust in US data privacy, triggered by the Snowden leaks, threatened to deliver a serious blow to many firms, especially in the cloud computing industry. A growing number of policy-makers around the world were mistakenly concluding that the security of data depends on where it is stored (when in fact the measures used to store it securely are far more relevant). In the decade to 2016, the number of significant data localization measures in the world’s large economies nearly tripled from 31 to 84.27 That included far-reaching legislation in Russia in 2015 and China in 2016.
Estimates in 2013 of the damage to the cloud computing industry ranged from $21.5 to $30 billion, according to one report, to as high as $180 billion, according to another report.28 Many European firms identified a terrific opportunity to win business from their American competitors and to encourage their governments to adopt protectionist IT policies. In August 2013, 30 European CEOs proposed the creation of a “Schengen zone for data” (named after the EU area of passport-free movement of people); such a zone would enable the data of EU citizens to be hosted and processed only on EU territory. In February 2014, French President François Hollande and German Chancellor Angela Merkel voiced support for the development of communications networks that would avoid overseas data transfers. In June, the French government endorsed roadmaps for cloud computing and cybersecurity that included the use of a “secure cloud label” and a preference for working with companies certified by France’s IT security agency (unsurprisingly difficult for non-French firms to obtain).
Creating walls around data threatened to kill off the global Internet and cause significant damage to growth and innovation. People now hold more information on a device in their pocket than they used to keep in their entire house. Data usage and global data transfer rates are exploding29; data is increasingly being held in the cloud. Free data flows are vital to the analysis of large pools of personal data and the extraction of insights from them to improve the services we enjoy and the quality of our lives. Restricting data flows also risked causing significant practical nuisances for consumers. In countless ways, consumers require their information to flow seamlessly across borders. Imagine how frustrating it would be if you could not complete a purchase online because your credit card information needs to be processed somewhere else; imagine having your airline reservation rejected because your passport information cannot be transmitted by the airline to the country to which you want to fly.
Nonetheless, US firms had to respond to the perceived benefits of data localization after the Snowden leaks. They were losing contracts with customers who preferred to store their information in Europe on the misguided assumption that it would be safer there than in the United States. As a result, they scrambled to keep those customers happy by building data centers in Europe: Google already had data centers in Finland and Ireland, but chose to expand its center in Belgium and build one in the Netherlands; Salesforce announced plans to open centers in the UK, France, and Germany; Apple chose to build data centers in Denmark and Ireland; Amazon did so in Frankfurt, in part to show understanding for German privacy preferences; and Microsoft committed to building new centers in the UK and expanding others in Ireland and the Netherlands.
Microsoft was also advertising a new “trustee” relationship with Deutsche Telekom, according to which the former would store data in Germany in data centers run by the latter under German law and therefore beyond the reach of US authorities. While the company explained that it was simply responding to customer demand and the reality that the global cloud was dead, some observers saw the decision as promoting the “Balkanization” of the Internet, by tacitly accepting that regions and even countries had a legitimate interest in building separate infrastructure and walling off data.
Threats to Other Key Agreements
As I arrived at my post in March 2014, it seemed that the entire well of US–EU relations had been poisoned by the fallout from the Snowden affair. The situation continued to worsen and it seemed that the Schrems judgment could be the final nail in the coffin. While the economic consequences were bad enough, the political consequences were even worse. The tensions over data privacy threatened the negotiations (in progress since 2013) to conclude a transatlantic free trade agreement (described in Chapter 4). They also threatened the 2012 US–EU Passenger Name Record (PNR) Agreement that governs the transfer to the Department of Homeland Security of information about airline passengers traveling to the US, including names, travel dates and itineraries, and contact details. (In 2017, the European Court of Justice ruled that the Canada-EU PNR Agreement had to be amended because certain provisions for the handling of personal data were not limited to what was “strictly necessary.”)
The tensions threatened to lead to problematic provisions in the GDPR under negotiation among the European Commission, the European Parliament, and the Council. One of these proposed provisions was the so-called anti-FISA clause. This clause prohibited a US company from complying with lawful orders from US courts, law enforcement, or regulatory authorities if those orders would result in the transfer of personal data of EU residents without the prior approval of a competent national data protection authority, unless the transfer was pursuant to an international agreement. That provision, thankfully amended, would have exposed these companies to an impossible conflict of laws. (The final text, however, is still problematic and is yet to be tested.) And since such international agreements were either too cumbersome or simply not available, the provision would have wreaked havoc on transatlantic cooperation in many areas such as law enforcement, antitrust, food and drug approvals, and financial services.
Two other major US–EU issues of common interest were at stake. Since 2011 we had been negotiating a Data Privacy and Protection Agreement (DPPA) to govern data exchange between US federal law enforcement authorities, on the one hand, and EU and member state law enforcement authorities, on the other, for the prevention, detection, investigation and prosecution of criminal offenses, including terrorism. Without such an agreement, data exchanges for these purposes would have to be scrutinized on a case-by-case basis to determine whether they complied with EU data protection laws. That would have been far too complex and time-consuming and would have undermined our ability to combat increasing levels of transnational crime.
The tensions also threatened to reopen prior controversies about EU data protection safeguards in the 2010 US–EU Terrorism Finance Tracking Program (TFTP) that governs the transfer from SWIFT to the US Treasury of financial transaction data for counterterrorism purposes (especially the tracking of terrorism finance). SWIFT is a Belgium-based company that operates a worldwide messaging system used to transmit financial information among banking institutions. TFTP had been established after the terrorist attacks of September 11, 2001, as a classified program and then had been converted into an international agreement between the US and the EU in 2010.
Just before my arrival in Brussels, the European Commission had ominously asked for consultations and for a review and the European Parliament had called for the suspension of the program. Terminating the program would have had serious consequences. It has provided thousands of valuable leads to US and foreign (including European) governments that have aided in the investigation and prevention of many of the most violent terrorist attacks in the past decade. In the fall of 2013 and spring of 2014, the US Treasury and the European Commission worked diligently to document the value of TFTP and reassure critics that information was being transferred to the US in strict compliance with the agreement.
Different Perspectives on Privacy
More generally, the Snowden affair deepened the view in Europe that, with regard to data privacy, Americans are from Mars and Europeans are from Venus. I cannot count how many times Europeans, especially members of the European Parliament, would lecture me that Europeans consider privacy a basic human right, while Americans do not. The strong feelings in continental Europe about data privacy are of course understandable in light of the recent history of autocratic rule, as well as human rights violations. Fortunately, the United States doesn’t share that history; it has been graced with a democracy featuring a strict rule of law and checks on executive powers. But that doesn’t mean that data privacy is undervalued, nor that the dangers of government surveillance are underestimated, in the United States, as discussed further below.
Both sides have long struggled with the difficult tension between the need for security, especially in light of the terrorist menace, and the need for privacy. This tension was dramatically highlighted in March 2016 when the FBI asked Apple to help it write software to break into an iPhone used by Syed Farook, a dead terrorist responsible for the massacre of innocent civilians in San Bernardino, California. The government had a strong case: The phone was government property because Farook had been a public employee. Apple’s help was required because the files on the phone were encrypted and the files were important to solve a serious crime. But Apple (and many other companies that wanted to provide consumers comfort about the privacy of their communications) also had a strong reason to object: Agreeing to the request would embolden other governments around the world to make similar, if not broader and more frequent, requests in the future. In the end, the government found a way to access the files without Apple’s help. Many European governments face this difficult balancing act.
It is true, however, that the cultures of privacy are distinct on either side of the Atlantic. In the United States, privacy is considered as primarily a question of liberty and is related to the rights of private property and free speech. The privacy right is intended principally to protect against intrusions of the state. In continental Europe, privacy is linked to the concepts of dignity and honor; every individual is deemed to have rights to his or her own image, name, and reputation. The privacy right is not only intended to protect against intrusions of the state, but also to protect against the intrusions of the mass media or other private companies.
One of the most notable transatlantic differences in the approach to privacy is the EU “right to be forgotten” that stems from a judgment of the European Court of Justice and is now enshrined in the GDPR. The case involved a Spaniard who complained when searches of his name on Google produced decade-old information in the Spanish press about the forced sale of his home due to social security debts. Arguing that the information was prejudicial to him and no longer relevant, he asked that Google’s search results linking to the press articles be cut. The Court agreed on the basis that the Spaniard was not a person of public interest and therefore that his “right to be forgotten” prevailed over the public’s right to outdated and irrelevant information accessed through Google search (although it did not compel deletion of the underlying press reports). There is no similar right in the United States. In a separate case decided in September 2019, the Court ruled that Google did not have to apply the “right to be forgotten” globally as demanded by France’s privacy watchdog.
The United States has no equivalent to the concept of “informational self-determination” (the right to determine what to disclose about oneself) first elaborated by the German Federal Constitutional Court in 1983. The US and the EU strike a different balance between privacy and freedom of expression: while US courts tend to give greater weight to the Constitution’s First Amendment guarantee of free speech when in tension with data privacy, EU courts tend to favor data protection over free speech.30
Notions of what should be considered private vary dramatically, of course, on either side of the Atlantic. As one expert has rightly observed, Europeans consider the American habit of talking about one’s salary or net worth to be nearly the equivalent of “defecating in public.” Americans are amused that Europeans seem so shy about talking about money, while having fewer inhibitions about taking off their clothes to sunbathe. Americans consider many practices in continental Europe to be contrary to privacy, including national ID cards; the authority of some governments to decide what names parents are permitted to give their children; the requirement (in Germany) to be formally registered with the police at all times; and the ability of some governments to conduct wiretaps with ease.31 In the United States, commercial data may generally be processed unless some law prevents it; there is wide tolerance for industry self-regulation and market-based solutions. The EU, on the other hand, takes a more “precautionary” approach that does not require any showing of risk or harm in order to regulate data processing; consumer data may be collected only under strict limitations, upon specific legal grounds, and is subject to oversight by national DPAs.
One of the reasons why many Europeans do not view US data privacy laws as providing equivalent protection to their own is that, unlike the EU, the US does not have overarching legislation (such as the EU’s 1995 Data Protection Directive, replaced in 2018 by the GDPR, and the 2002 E-Privacy Directive) providing high-standard blanket protections for personal data across all aspects of daily digital activities. This reflects the difference between civil law systems that feature unified codes and common law systems that feature a mixture of judge-made law and diverse legislation. Indeed, the US privacy landscape is confusing and difficult to articulate because it is a complex web of constitutional law, sector-specific federal statutes, state statutes, and common law rules. Nonetheless, there is a comprehensive system in the United States to regulate and protect data privacy. It is backed by broad and effective public and private enforcement in the commercial sector. There are substantial and effective safeguards, checks, balances, and independent oversight and legal redress relating to electronic surveillance conducted for national security and law enforcement purposes.
The idea of the citizen’s fundamental right to privacy has been ingrained in the US legal order for well over a century, well before that right was recognized in continental Europe. The US Constitution contains fundamental protections against searches and seizures carried out by the government of “persons, houses, papers and effects.” These measures may only be carried out under warrants reviewed by judges, who require the government to meet a high burden of proof. The Supreme Court and the federal courts have extended those rights to new technologies and new forms of communication.32 The government may not take any measures interfering with the rights of free speech, press, religion, and association. Several federal statutes, detailed further below, impose significant limits on what intelligence services may do. There are federal data privacy laws relating to the most sensitive categories of personal data, such as financial, medical, electronic communications, employment, insurance, and children’s data. The Federal Trade Commission has wide-ranging powers to protect consumers by enforcing measures prohibiting unfair and deceptive practices, including those relating to data privacy.
Moreover, there are privacy laws enforced by attorneys general in each of the fifty states; many of the states, especially California, have passed legislation covering a wide range of activity, including unconsented use of facial recognition, voyeurism, and misuse of data relating to voter registration and drivers’ licenses. In 2018, California passed the broadest digital privacy law of any US state. The law, based on many of the same principles as the GDPR, may become a model for other states and could bring about tougher federal privacy laws. Just as significant as state laws has been the growth in the United States of corporate privacy officers who have become integral to risk management, of data privacy codes of conduct in companies and across economic sectors, and of active non-governmental organizations that publicize and bring legal actions to enforce data privacy rules.
While the US approach is certainly messier than that in Europe, it provides a level of data privacy protection that is “essentially equivalent” to that guaranteed in the EU legal order. That phrase, used by the European Court of Justice in Schrems, describes the threshold for determining whether a third country offers an adequate degree of protection to EU personal data. It means that the protections in the US need not be identical to those in the EU, but rather that they be “essentially equivalent”—in practice and effect, in substance rather than form. It also means that it is unnecessary to consider whether the US has an exact, or even close, equivalent to each and every EU data privacy right. It is the entirety of the protections afforded under the data protection regime that is relevant.33 These conclusions provided the intellectual framework for the negotiations to replace Safe Harbor with Privacy Shield, and they also informed the judgments of US negotiators about how far to stretch to ensure Privacy Shield would survive legal challenge.
Negotiating the Deal
When US and EU negotiators sat down to negotiate a new deal, it was clear that we had to meet the requirements set forth in the judgment of the European Court of Justice. The most problematic area was clearly going to be government surveillance. The Court had set forth several critical requirements. Surveillance measures must be based on clear and precise legal authority. There must be minimum safeguards against risks of abuse and unlawful access by public authorities. For example, the amount of data collected or retained must not exceed what is necessary to accomplish the purpose of the surveillance and cannot be generalized or indiscriminate; there must be effective executive, legislative, judicial and expert oversight of the measures; and the public should be informed about surveillance laws and have some opportunity to have legal redress.
The US negotiators urged that the totality of the data privacy protections before, during and after the acquisition of personal data had to be considered. The key was to consider the entire regime relating to surveillance, including its authorization, the practice of targeting “selectors” (such as e-mails and telephone numbers), the procedures aimed at limiting the acquisition, retention and dissemination of data, access by individuals to the raw data and the multiple layers of oversight to ensure compliance with procedures. The right to individual redress (such as to the courts) was an important, but not the determining, factor in and of itself.
US negotiators also stressed the importance of privacy rights “on the ground” rather than merely “privacy on the books.” While evaluating the “essential equivalence” of the US and European data privacy regimes, US negotiators repeatedly urged their European counterparts to consider the reality of how these regimes were being enforced in practice, rather than simply what the law said on paper. As one exhaustive study concluded: “the EU legal order on surveillance reflects variety and wide discretion as to the necessity of surveillance and the safeguards to limit interference with rights and freedoms.”34 US data privacy rights should only be compared to an EU benchmark that reflects the range of discretion that exists in practice. The rules and procedures in the United States regarding the authorization and conduct of surveillance fall within that range.
US negotiators resisted any suggestion that US data privacy laws and practice had to be judged against the idealized version in EU law and court judgments, rather than the reality of European data privacy “on the ground.” They were aware of the risk that the European Court of Justice would hold us to that idealized standard; but, at the end of the day, there was no way that the United States would make legislative reforms to its intelligence laws to ensure 100% compliance with each and every EU data privacy right on paper. The political reality was that we and the European Commission had to accept at least some risk that Privacy Shield would be successfully challenged.
Despite all the challenges detailed above, the United States and the European Union managed to work through them. Legislative actions and executive branch reforms regarding data privacy during 2013–2015 played an important role in defusing transatlantic tensions caused by the Snowden leaks. The US and the EU negotiated a Privacy Shield Agreement that significantly improved Safe Harbor and in the process they deepened their mutual understanding of their data privacy regimes. The European Commission made a significant contribution by overcoming opposition from the European Parliament and by bringing the member states on board. The DPPA was concluded and the TFTP and PNR Agreements were safeguarded. These were remarkable achievements that set the foundation for important future work to build further data privacy bridges across the Atlantic.
Two legislative actions, both promoted by the Obama administration, were of particular significance. The first was the USA Freedom Act, passed by Congress with a large majority and on a bipartisan basis in June 2015. That legislation addressed the conclusion in the PCLOB’s prior review of US data privacy laws that the government’s bulk collection of “metadata”—including numbers calling and being called, and the date, time and duration of calls—was bad policy and not vital for national security. “Metadata” does not provide the content of any conversations, the identity of parties to conversations, or location information. Prior to the statute, NSA employees could query the metadata to obtain that detail once FISA Court judges had issued a general order authorizing the bulk collection; now the database can only be queried after judicial approval or in the case of a true emergency. Moreover, the “metadata” will be destroyed after five years.
These limitations on bulk collection were significant to the Privacy Shield negotiations. In the EU legal order, even the initial acquisition of data involves the processing of that data and is therefore subject to data protection limitations. In the United States, on the other hand, the government does not consider the initial acquisition (conducted by automated means) to be processing and therefore subjects it to fewer limitations than the subsequent steps of storage and human consultation. Executive branch reforms announced by President Obama to US surveillance programs and subsequent legislative reforms in the Freedom Act proved that the United States would use bulk collection only when appropriate and with appropriate respect for individual privacy. That gave the European Commission comfort that Privacy Shield would not be successfully challenged in court on the ground that it failed to meet EU legal standards applying to bulk collection.
The Freedom Act provided that intelligence services could only query telephone numbers if they were no more than two steps removed from a number associated with a terrorist organization. It guaranteed the right of major Internet service providers (such as webmail and social network providers) to publish detailed statistics about the number of requests from the government to deliver information relevant to national security investigations. And it codified the administration’s efforts to systematically declassify significant opinions of the Foreign Intelligence Surveillance Court whenever practicable and authorized the creation of a group of independent experts to brief the Court on important cases.
The Judicial Redress Act, passed by Congress with a large majority and on a bipartisan basis in early 2016, was the second key legislative reform. It sought to address the EU’s longstanding complaint that the United States collects large amounts of personal data on Europeans but that US law does not grant them the same rights as US nationals to seek judicial review of complaints concerning misuse of such data. The discrimination rankled because rights of redress in EU data protection law are equally available to EU and other foreign nationals.
I am proud of my role in the passage of this statute. In May 2014, I flew to Washington to meet with Presidential Counselor John Podesta in the White House to explain why the issue had become of “totemic” significance in the general effort to restore transatlantic trust. John was the perfect person to lead an interagency effort to explore whether the discrimination could be fixed by legislation because he was the point man on privacy issues and big data in the White House and was an astute observer of transatlantic affairs. Most experts on legislative affairs at the White House thought that the chances of any legislation passing Congress at that time were low due to very contentious relations between the two political parties. It was unlikely that the administration would expend much political capital to promote legislation for which there was no apparent domestic constituency and that would be perceived as giving the Europeans a “present.” But Podesta immediately appreciated how passage of the legislation could help unblock progress on many issues of transatlantic importance, including free trade, Privacy Shield and law enforcement.
After a very lengthy, and often contentious, interagency review, we managed to gain consensus in favor of new legislation to amend the 1974 Privacy Act. That amendment provides that citizens of certain designated foreign countries now have the same rights as US citizens under the Privacy Act with regard to personal data transferred under the DPPA on data exchange between law enforcement authorities. Specifically, with respect to such data, EU citizens are now able to access and correct information about themselves; seek and obtain administrative remedies where a request for access to, or correction of, information is denied or information is otherwise improperly processed; and seek and obtain judicial redress in US federal courts for privacy violations. In order to benefit from the Judicial Redress Act, a foreign country or regional grouping (like the EU) must not adopt data transfer policies that “materially impede” the national security interests of the US and must cooperate with the US on the exchange of commercial and law enforcement data.
On top of these legislative reforms, there were other important actions by the executive branch during 2013–2015 that enabled the US and EU to overcome the serious tensions around data privacy. Presidential Policy Directive (PPD) 28 of January 17, 2014 and the President’s speech of the same day introducing it are historic documents.35 They were the result of the recommendations of an experts’ group on intelligence and communications technologies, constituted six months earlier, as well as consultations with the PCLOB.
PPD-28 created new limitations on the use of bulk collection of signals intelligence. US intelligence agencies could only use such data to meet specific security requirements: counterintelligence, counterterrorism, counter-proliferation, cybersecurity, protection of US and allied troops, and combating transnational crime, including sanctions evasion. In no event could signals intelligence collected in bulk be used for the purpose of suppressing or burdening criticism or dissent; disadvantaging persons based on their ethnicity, race, gender, sexual orientation, or religion; or affording a competitive commercial advantage to US companies. The last point was particularly relevant in the case of transatlantic relations because of the prior press reports that US and UK intelligence agencies had targeted the communications of foreign businesses and of the European Commissioner in charge of antitrust policy.36 Moreover, signals intelligence had to be as “tailored as feasible”; that determination should be based in part on the availability of alternative information sources, including diplomatic and public sources, which should be prioritized.
PPD-28 also defused the serious tensions caused by allegations that the NSA had been eavesdropping on the communications of foreign leaders, including German Chancellor Angela Merkel. In his speech, President Obama stated that:
the leaders of our close friends and allies deserve to know that if I want to know what they think about an issue, I’ll pick up the phone and call them, rather than turning to surveillance…I have made it clear to the intelligence community that unless there is a compelling national security purpose, we will not monitor the communications of heads of state and government of our close allies.
PPD-28 was also notable because it made the protection of privacy and civil liberties rights of persons outside the US an integral part of US surveillance policy. In his speech, the President noted that “people around the world, regardless of their nationality, should know that the United States is not spying on ordinary people who don’t threaten our national security, and that we take their privacy concerns into account in our policies and procedures.” PPD-28 provided that “All persons should be treated with dignity and respect, regardless of their nationality or wherever they might reside, and all persons have legitimate privacy interests in the handling of their personal information” (emphasis added). US intelligence activities must, therefore, include appropriate safeguards for the personal information of all individuals “regardless of the nationality of the individual to whom the information pertains or where that individual resides” (emphasis added).
The directive also put into place express limits on the retention and dissemination of personal information about non-US persons collected by signals intelligence, comparable to the limits that apply to US persons. Importantly, signals intelligence about the routine activities of foreign persons may not be disseminated as “foreign intelligence” by virtue of that fact alone unless it is otherwise responsive to an authorized foreign intelligence requirement. PPD-28 did not require the intelligence community to apply identical procedures to information of US and foreign persons. Nonetheless, these were extraordinary changes because few, if any, spy agencies around the world constrain their activities beyond their borders; few provide any privacy rights to non-nationals within their borders.
While these legislative and executive branch actions were important to getting Privacy Shield across the finish line, significant enhancements to the prior Safe Harbor program were also fundamental. Critics alleged that many companies had made false claims about their compliance with the program and that enforcement had not been as robust as it should have been. For many years, critics had pointed out—with justification—that Safe Harbor needed to be updated and fleshed out with far more detail. It had been issued in 2000 and based on a 1995 EU Data Privacy Directive, practically at the dawn of the Internet age. The rules were simply not adequate in an era of exploding use of data, due in part to nearly ubiquitous mobile devices connected to the cloud, and due to the increasingly sophisticated tools of intelligence agencies grappling with the pressures of combatting more violent and transnational threats.
The Commission’s Safe Harbor decision concluding that data transferred to the US pursuant to the program would provide an adequate level of protection consistent with EU law was all of three pages long. The European Court of Justice unsurprisingly concluded that the decision barely contained any reasoned analysis at all to substantiate its “adequacy” finding. Since that finding, the European Commission had not considered the evolution in the US legal system relating to the safeguards for privacy and data protection.
Responding to public pressures triggered by the Snowden revelations and amplified by the European Parliament and the national data privacy authorities’ working group, the European Commission issued 13 recommendations to improve Safe Harbor. Eleven of these recommendations were commercially focused and not particularly controversial.
The Privacy Shield contains numerous improvements compared to Safe Harbor with regard to commercial transfers of data. These include stricter obligations on self-certified companies, for example, regarding notices and disclosures that they are required to provide, limitations on how long a company may retain personal data and the conditions under which data can be shared with third parties outside the Privacy Shield framework. They include more regular and rigorous monitoring by the Department of Commerce, including verifying the completeness of self-certifications, conducting periodic compliance audits and referring cases of abuse to the FTC. And they provide enhanced opportunities for EU persons to obtain redress.
The final two recommendations were far thornier because they concluded that restrictions on data privacy justified on the grounds of national security (and enabling US intelligence collection) had to be significantly tightened.
Through many tortuous rounds of negotiations, the European Commission’s negotiating team pressed the United States to provide more and more information about how its intelligence collection works in practice. We realized, of course, that the Commission’s “adequacy finding” would have to provide detailed reasoning about why US intelligence collection is consistent with EU fundamental rights. We were willing to provide information, but we certainly weren’t going to alter intelligence practices or allow a direct negotiation between US intelligence services and the EU. The necessary information was therefore contained in letters from the General Counsel of the Office of the Director of National Intelligence to senior officials at the Department of Commerce (and annexed to the “adequacy finding”).
The European Commission concluded on the basis of these submissions that US law contains significant limitations on such access, storage, and use (including dissemination) of personal data. It also explained why oversight and redress mechanisms provide sufficient safeguards that such data is protected from unlawful interference and risk of abuse. In particular, PPD-28 gave the European Commission comfort that the United States is applying principles that respect the EU law concepts of “necessity and proportionality” in the collection of intelligence: Targeted collection is prioritized, while bulk collection is limited to (exceptional) situations where targeted collection is not possible. When bulk collection is used, it is accompanied by safeguards to minimize the amount of data collected and to limit subsequent access to such data exclusively to the pursuit of legitimate national security purposes. The European Commission’s review also detailed the various levels of executive, legislative, judicial, and independent agency oversight of intelligence activities.
Criticism of the Deal
Critics of Privacy Shield immediately pointed out that PPD-28 is an order from the president rather than legislation and, as such, may be revoked by any of President Obama’s successors. While that is true, a presidential order still has the force of law, in the sense that it is binding on the intelligence services, until it is revoked or amended. Interestingly, the Trump administration has not done so despite having revoked many other directives of the prior administration. Critics also correctly pointed out that the two letters of the General Counsel merely reviewed existing US legislation and procedures and did not therefore amount to binding commitments. They reserved their strongest criticism, however, for the limited powers of the Ombudsperson at the US Department of State. The Ombudsperson is a new role that the United States agreed to create (with strong encouragement from me and the US Mission to the EU) in order to bolster individual rights of redress.
US and EU negotiators knew that Privacy Shield would be challenged before the European Court of Justice, sooner rather than later. A very strong case could be made that the rules and procedures governing the collection, and preventing the misuse, of data by intelligence authorities would meet the high standards of EU law; but it would be harder to show that the remedies available, in the event of breach, would meet those standards.
Many rights under the Constitution (including with regard to unlawful “search and seizure” under the Fourth Amendment) do not apply to non-US citizens. Although EU citizens do, in principle, have possibilities to seek judicial redress in US courts when they have been the subject of unlawful (electronic) surveillance for national security purposes, the European Commission concluded that the available causes of action are limited in practice. US federal courts have on occasion concluded that individuals (including foreigners) have “standing” (a judicial doctrine requiring a plaintiff to show sufficient direct interest to bring a lawsuit). But the European Commission worried that the doctrine is a significant obstacle for EU citizens seeking meaningful judicial redress.
There are multiple other avenues available to EU citizens, including under the Electronic Communications and Privacy Act, to seek judicial redress for unlawful surveillance.37 But the EU considered them partial at best because it is unlikely that an EU (or other foreign) national would ever discover that he has been subject to US government surveillance. We needed to come up with some additional mechanism to provide a form of redress that would, on the one hand, be tolerable for our intelligence services and, on the other, satisfy EU requirements.
The Secretary of State, therefore, appointed an Ombudsperson at the State Department to ensure that individual complaints are properly investigated and addressed. In every case, the Ombudsperson will respond by stating either that US laws have been complied with or that any non-compliance has been remedied. A complainant does not have to demonstrate that his personal data have in fact been accessed by the US government (something that is obviously difficult to do). The Ombudsperson is entitled to rely on the cooperation of US intelligence authorities but remains independent from them. Secretary Kerry appointed as Ombudsperson an undersecretary who was already serving, under PPD-28, as a central point of contact for foreign governments wishing to raise concerns regarding US intelligence activities. The undersecretary was also responsible for keeping the European Commission abreast of changes in policies and procedures limiting access by intelligence and law enforcement authorities to personal data, as well as for participating in the annual review of Privacy Shield.
Critics have claimed that the Ombudsperson mechanism is insufficient to remedy the problem of inadequate judicial redress for EU citizens, according to standards of EU law to be applied by the European Court of Justice. Additionally, the role is enshrined in a letter from Secretary John Kerry to European Commissioner Věra Jourová and subsequently published in the Federal Register. It is not clear that a court would find such a letter to have any binding effect even though it is a communication at very senior levels of government. Critics have also argued that the Ombudsperson is not sufficiently independent of the executive branch; it does not constitute an independent tribunal; it is not permanent; it does not issue reasoned decisions or grant compensation; and it is not subject to judicial review. The powers of the Ombudsperson are limited: He or she will only confirm that a complaint has been properly investigated and that either US laws and procedures providing limitations and safeguards on intelligence collection have been satisfied or that any non-compliance has been remedied. Critically, the Ombudsperson will neither confirm nor deny whether the individual has been the target of surveillance nor will he or she confirm any specific remedy that has been applied.
These criticisms, however, fail to give due appreciation to the fact that the Ombudsperson mechanism is the first time ever that a country has created a body to deal specifically with complaints from foreign citizens regarding intelligence activities that affect them. I doubt that any EU member state, including the UK and France, will ever do the same.
The history of the Privacy Shield negotiation demonstrates that, despite the occasional frictions, the United States and the European Union were able to deepen mutual understanding of their data privacy regimes. As a result of the negotiations, the parties were able to put into place a new data exchange agreement that improved protections for EU citizens’ data when transferred to the United States. In anticipation of an inevitable challenge before the EU courts, the European Commission was also able to articulate in detail why it considers that Privacy Shield and the US data privacy regime provide protections equivalent to those in the EU legal order. Privacy Shield has also been a commercial success, demonstrated by the fact that nearly 4000 companies (large and small) have certified their compliance.
Fortunately, the Trump administration has preserved Privacy Shield even though it is the product of the Obama administration. After entrusting a junior official within the State Department with the role of Ombudsperson on a temporary basis, the Trump administration finally appointed an undersecretary on a permanent basis in June 2019. The two-year delay in doing so was one of the major criticisms of Privacy Shield in the first two annual reviews conducted by the European Commission. In late 2018, the administration also appointed members to the PCLOB, a critical oversight body discussed earlier and one of the key reasons why the European Commission had issued its “adequacy finding.” The board had been operating without a quorum and had therefore been unable to function since early 2017. Its report on the implementation of PPD-28 provided the European Commission with confidence that the directive’s privacy protections for non-Americans were being implemented across the US intelligence community. Moreover, the US Commerce Department has increased its proactive oversight of the framework, including by conducting spot checks on companies to verify whether they comply with Privacy Shield principles. Finally, the Federal Trade Commission has also demonstrated a more proactive approach to enforcement.
Despite this good news, Privacy Shield will remain vulnerable to the possibilities that future presidents may dilute or even revoke PPD-28 and that they may fail to ensure that the Ombudsperson carries out its functions with independence and effectiveness. It will also remain vulnerable to the possibilities that privacy watchdogs like PCLOB do not receive the funding or manpower to carry out their functions or that Congress dilutes the privacy restrictions on intelligence surveillance that were put into place during the Obama administration. From the moment it was approved, Privacy Shield (and other mechanisms for transatlantic data privacy flows) has been the subject of numerous legal challenges.
Privacy Shield may not be a durable solution to the important task of building transatlantic data privacy bridges. At the time this book went to press, the EU courts were scheduled to deliver judgments that may have a significant impact on transatlantic data flows. In one case, the European Court of Justice is considering several questions referred to it by the Irish High Court in a second complaint filed by Maximilian Schrems (Schrems II). That complaint alleges that data transfers to the US using standard contractual clauses breach EU law. The Irish High Court had the benefit of hearing from many expert witnesses in US privacy law. Unlike the Schrems I case, the US government decided to intervene in Schrems II to try to set the record straight for the Irish High Court and subsequently for the EU courts. Although the Irish High Court’s factual findings were nonetheless highly critical of US privacy practices and seemed likely to result in an unfavorable judgment, an opinion by the advocate general suggests that the European Court of Justice may find standard contractual clauses to be valid. A second case brought by a French advocacy group challenging the legality of Privacy Shield was postponed until after the judgment in Schrems II.
US and EU negotiators felt that there is a strong basis on which to conclude that the provisions in Privacy Shield, coupled with US data privacy law, when seen in the aggregate and in practice, provide protections that are essentially equivalent to those in the EU. But there will be a risk that EU courts will find that some specific US law, most likely in the field of intelligence surveillance, falls short when measured against EU law on the books rather than against an EU-wide benchmark that considers the reality of how member states actually apply the law. As shown by the invalidation of Safe Harbor in Schrems, it is unlikely that the EU courts will be overly concerned with the commercial disruption caused by their privacy decisions. In the event that Privacy Shield is found wanting, the US and the EU will need to scramble once again to put into place a replacement agreement.
Building on Privacy Shield
While negotiating Privacy Shield was a significant achievement, it is a series of one-way explanations and commitments (especially noteworthy in the realm of intelligence gathering). The agreement is also limited to the US–EU dimension, rather than covering a broader geographic scope. Despite the significance of transatlantic data flows, data and the digital economy are becoming increasingly global.
The time is ripe for the US and the EU to build on Privacy Shield by negotiating a two-way agreement that enhances the alignment of their data privacy regimes. This would enhance the trust of consumers on both sides of the Atlantic in the digital tools of modern life. It would help build an integrated transatlantic digital economy and set global standards for data privacy. As argued in Chapter 8, the time is also ripe for a US–EU agreement on the access of our law enforcement authorities to electronic evidence stored abroad.
Recent events in the United States are bringing our data privacy regime into greater alignment with that of the EU. In 2015, the Obama administration proposed (but failed to win Congressional support for) a Consumer Privacy Bill of Rights Act that set conditions on the lawful processing of personal data. The purpose of the bill was to articulate in one document certain rights, such as the right to exercise control over the collection, retention and use of personal data; to have easily understandable information about privacy and security practices; to require that the collection, retention and use of personal data are carried out in ways consistent with consumers’ intentions; to require secure and responsible handling of personal data; and to enable consumers to access and correct personal data. There were other attempts in Congress during the subsequent years to pass similar legislation.
The entry into force of the EU’s GDPR in May 2018 helped to raise awareness in the United States of the need for such a bill of rights. GDPR requires any organization anywhere in the world that handles EU citizens’ personal data to be transparent about how it collects, stores, and processes that data. Shortly after its entry into force, California passed a landmark data privacy law inspired by GDPR. Repeated revelations, involving many of the leading social media companies in the United States, of large-scale unauthorized access to personal data have only increased the sentiment that GDPR-type legislation is necessary at a federal level. The scandal in 2018 involving the purchase by Cambridge Analytica of tens of millions of people’s Facebook profiles without their consent for political advertising purposes is perhaps the leading example. Even the FTC’s record-breaking $5 billion fine against Facebook is not a substitute for federal legislation.
When I was serving in my diplomatic mission, many CEOs of US tech firms complained to me bitterly that GDPR is an overly intrusive piece of legislation that is typical of EU bureaucratic overreach. They were calling for self-regulation or denying that any regulation is necessary. There were a few notable exceptions. A number of thought leaders on data privacy, such as Brad Smith, President of Microsoft, and Ginni Rometty, President and CEO of IBM, have long pressed for federal privacy rules that empower consumers to better control their data.
Now the giants of the US tech community embrace GDPR. Apple has long underlined its commitment to privacy. In 2018 Tim Cook, the CEO of Apple, called for a federal privacy law to prevent a “data industrial complex” from “weaponizing” personal information with “military efficiency.” One year later Mark Zuckerberg, CEO of Facebook, a company that privacy advocates consider to be one of the key threats to personal data privacy, argued for a globally harmonized privacy and data protection framework in line with GDPR.38 If passed, a US federal “Privacy Bill of Rights” would be another important step in bringing the US and EU data protection regimes closer together.39
US and EU regulators will need to cooperate ever more closely on data privacy. One critical area will be the interplay, and perhaps convergence, between data privacy and competition policy. There are many aspects to this area, including valuing (off-balance sheet) data for the purpose of jurisdictional thresholds for merger review, treating the accumulation of valuable data as an indicator of market power, and determining when and how actors with market power may collect and use data.
Leading privacy experts from think tanks on both sides of the Atlantic have been trying to build “privacy bridges”40 that do not require legislative change. These bridges merit consideration and some are both worthwhile and relatively straightforward. For example, the FTC and the EU Data Protection Board (that coordinates the EU’s DPAs) should establish formal working relations and hold regular meetings. A Memorandum of Understanding could, for example, call on both sides to provide the other with advance notification of an intention to conduct specific policy analysis; to coordinate regulatory activity; and to promote cooperation on enforcement matters involving cross-border violations of data privacy law. Other proposals call for promoting common perspectives on privacy by fostering multi-disciplinary collaboration between data privacy experts and standardizing laws requiring the reporting of multinational data privacy breaches. The proposals also call for technology companies, privacy regulators, industry organizations, privacy scholars, civil society groups, and technical standards bodies to develop common mechanisms for individuals to express their privacy choices with regard to the collection, use, and transfer of their data.
A US–EU data privacy agreement would not be the first regional agreement of its kind. The Trans-Pacific Partnership (TPP) that the Obama administration sought to conclude, for example, included a chapter of binding provisions on electronic commerce. These provisions reflected core principles such as an open and free Internet (enabling consumers to access content and applications of their choice), unrestricted cross-border data flows (versus discriminatory and protectionist barriers), the prohibition of requirements to store data locally and the protection of innovation in products that enhance security and privacy (such as encryption). After the Trump administration withdrew from TPP, the other signatories proceeded with a new version that also included an e-commerce chapter.
The Asia-Pacific Economic Cooperation (APEC) group, encompassing 21 Asian-Pacific members constituting almost half of world trade, concluded a Privacy Framework in 2004. According to its recommendations, member states acknowledge and implement basic principles of privacy protection, while permitting variations reflecting their different legal systems, cultures, values, and privacy laws.41 The APEC Privacy Framework was based on earlier Guidelines of the Organization for Economic Cooperation and Development (OECD), an organization of 35 economically developed countries. The OECD Guidelines, most recently updated in 2013, represent a consensus on basic principles that can be built into national legislation.
A US–EU data privacy agreement could be more ambitious than these regional agreements because the transatlantic region shares a common heritage of democracy, the rule of law and fundamental freedoms, as well as being the home of the most dynamic digital companies. TTIP would have been an opportunity to enshrine core principles, more ambitious than those in TPP, had we been able to conclude it.
One former colleague of mine at the National Security Council has proposed a Transatlantic Charter for Data Security and Mobility:
Such a document might establish general principles that governments would observe as they analyse and deploy specific rules on data collection, handling and analysis. It would also encourage constructive engagement in these decisions from industry. While final agreement on such a charter by US and European policymakers would represent a signal achievement, the effort of seeking consensus on basic principles can in itself be helpful in establishing trust among governments that regulate data and companies that increasingly depend on data.42
Such a charter might require US and EU regulators to consult with one another when considering rules that might affect the firms or citizens of the other. In their consultations, they would explain how proposed rules align with the data privacy regime of the other and would undertake to minimize any contradictions. According to the charter, the parties would agree to promote an open and free Internet, and cross-border data flows; refrain from discriminating against digital transfers from other countries; ensure that government data be as open and available as possible; and permit data localization rules only in limited circumstances.
Firms could be encouraged to endorse the charter’s principles and to develop industry sector-specific charters that would include codes of conduct and measures to improve standardization and interoperability of data privacy rules. One model for this proposal is the Memorandum of Understanding between the US Department of Health and the European Commission on the interoperability of health-related information and communication technology, products, and services. The MOU sets out a roadmap to facilitate the access, control, and portability of electronic health records.43
The charter would also encourage consultations among legislators and joint work among non-governmental privacy experts on such thorny issues as the interplay between privacy and cybersecurity (including encryption), how to distinguish between industrial and personal data (with the latter deserving a higher degree of protection), how and when to make data anonymous and therefore incapable of being used to identify individuals, and the circumstances in which individuals should be able to claim ownership of data relating to themselves. The charter could serve as a framework for joint proposals by the US and the EU at the G-7 and G-20 groups of advanced economies, as well as at the World Trade Organization.44
The gradual alignment of data privacy regimes in the US and the EU may eventually lead to bolder solutions. In the wake of the invalidation of Safe Harbor, Brad Smith, President of Microsoft, argued that data privacy is a fundamental human right and, as such, it should not change every time data moves from one location to another. Individuals should not lose their data privacy rights just because their data crosses a border; that is especially so when they are not aware of where their information is being moved or stored by someone else. Smith made a simple, but far-reaching proposal that data privacy rights should travel with the data itself:
If we’re going to ensure that data…can move across the Atlantic on a more sustainable basis, we need to put in place a new type of trans-Atlantic agreement. This agreement needs to protect people’s privacy rights pursuant to their own laws, while ensuring that law enforcement can keep the public safe through new international processes to obtain prompt and appropriate access to personal information pursuant to proper legal standards.45
That would mean that the US government would only have the right to demand access to EU citizens’ personal information stored in the United States in a manner that conforms with EU law, and vice versa. Smith advocated in favor of a new transatlantic agreement that would create an expedited process for governmental entities on both sides of the Atlantic to access personal information that has crossed the Atlantic and belongs to the other’s citizens. According to this process, a government could only request access to this data if lawful under its own laws; if the government in the citizen’s country of nationality finds that the request is in conformity with local laws, it would authorize disclosure.
Such an agreement would have far-reaching consequences. It would mean that US law enforcement authorities could only compel US Internet service providers, for example, to deliver data relating to EU citizens if this were in perfect compliance with EU law, even when the data is stored in the United States. That is a significant step beyond the “essential equivalence” standard we observed in Privacy Shield. And it would require significant legislative changes that are highly unlikely in the areas of law enforcement and intelligence collection. Nevertheless, it would be worth considering whether to negotiate a US–EU pact on the minimum privacy standards that US and EU citizens and residents should enjoy vis-à-vis each other’s foreign surveillance.46 Although there are few limitations on US surveillance of EU nationals abroad, President Obama rightly stated that the United States cares about their privacy; this would be a concrete step to prove it.
Footnotes
1. Opinion of Advocate General Yves Bot, Maximilian Schrems v. Data Protection Commissioner, Case C-362/14, September 23, 2015. http://curia.europa.eu/juris/document/document.jsf?docid=168421&doclang=EN.
2. The National Security Agency defines signals intelligence as the production of foreign intelligence through the collection, processing and analysis of communications or other data, passed or accessible by radio, wire, or other electromagnetic means. The National Security Agency: Missions, Authorities, Oversight and Partnerships, August 9, 2013. https://www.nsa.gov/news-features/press-room/statements/2013-08-09-the-nsa-story.shtml.
3. Barton Gellman and Laura Poitras, “US, British Intelligence Mining Data from Nine US Internet Companies in Broad Secret Program,” The Washington Post, June 7, 2013. The authors won a Pulitzer Prize for the story, which has since been updated. https://www.washingtonpost.com/investigations/us-intelligence-mining-data-from-nine-us-internet-companies-in-broad-secret-program/2013/06/06/3a0c0da8-cebf-11e2-8845-d970ccb04497_story.html?utm_term=.42796be20b78.
4. Robert Litt, “Europe’s Court Should Know the Truth About US Intelligence,” Financial Times, October 5, 2015.
5. Privacy and Civil Liberties Oversight Board, “Report on the Surveillance Program Operated Pursuant to Section 702 of the Foreign Intelligence Surveillance Act,” July 2, 2014. https://www.pclob.gov/library/702-Report.pdf.
6. European Union Agency for Fundamental Rights, “Surveillance by Intelligence Services: Fundamental Rights Safeguards and Remedies in the EU,” 2015, p. 17.
7. There were 89,138 targets in 2013 and 94,368 in 2015.
8. Peter Swire, “US Surveillance Law, Safe Harbor, and Reforms Since 2013,” p. 29. https://peterswire.net/wp-content/uploads/Schrems-White-Paper-12-18-2015.pdf.
9. Remarks by the President on Review of Signals Intelligence, January 17, 2014. https://obamawhitehouse.archives.gov/the-press-office/2014/01/17/remarks-president-review-signals-intelligence.
10. Valentina Pop, “ECJ President on EU Integration, Public Opinion, Safe Harbor, Antitrust,” The Wall Street Journal, October 14, 2015. https://blogs.wsj.com/brussels/2015/10/14/ecj-president-on-eu-integration-public-opinion-safe-harbor-antitrust/.
11. The reaction in the US media was damning. For example, Richard Epstein, “Europe’s Top Court Goes Off the Rails,” The New York Times, October 8, 2015.
12. Remarks at the Department of Justice, January 17, 2014. https://obamawhitehouse.archives.gov/blog/2014/01/17/president-obama-discusses-us-intelligence-programs-department-justice.
13. Jean-Claude Juncker, “Politico Brussels Playbook,” November 29, 2019. https://www.politico.eu/newsletter/brusselsplaybook/special-playbook-edition-by-jean-claude-juncker/.
14. Charlemagne, “Swords and Shields,” The Economist, February 6, 2016.
15. Winston Maxwell and Christopher Wolf, “A Global Reality: Governmental Access to Data in the Cloud,” Hogan Lovells White Paper, July 18, 2012. Winston Maxwell and Christopher Wolf, “A Sober Look at National Security Access to Data in the Cloud,” Hogan Lovells White Paper, May 22, 2013. The French Surveillance Law passed after the attacks in Paris enables intelligence agencies to tap phones and e-mails without seeking permission from a judge. It forces Internet service providers and phone companies to give up data upon request. It allows intelligence services to undertake bulk collection of “metadata” (information about communications) and retain it for five years.
16. Sidley Austin, “Essentially Equivalent: A Legal Comparison of the Legal Orders for Privacy and Data Protection in the European Union and United States,” January 2016. https://www.sidley.com/-/media/publications/essentially-equivalent---final.pdf.
17. Michael Holden and Kate Holton, “UK Unveils Power to Spy on Web Use, Raising Privacy Fears,” Reuters, November 5, 2015.
18. Stephen Schulhofer, “A Transatlantic Privacy Pact?” in Surveillance, Privacy and Trans-Atlantic Relations, ed. David Cole, Federico Fabbrini, and Stephen Schulhofer (Bloomsbury, 2017), p. 180. Vincent Jauvert, “Comment La France (Aussi) Ecoute le Monde,” Le Nouvel Observateur, July 2, 2015.
19. Nils Muiznieks, “Europe Is Spying on You,” The New York Times, October 27, 2015.
20. EU Agency for Fundamental Rights, “Surveillance by Intelligence Services: Fundamental Rights Safeguards and Remedies in the EU,” 2015. http://fra.europa.eu/en/publication/2015/surveillance-intelligence-services.
21. A key judgment in 2016 held that Swedish and UK legislation permitting the general and indiscriminate retention of all traffic and location data is incompatible with EU law.
22. Paul Hofheinz and Michael Mandel, “Uncovering the Hidden Value of Digital Trade,” The Lisbon Council, Issue 19/2015.
23. Daniel Hamilton and Joseph Quinlan, The Transatlantic Economy 2019, Johns Hopkins University SAIS, 2019, p. 35. https://transatlanticrelations.org/wp-content/uploads/2019/03/TE2019_FullStudy.pdf.
24. Paul Hofheinz and Michael Mandel, “Uncovering the Hidden Value of Digital Trade,” The Lisbon Council, Issue 19/2015.
25. Garrett Workman, “TTIP: Underlining the Importance of Digital Trade,” US Chamber of Commerce, May 5, 2016. https://www.uschamber.com/article/ttip-underlining-the-importance-digital-trade.
26. “The Economic Importance of Getting Data Protection Right: Protecting Privacy, Transmitting Data, Moving Commerce,” European Centre for International Political Economy, March 2014.
27. Matthias Bauer, Hosuk Lee-Makiyama, Erik van der Marel, and Bert Verschelde, “The Cost of Data Localization: Friendly Fire on Economic Recovery,” ECIPE Occasional Paper 3/2014. China enacted a law in 2016 that requires companies to store all their data within Chinese borders. A similar law took effect in Russia in 2015.
28
Daniel Castro, “How Much Will PRISM Cost the US Cloud Computing Industry?” Information Technology and Innovation Foundation, August 2013. James Staten, “The Cost of PRISM Will Be Larger Than ITIF Projects,” Forrester blog post, August 14, 2013.
29
Global data transfer rates expanded by a factor of more than 40 between 2005 and 2014. “The US-EU Privacy Shield Pact: A Work in Progress,” Peterson Institute for International Economics, August 2016.
30
The two approaches are detailed in James Whitman, “The Two Western Cultures of Privacy: Dignity Versus Liberty,” Faculty Scholarship Series, Paper 649, 2004. http://digitalcommons.law.yale.edu/cgi/viewcontent.cgi?article=1647&context=fss_papers.
31
Ibid., p. 1159. http://digitalcommons.law.yale.edu/cgi/viewcontent.cgi?article=1647&context=fss_papers. According to one study, telephones in France and Germany are tapped at ten to thirty times, and in the Netherlands and Italy at 130–150 times, the rate they are tapped in the United States.
32
Recent judgments have limited the government’s ability to seize an individual’s historical cell phone location information, to use thermal imaging technology to look inside a home, or to examine the content of a cell phone, without a warrant.
33
The Court noted that a third country “cannot be required to ensure a level of protection identical to that guaranteed in the EU legal order.” In deciding whether a third country’s level of data protection is adequate, the European Commission should carry out a “global assessment.” It may make an adequacy finding “even though the manner in which that protection is implemented may differ from that generally encountered in the European Union.”
34
Sidley Austin, “Essentially Equivalent: A Comparison of the Legal Orders for Privacy and Data Protection in the European Union and United States,” January 2016, p. 4. https://www.sidley.com/-/media/publications/essentially-equivalent---final.pdf.
35
See https://obamawhitehouse.archives.gov/the-press-office/2014/01/17/presidential-policy-directive-signals-intelligence-activities and https://obamawhitehouse.archives.gov/the-press-office/2014/01/17/remarks-president-review-signals-intelligence.
36
James Glanz and Andrew Lehren, “NSA Spied on Allies, Aid Groups and Business,” The New York Times, December 20, 2013.
37
The ECPA provides for criminal sanction and civil causes of action for “any person whose wire, oral, or electronic communication is intercepted, disclosed or intentionally used in violation of the Act.”
38
Mark Zuckerberg, “The Internet Needs New Rules,” The Washington Post, March 30, 2019.
39
Another step that would promote the alignment of US–EU data privacy regimes would be US ratification, after appropriate revisions, of the Council of Europe’s Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data. While the United States is not a member of this body, dedicated to promoting human rights, democracy and the rule of law in Europe, it is already a party to another Council of Europe convention on cybercrime.
40
Privacy Bridges: EU and US Privacy Experts in Search of Transatlantic Privacy Solutions, 37th International Privacy Conference, Amsterdam 2015.
41
APEC Privacy Framework. https://www.apec.org/Publications/2017/08/APEC-Privacy-Framework-(2015).
42
Christopher Smart, “Regulating the Data That Drive 21st Century Economic Growth: The Looming Transatlantic Battle,” Chatham House, June 2017. https://www.chathamhouse.org/publication/regulating-data-drive-21st-century-economic-growth-looming-transatlantic-battle.
43
Carl Bildt and William Kennard, “Building a Transatlantic Digital Marketplace: Twenty Steps Toward 2020,” Atlantic Council, April 2016. http://www.atlanticcouncil.org/publications/reports/building-a-transatlantic-digital-marketplace-twenty-steps-toward-2020.
44
In July 2016, the United States tabled a proposal at the WTO to update the General Agreement on Trade in Services to include a chapter on electronic commerce. The proposal included the following: prohibiting customs duties for digital products, establishing non-discrimination principles between foreign and domestic firms; allowing companies and consumers to move data as they see fit; preventing localization barriers; and barring forced technology transfers. At the time of writing, these proposals have not yet been agreed.
45
Brad Smith, “The Collapse of the US-EU Safe Harbor: Solving the New Privacy Rubik’s Cube,” October 20, 2015. https://blogs.microsoft.com/on-the-issues/2015/10/20/the-collapse-of-the-us-eu-safe-harbor-solving-the-new-privacy-rubiks-cube/.
46
See David Cole and Federico Fabbrini, “Transatlantic Negotiations for Transatlantic Rights: Why an EU-US Agreement is the Best Option for Protecting Privacy Against Cross-Border Surveillance,” in Surveillance, Privacy and Transatlantic Relations, ed. David Cole, Federico Fabbrini, and Stephen Schulhofer (Bloomsbury, 2017).