EU Fails to Build on Data Privacy Success
Back in October, a stubborn Austrian law student got the top European court to invalidate the European Union's "safe harbor" agreement with the U.S., which allowed 4,700 American tech companies to transfer EU citizens' private data to the U.S. without any safeguards. Now bureaucrats in Brussels are essentially rendering the judgment meaningless.
As Edward Snowden, the National Security Agency whistle-blower who alerted the world to the dangers of indiscriminate U.S. electronic surveillance put it in a tweet, "EU capitulates totally on safe harbor. Interesting, given that they held all the cards."
The Austrian student, Max Schrems, became interested in personal data transfers to the U.S. when he studied Fascebook's arrangements for handling such data. He discovered it was hard to get the company to release all the information it held about him, as it was required to do under European law. Schrems also worried that vast amounts of data that users didn't even know companies were storing were available to U.S. intelligence services. So he crowdfunded a legal challenge to safe harbor, and last October, the European Court of Justice ruled that the U.S. wasn't really safe for Europeans' private data.
"Legislation permitting the public authorities to have access on a generalized basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life," it said.
Spurred on by the tech companies, which found themselves in a legal vacuum, officials on both sides scrambled to fix the problem. It is now clear that this effort amounts to little more than window dressing.
The EU could have chosen to require U.S. companies to make arrangements for data storage in Europe instead of sending data to the U.S. Late last year, Microsoft suggested a creative solution that would have worked for everyone: It arranged for Deutsche Telekom to serve as "data trustee" under Germany's tough privacy laws, storing the U.S. company's client information in two data centers in Germany and only allowing access to it with the clients' permission.
Instead, the European Commission asked the U.S. to provide guarantees that Europeans' data wouldn't come under blanket surveillance and they would have legal redress if they had a privacy complaints.
As Vera Jourova, the EU commissioner charged with renegotiating "safe harbor," told the European Parliament on Monday,
In the context of our negotiations, we are obtaining specific written assurances from the U.S. that access by public authorities to personal data transferred from Europe will be limited to what is necessary and proportionate. These assurances must confirm that there is no indiscriminate mass surveillance and that safeguards for individuals also apply to non-U.S. persons.
In other words, the EU will be happy with a written promise that its citizens' private messages won't be read without a very good reason. Jurova promised that would be monitored through an "annual joint review."
As for legal redress, the U.S. Senate is now considering special legislation to make it possible, and Republican senators are looking to insert a provision that would oblige the Attorney General to certify whether a country whose citizens will have redress don't have policies that endanger U.S. national security.
Suing in the U.S. is already a difficult and expensive proposition for Europeans – even Schrems' doggedness could be tested – and Republican insistence on exceptions for what they see as U.S. national security interests could complicate the process even further.
If the negotiations end as Jurova described, the old safe harbor agreement will be back with some added meaningless guarantees and a new layer of European bureaucracy: Apart from the joint reviews, Jurova proposes to create an ombudsperson to deal with primary complaints.
This is conflict resolution, Brussels style: Exchange letters, draft some useless legislation and set up a commission, preferably two, and perhaps the problem will get bored and go away.
If this approach prevails, as it looks set to do, Europeans concerned about the safety of their personal data and more inclined to trust – and better equipped to sue – their home countries' authorities will need to confine themselves to dealing with those U.S. tech companies that take their concerns into consideration voluntarily.
This column does not necessarily reflect the opinion of the editorial board or Bloomberg LP and its owners.
To contact the author of this story:
Leonid Bershidsky at firstname.lastname@example.org
To contact the editor responsible for this story:
Therese Raphael at email@example.com