In my twenty years as a privacy lawyer, the past three months have created the most challenging legal/policy issue I have seen. Concerns about government access to personal data have threatened our global economy and created uncertainty about how to bridge the different legal and government structures in the US and Europe.
Last October, the Court of Justice of the European Union called into question the “Safe Harbor”, which has been the legal mechanism to allow companies to transfer personal data between the EU and the US. The Safe Harbor has been in place since it was agreed upon in 2000, and it has fostered a transatlantic data economy that has benefited everyone. That data economy still holds great potential for dramatic advances in healthcare, education, agriculture, the environment and safety. The decision by the Court of Justice put all of that potential at risk. Fortunately, three intense months of negotiations between the European Commission and the US Department of Commerce culminated in a political agreement announced last week on an EU-US Privacy Shield (a new name for a set of requirements and restrictions on the transfer and use of data). While the language of the agreement has not been released, EU and US officials believe it will allow continued lawful transfers of personal data with additional safeguards for EU citizens. I commend the negotiators on their hard work and disciplined focus to reach a political agreement. However, while the agreement puts us on a better path, there are still many issues.
The Court of Justice ruling stated that to allow transfer of data from the EU, the receiving country’s legal protections for the individual must be essentially equivalent to those in the EU. No one is completely certain what “essential equivalency” means. The Court of Justice says the phrase does not mean “identical”, but we do not know exactly what standard it creates. Further legal challenges are almost certain. Exacerbating this uncertainty is the fear that this standard of essential equivalency could also be used to prevent transfers of data from the EU to other countries such as Russia, China, India and Brazil. These countries have fewer privacy protections than the US. If transfers to the US do not meet the EU standard, then it is unlikely that transfers to these other countries will satisfy EU law. A European economy without transfers to any of these countries would have a significant negative impact on the entire world.
The opinion could also apply to how EU Member States transfer data among themselves, and how they use that data to promote national security, fight terrorism and prevent crime. The Court of Justice’s opinion lacked any thorough factual analysis of the US legal structures of oversight and controls in the use of personal data for these purposes, so we do not know the standard that we should apply to understand whether enough privacy protections have been put in place. This lack of analysis creates even more uncertainty for any company doing business in Europe. Unpredictability of future data flows would heavily damage the European economy and the newly established Digital Single Market, curtailing opportunities for investment, job creation and innovation. In the absence of the ability to rely upon the Safe Harbor, many companies are using binding corporate rules (commitments within a company) and standard contractual clauses (restrictions agreed between companies) to transfer data. However, it is unclear whether these data transfer tools can survive the Court of Justice’s standard of essential equivalence.
Europe has shown leadership in promoting privacy as a fundamental right in the digital age. The reform of the data protection legal framework is an example of European commitment in this domain. However, a broader discussion needs to be had on surveillance: we need to recognize the political, economic and social magnitude of technological choices relating to access to data by law enforcement authorities and especially by security agencies. Threats in cyberspace are increasing in number and resilience, and security has to be pursued in parallel with privacy. Security and privacy are not alternative options; they can be pursued together. Technology allows for the possibility of individual freedom and empowerment, if individuals can trust their use of that technology. One of the largest current risks to privacy is the theft of personal data as a result of cybersecurity breaches. Increased cybersecurity can further privacy, and is an example of how security and privacy can complement each other.
It is possible for government agencies to conduct surveillance while also respecting privacy. Limiting data collection, permitting only essential uses of the data by government agencies, and establishing robust oversight and controls to promote accountability can protect individual privacy while also promoting security. These concepts are at the core of recent legal reforms in the US and Europe, and the issues require continued dialogue between governments. It is critical that we allow those conversations to proceed in a productive manner. Equally important is that data flows and the private sector should not be disrupted while those government discussions take place, especially in situations where the private sector is attempting to comply with the law.
A transatlantic dialogue on privacy, security and surveillance should be further promoted to avoid future harm to the transatlantic relationship. On January 28th, we celebrated Data Privacy Day in the US and Data Protection Day in Europe. The idea for Data Privacy Day was first discussed around my dinner table eight years ago, in a conversation among friends from the US and Europe. During that dinner we noted that the US and Europe share common values on privacy. That recognition of shared values sparked an idea to have organizations in the US recognize the anniversary of the signing of the Council of Europe’s Convention 108, by fostering transatlantic dialogue and raising privacy awareness. By the end of that dinner we had created an annual event that is now recognized by thousands of organizations around the world.
Awareness and dialogue are even more important now than they were eight years ago. Our shared values have created a close friendship between the US and Europe. It is appropriate for friends to expect more from each other than they demand from others. Over the past two years, media attention to the activities of surveillance agencies has tested that friendship. When friends find themselves at odds, it is important to find a workable path forward without threats or actions that would create long-term harm to the relationship. Friends owe it to each other to find ways to have a productive and respectful dialogue.
The Fair Information Practice Principles (FIPPs) have been jointly created by the US and the EU. The FIPPs demonstrate shared values, and have become the “common language” of privacy. It is time we use this common language to chart a course forward, which is why Intel has developed an effort called Rethinking Privacy. The effort looks to the FIPPs, as articulated in the 1980 OECD Privacy Guidelines, and explores how we can implement them for an environment of the internet of things, cloud computing and advanced data analytics. This tremendous accomplishment of the agreement on the Privacy Shield should be celebrated as an opportunity to continue discussion of how to Rethink Privacy in the contexts of national security and law enforcement. We now have the opportunity to have that conversation as friends who share common values and who speak a common language. Data transfers between Europe and the other countries listed above will require examination of these same issues. The results of that conversation between friends can then form the basis of a global dialogue establishing a worldwide common language to promote privacy and security.