How Will Obama’s NSA Plans Impact European Data Protection Requirements?
The recently revealed plans by President Barack Obama to reform the way in which the U.S. intelligence services gather and use data throughout the world have had a lukewarm reception by European politicians. The rhetoric by members of the European Parliament in particular suggests that Obama's proposed reforms stopped short of what would have been comforting enough for them. Such reforms are a work in progress that will extend over months and years, but Obama's stance is bound to have a very direct effect on existing and forthcoming EU data protection requirements.
Here are some predictions about the practical impact of the proposed plans in Europe:
- Calls for a tougher, inward-looking new regime will continue at the European Parliament and the European Commission. Early reactions show that the preferred position of some European politicians is to ensure that the EU data protection framework provides for strict legal barriers that make it more difficult for Europeans' data to be accessible elsewhere.
- The European Parliament's LIBE Committee has been particularly vocal in expressing its dismay over the intelligence-gathering revelations of the past months. It is beyond doubt that its stance will remain pretty much intact following Obama's speech. Therefore, we can expect LIBE to carry on with its aim to impose very tight restrictions on data flows.
- The European Commission will be more measured. My expectation is that it will play a slight double game by supporting the development of an "EU cloud" whilst progressing talks with the U.S. government at the same time. In the commission's ideal world, U.S. and global technology providers would endeavour to meet European data protection standards.
- In line with this, discussions between the European Commission and the U.S. government to tweak Safe Harbor will carry on. The good news for Safe Harbor-compliant organisations is that the prospect of Safe Harbor disappearing altogether will die out.
- One of the most visible consequences is that contracts with U.S.-headquartered cloud providers will continue to be carefully scrutinised by EU customers and regulators. The reality is that European data will continue to live in the cloud. Therefore, in the absence of rock-solid political guarantees that U.S. intelligence services will stay away from such data, Europeans will seek strong contractual protections setting out how any data access requests are dealt with.
- Ultimately and unfortunately, this issue will continue to distort the data protection legislative process currently taking place in the EU. The risk in that respect is that lawmakers may end up creating an unrealistic and ineffective law that conflicts with other legal obligations and does not provide the intended level of protection.
It is clear that the political landscape will continue to make European data protection compliance more onerous and complex. On the one hand, that may be a fair price to pay in order to protect our individual freedom. But on the other hand, it could have a very damaging effect on the ability of the private and public sectors to maximise the commercial and societal potential of data. At the very least, privacy professionals are going to have to remain alert to the risks of unjustified data access and swiftly find the right balance between acceptable disclosures and privacy demands.
About the Author
Eduardo Ustaran, CIPP/E, is a dually qualified English solicitor and Spanish abogado based in London and an internationally recognised expert in privacy and data protection law. He has been named by Revolution magazine as one of the 40 most influential people in the growth of the digital sector in the UK and is ranked as a leading individual for data protection by Chambers UK. Ustaran is also the author of The Future of Privacy, a book aimed at reshaping the global debate around data and privacy. Ustaran advises on the impact of EU data privacy law on the operational activities of all types of organisations and has assisted data protection regulators from different countries to align their positions and interpretation of the law. He is editor of Data Protection Law & Policy and a member of the panel of experts of DataGuidance. Ustaran is co-author of E-Privacy and Online Data Protection and of the Law Society’s Data Protection Handbook.