Parallel Privacy Universes and PRISM
The U.S. and Europe seem locked in their own separate, parallel universes in the way they view PRISM and other recent revelations concerning law enforcement data access, as demonstrated by differences in transatlantic media coverage.
Here in Europe, discussion of law enforcement surveillance of electronic communications has dominated the major news media for the last few weeks. By contrast, while visiting the U.S. in July, I found that, with the exception of a couple of national newspapers, the mainstream media seemed disinterested in the long-term privacy implications of the story, concentrating instead on peripheral issues such as whether Edward Snowden had been sighted at the Moscow airport.
The media coverage reflects differences in how the issues are viewed on opposite sides of the Atlantic. Some Americans regard the recent announcement by German data protection authorities that they would review the legality of data transfers under the U.S. Safe Harbor as evidence that for Europeans, these revelations are just an excuse for protectionism.
The close transatlantic cooperation in intelligence-sharing has also led many in the U.S. to view European complaints about U.S. surveillance as hypocritical. It seems that some European governments may have in effect “outsourced” their intelligence-gathering to the NSA, allowing them to avoid doing it themselves but still to express public indignation about U.S. activities.
For their part, Europeans are sceptical of whether U.S. oversight of intelligence-gathering is as effective as claimed. Many in Europe would agree with U.S. Supreme Court Chief Justice John Roberts, who admitted in his confirmation hearings in 2005 that the U.S. Foreign Intelligence Surveillance (FISA) Court, where only the government is represented and whose opinions are not published, is “not what we usually think of when we think of a court”.
U.S. commentators also seem not to realize that for Europeans, PRISM and other U.S. surveillance programs are conducted by a foreign country. Having electronic communications surreptitiously surveilled by your own government is worrying enough; having it done by a foreign country, even a friendly one, is particularly troubling (indeed, the U.S. has been vocal in objecting to alleged electronic surveillance by other countries).
According to reports in the German press, the NSA stores data from 500 million telephone calls, e-mails, text messages and chat transcripts per month in Germany alone, a number approximately six times the entire German population. How would Americans react if the roles were reversed and a powerful foreign nation was conducting surveillance of their communications on such a scale?
Just as Americans are worried about protectionism in Europe, Europeans are concerned about the use of surveillance by the U.S. for economic espionage. As early as 2000, former CIA Director James Woolsey strongly hinted that U.S. surveillance of electronic communications may be used for economic espionage purposes, which was confirmed in a 2001 report by the European Parliament.
This transatlantic war of words has led to increasing legal uncertainty for companies. EU Commission Vice-President Viviane Reding recently stated that the Safe Harbor “may not be so safe after all”, and both the Safe Harbor and the EU standard contractual clauses are likely to receive increased scrutiny from DPAs. Savvy companies should consider moving to binding corporate rules (BCRs) to provide a stronger legal basis for their data transfers from the EU.
Both the U.S. and the EU need to break out of their parallel universes and find some common ground in order to better understand each other’s positions and avoid a political meltdown.
Europeans should refrain from precipitous, unilateral actions that seem legally questionable, like that of the German DPAs. The EU Safe Harbor Decision allows DPAs to restrict data flows to particular Safe Harbor members under certain conditions, but refusing to allow transfers to all member companies in effect constitutes a determination that the level of data protection in the U.S. is inadequate, which is the sole prerogative of the European Commission.
Europeans also need to investigate the extent to which their own governments are involved in and profit from U.S. intelligence-gathering and data-sharing practices before they put sole blame on the US.
For their part, Americans should recognize that for the most part European concerns arise not from protectionism, but from understandable worries about U.S. intelligence-gathering practices. They also need to ask hard questions about whether it is really necessary for the U.S. national security establishment to collect so much data and whether oversight mechanisms under U.S. law should be strengthened.
Misunderstandings and paranoia thrive in an atmosphere of excessive secrecy, and both sides need to increase transparency about their intelligence-gathering and intelligence-sharing activities, ideally including some sort of independent verification. It is impossible to evaluate the legality of the practices at issue when so many important facts remain in dispute.
Unfortunately, I suspect that both sides lack the will to take actions like these that would require considerable political courage, and so the transatlantic fallout is likely to continue.
About the Author
Christopher Kuner is Senior of Counsel in the Brussels office of Wilson, Sonsini, Goodrich & Rosati and is Honorary Fellow of the Centre for European Legal Studies, University of Cambridge, where he also teaches. His books European Data Protection Law: Corporate Compliance and Regulation (2007) and Transborder Data Flows and Data Privacy Law (2013) are both published by Oxford University Press. He is editor-in-chief of the journal International Data Privacy Law and co-chair of the Task Force on Privacy and Data Protection of the International Chamber of Commerce and has 20 years’ experience working in EU data protection law. He holds a PhD in data protection law from Tilburg University (the Netherlands), and law degrees from New York University and Notre Dame Law School.