The US privacy framework is under attack from officials in the EU following revelations about NSA surveillance. Yesterday, US Department of Commerce General Counsel Cameron Kerry delivered his valedictory address before his departure from his position next week, and focused both on the progress made by the Obama Administration in privacy and offered the strongest push-back to date on the attacks leveled against the US framework from the EU, including threats to nullify the EU-US Safe Harbor Agreement.
Mr. Kerry was direct in stating that the US approach to privacy achieves privacy practices outcomes that are comparable to those in the EU; he emphasized that “[p]rivacy is deeply embedded in American values and laws and the United States is the source of many of the privacy principles that underlie modern privacy regimes around the globe”:
[T]he United States has developed a strong privacy system, building on robust protection in sectors with significant privacy concerns like financial and healthcare information and for vulnerable groups like children, and active enforcement by the FTC and state attorneys general to protect consumers from unfair and deceptive trade practices and data breach laws in most states. This approach seeks to achieve benefits like those in other jurisdictions, most notably Europe, and achieves outcomes – privacy practices – that are comparable.
On the criticisms about US privacy based on NSA surveillance, Mr. Kerry said:
I do not take European concerns about privacy protection lightly….[But] [i]f we are going to have a discussion about the United States, let’s also look at how other countries compare. How many other countries have an independent Privacy and Civil Liberties Oversight Board to review their intelligence-gathering? How many other countries have Privacy and Civil Liberties Officers within their intelligence and law enforcement agencies? How many other countries subject their intelligence-gathering to audits? How many other countries have a body like the FISA Court that supervises some form of foreign intelligence collection directed at citizens of other countries?
Related to this is the White Paper published by Hogan Lovells in May of this year on national security access to data in multiple jurisdictions, and the due process protections offered. In his speech yesterday, Mr. Kerry expressly mentioned a more recent Hogan Lovells White Paper on law enforcement access to data:
A White Paper released yesterday by the Hogan Lovells law firm analyzed the published transparency reports of companies that have received government requests for information and found that, taking into account differences in population and Internet usage, “the U.S. government requests information from these providers at a rate comparable to – and sometimes lower than – that in other countries, including many European Union member states.”
The Commerce General Counsel also put the surveillance issues in context with respect to the privacy framework generally:
The issues relating to surveillance are part of a broader discussion about global norms online. Most trade agreements carve out actions taken to further the national security of the parties and both the 1995 European Privacy Directive and draft Regulation include exemptions for national security data processing activities. The United States does not use its intelligence capabilities to repress citizens of any country because of their political, religious, or other beliefs. It does not use intelligence capabilities to steal trade secrets of foreign companies and enable our companies to compete unfairly in the global marketplace.
With respect to the Safe Harbor, which he described as the “fundamental building block of the trade relationship” between the EU and US, Mr. Kerry said that “[a]ny step back from Safe Harbor would send the trading relationship between the U.S. and the EU backward, just as the U.S. and Europe are trying to find common ground toward reducing regulatory barriers and increasing regulatory cooperation.
Finally, Mr. Kerry called for a cooling of the heated rhetoric:
As this discussion continues, I hope that heated and disproportionate rhetoric, protectionism, and politics will not crowd out a thoughtful discussion of evolving norms. We cannot let that vital debate devolve into mutual recriminations that undermine the free flow of information over global communications networks and technology that are bringing extraordinary progress to economies, societies, and freedom around the globe.
It would be a sad outcome of the surveillance disclosures if they led to an approach to Internet policy making and governance in which countries became a series of walled gardens with governments holding the keys to locked gates. But that is where we will end up if all data has to stay on servers located in the nation in which a citizen lives or where a device is located. The digital world does not need another Great Firewall – in Europe or anywhere else.
Today, a Hogan Lovells piece appearing in the IAPP Privacy Perspectives makes a similar plea for a cease fire in the war of words launched from the EU:
As the EU Data Protection Regulation reaches the final stages of its consideration by lawmakers, and as the Transatlantic Trade and Investment Partnership negotiations get underway in earnest (where cross-border data flows will be a focus), rhetorical bombs about the primacy of EU privacy and the inferiority of the U.S. framework need to go back to the bunker. And if some of the overheated rhetoric is to be believed, cross-border data flows soon may be thrown into chaos by unilateral EU suspension of long-established mechanisms. Such precipitous action would be disruptive and harmful for citizens, and would be a huge setback in transatlantic cooperation.