
US needs to provide “essentially equivalent” data protection for transfers from EU

On Monday I summarized the reasons that the European Court of Justice struck down the European Commission decision that permitted the transfer of personal data from the European Union to the United States. And yesterday I heard the plaintiff in that case, Maximilian Schrems, speak at NYU’s journalism school. He and Professor Ira Rubinstein (NYU Law) highlighted a critical portion of the ECJ’s judgment, but came to conflicting conclusions. The court decided that the protection of EU citizens’ privacy rights, as laid out in the European Charter of Fundamental Rights, could not be compromised. Merely “adequate” protection of personal data, as required by the Data Protection Directive, is not enough; the level of protection must be “essentially equivalent” to that provided by EU law.

Here’s the court:

73 The word ‘adequate’ in Article 25(6) of Directive 95/46 [the Data Protection Directive] admittedly signifies that a third country cannot be required to ensure a level of protection identical to that guaranteed in the EU legal order. … [T]he third country in fact to ensure, by reason of its domestic law or its international commitments, a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed within the European Union by virtue of Directive 95/46 read in the light of the Charter. If there were no such requirement, the objective referred to in the previous paragraph of the present judgment would be disregarded …

74 It is clear from the express wording of Article 25(6) of Directive 95/46 that it is the legal order of the third country covered by the Commission decision that must ensure an adequate level of protection. Even though the means to which that third country has recourse, in this connection, for the purpose of ensuring such a level of protection may differ from those employed within the European Union in order to ensure that the requirements stemming from Directive 95/46 read in the light of the Charter are complied with, those means must nevertheless prove, in practice, effective in order to ensure protection essentially equivalent to that guaranteed within the European Union.

(emphasis added)

In other words, the Commission would have to take into account US surveillance laws and practices. Facebook, Google, Microsoft and the telecoms could be perfect privacy angels; it wouldn’t matter so long as the data these companies collect is available to US intelligence.

Schrems is obviously ecstatic about this, Rubinstein more skeptical. In addition to concerns with the factual record relied on by the court, Rubinstein expressed a common complaint: the decision cloaks a double standard in respectable clothing. The EU member states, most notably the UK, are no privacy utopias; many of them surveil their own citizens and those of other countries. Why should the ECJ single out the United States when even the member states don’t respect these rights?

The response to this question seems obtuse at first: the ECJ doesn’t have jurisdiction over the member states’ national security policy. The ECJ can make rulings about the commercial use of data, but not about the collection of data by the member states’ national security institutions. But it can get at the commercial nexus linking commercial bulk data collectors to national intelligence agencies, i.e. the point where commercial entities hand data to governments. It seems perfectly reasonable to me for the ECJ to step in where it can to protect fundamental European rights, and thus lay claim to popular legitimacy. That the court can’t make its will felt everywhere is no argument against this particular judgment.

But Rubinstein also raised a concern with what he later called the “logic” of the decision: if data can only be transferred to countries with data protection regimes “essentially equivalent” to that of the EU, then there’s a danger that the Internet will split into a set of national and transnational Internets with different barriers to data transfer.

“This decision creates an interesting conundrum,” Rubinstein said. “At some level it’s not the Safe Harbor or the transfer to the US, it’s the international flow of data that’s the problem. And there’s no reason to think that surveillance in countries that were formally evaluated as adequate is any more protective of privacy rights than in the US or any EU member state.”

Some argue that the ECJ’s stance on data privacy and the international backlash against US surveillance will undermine the openness of the World Wide Web. I like to think that the arrow points the other way: I hope that the ECJ’s stance on data privacy will discourage US mass surveillance by making US intelligence pay the cost of offending international sensibilities. If the Internet giants all hold onto their data in Europe without transferring it to the US, it will make the data that much harder for US intelligence to access; they’ll have shot themselves in the foot.

So far there’s no additional word on what the safe harbor replacement, EU-US Privacy Shield, will look like. I’m afraid I’m not so optimistic: how can the US live up to the essential equivalence test without cutting back on mass surveillance? After all, it looks like the opposite is true. And if the US doesn’t budge on the substantive issue, it seems likely that all the changes will be merely cosmetic.

PS. I referred to the safe harbor arrangement as an “agreement” in my post Monday. This implies a higher degree of coordination between the US and EU authorities than appears to have been the case. The United States and the European Union did not sign a treaty on data transfer. Rather, the European Commission promulgated a decision in 2000 which permitted data transfers to organizations in the US as long as they “self-certify” to the so-called safe harbor principles, a set of guidelines drawn up by the US Department of Commerce concerning EU privacy law and appended to the Commission decision. This self-certification process was supposed to ensure the “adequate protection” demanded by the Data Protection Directive.

3 Comments

  1. Mark Walker, February 24, 2016

    So Safe Harbor was a joke – the usual police-thy-self one. Well I haven’t seen that in, oh maybe 10 minutes.
    I don’t see such a terrible problem with borders on the internet. We have them now at corporation firewalls for example. Europe and Co. certainly know how they work in real life.
    It isn’t like dealing with such borders would be more than a mild to moderate distributed computing problem. Too bad for Google, and others, to have to actually serve their customers’ legal protections under the Rule of Law in their country of residence.
    Can’t the IT world do better than bricks and mortar?

    • Kyle Walker, February 24, 2016

      I feel much the same. If the increase in transaction costs that derives from having to “offshore” your data mining to comply with privacy laws is that big of a deal, then it will just encourage Google et al. to resist the invasive US surveillance regime more than they’re already prone to do. If one can say they do already. I guess they do when it serves them; and it will serve them more when they can’t do business in Europe because the US is busy gathering its mountains of “sigint”.

  2. Mark Walker, February 24, 2016

    The “essentially equivalent” part reminds me of IEEE’s WEP (Wired Equivalent Privacy) for wireless computer network communications. The WEP designers were not crypto pros. WEP went down in a pile of bits. What can we say, broadcast, especially radio, media is hard to secure. Too bad WEP’s problems were more fundamental and primary to crypto design.
