The Brussels and Warsaw Privacy Peace Talks
Next month, FTC Commissioner Julie Brill and Danny Sepulveda, Deputy Assistant Secretary of State, will travel to Brussels to discuss privacy with EU officials. Later in the month, Poland will host the 35th Conference of Data Protection and Privacy Commissioners, a meeting that will be attended by privacy officials and stakeholders from around the world. Both gatherings provide an opportunity to declare a cease fire in the war of words—a war in which most of the “incoming” has originated on the European side of the Atlantic in the wake of the Snowden NSA revelations, and a war that threatens progress in international cooperation on privacy.
As the EU Data Protection Regulation reaches the final stages of its consideration by lawmakers, and as the Transatlantic Trade and Investment Partnership negotiations get underway in earnest (where cross-border data flows will be a focus), rhetorical bombs about the primacy of EU privacy and the inferiority of the U.S. framework need to go back to the bunker. And if some of the overheated rhetoric is to be believed, cross-border data flows soon may be thrown into chaos by unilateral EU suspension of long-established mechanisms. Such precipitous action would be disruptive and harmful for citizens, and would be a huge setback in transatlantic cooperation.
The war of words has escalated over the summer. Indeed, some in Europe are threatening the privacy equivalent of the “nuclear option”—the withdrawal of the adequacy finding for transfers of personal data pursuant to the EU-U.S. Safe Harbor.
On July 19, EU Vice-President Viviane Reding called EU data protection reform “the answer to PRISM [one of the Snowden NSA disclosures]” and called PRISM a “wake-up call.” Ms. Reding said that the EU-US Safe Harbor “may not be so safe after all” and warned that the Commission will present a “solid assessment” of the Safe Harbor by the end of the year, ominously suggesting the withdrawal of an adequacy finding for the Safe Harbor (required under EU law for it to remain in effect).
On July 24, the Conference of German Federal and State Data Protection Commissioners said they would examine whether to suspend data transfers using the Safe Harbor and model contract clauses.
To similar effect, on August 13, Jacob Kohnstamm, Chairman of the Article 29 Working Party of Data Protection Authorities, published a letter containing a series of rhetorical questions asking how U.S. participants in Safe Harbor simultaneously can comply with U.S. government requests for data under the USA PATRIOT Act and the Foreign Intelligence Surveillance Act and also satisfy the conditions of the EU-U.S. Safe Harbor Agreement. Although Mr. Kohnstamm acknowledged that the Safe Harbor contains a limitation for adherence to the Principles "to the extent necessary to meet national security […] requirements," he also stated that the Article 29 Working Party has doubts about whether the “seemingly large-scale and structural surveillance of personal data that has now emerged can still be considered an exception strictly limited to the extent necessary.”
Mr. Kohnstamm appeared to give EU Member States license to ignore the Safe Harbor now, noting that Member States may suspend data flows under Article 3.1 (b) of the Commission Decision on the Safe Harbor principles “in cases where there is a substantial likelihood that the Principles are being violated and where the continuing transfer would create an imminent risk of grave harm to data subjects.”
At the recent Aspen Conference of the Technology Policy Institute on August 19 and 20, Commissioner Brill observed that “before these revelations about government collection of data here in the United States, we’d received assurances from [EU officials] that the Safe Harbor would remain largely the same as it is when the proposed regulation goes through. I don’t think it can be overemphasized that things have changed.”
The Commissioner also observed that there is much on which the EU and U.S. agree with respect to the evolution of privacy protections in the face of technological advances, from consumer control to increased transparency to data accuracy to the protection of children, and including “Privacy by Design.” FTC Chairwoman Edith Ramirez gave a speech at the Aspen Conference that detailed the broad FTC privacy agenda, an agenda that parallels in many ways the work on the EU side of the Atlantic.
Despite the differences in the EU and U.S. frameworks, there is indeed much common ground and prospects for greater interoperability. There also is substantial evidence that the Safe Harbor is an effective tool for the protection of data transferred from the EU to the US, and that participants obey its principles. The prospects for greater cooperation on privacy will be severely jeopardized if the Europeans seize on the NSA surveillance issue as a lever to try to impose their singular approach to the protection of privacy on the US. Such an approach completely ignores the fact that national security access to data held by third parties in the EU is, in many places and in many ways, unchecked and itself a threat to the privacy of EU individuals.
National security access to data is not a trivial issue, and steps are being taken in the U.S. to address the privacy issues. The recent disclosure of a FISA Court opinion reining in the NSA actually shows the effectiveness of the oversight framework in the United States. President Obama has proposed a series of improvements in NSA oversight and privacy advocacy. The Privacy and Civil Liberties Oversight Board actively is engaged on the issue. Suffice it to say that pressure, rhetorical or otherwise, from EU DPAs on commercial transfers of data, or to toughen the rules affecting U.S. businesses operating in Europe, will have little impact on U.S. national security operations. Similarly, the opinions of FTC Commissioners on EU national security activities probably would be to no avail, even if they were in the habit of offering such opinions — which they are not, as the FTC officials stay within their remit and do not provide opinions on other countries' national security practices (unlike their European counterparts).
The focus, therefore, should be on how U.S. and EU privacy officials, and stakeholders, can productively address the many current and looming commercial privacy issues. A war of words and threats to disrupt agreed-upon mechanisms are not constructive. To the contrary, they could well cause a setback in international privacy advances. It is time for a cease fire, and let’s hope for privacy peace talks in Brussels and Warsaw.
About the Author
Christopher Wolf leads the global privacy practice at Hogan Lovells US LLP and has practiced privacy law since the earliest days of the discipline. Wolf also is the founder and chair of the Future of Privacy Forum. He was the editor and lead author of the first PLI treatise on privacy law and is a frequent author and speaker on privacy and data security issues. Wolf was the first privacy lawyer to testify before the Senate Judiciary Privacy Subcommittee and is a member of a group advising the OECD on the OECD privacy guidelines.
Wolf is a cum laude graduate of Bowdoin College and graduated magna cum laude Order of the Coif from the Washington & Lee University School of Law. He participated in the general course at the London School of Economics. Following law school, he clerked for U.S. District Judge Aubrey E. Robinson Jr. in Washington, DC. He has practiced law for 32 years. Wolf is active in charitable organizations and serves on the boards of the Anti-Defamation League, WETA Public Broadcasting, Food & Friends (a social services agency), the George Washington University Hospital and Young Concert Artists.