HL Chronicle of Data Protection Privacy & Information Security News & Trends
Posted in Consumer Privacy, International/EU Privacy

Hogan Lovells Column in Law360 on Post-Snowden Fallout in the EU and Its Impact on US Privacy Relations

The following piece, written by Hogan Lovells privacy director Christopher Wolf, was published on August 30th by Law 360 and is available in the Law 360 Privacy Section (subscription required). The article is reprinted in its entirety below with permission of the publication.

Post-Snowden Fallout Shouldn’t Cripple EU-US Safe Harbor

The bromide that people in glass houses should not throw stones comes to mind when one hears European Union authorities criticizing the U.S. privacy framework as a whole because of the recent National Security Agency revelations.

Earlier this summer, EU Vice-President Viviane Reding called EU data protection reform “the answer to PRISM [one of the Snowden NSA disclosures]” and called PRISM a “wake-up call.” Reding said that the EU-U.S. safe harbor “may not be so safe after all” and warned that the commission will present a “solid assessment” of the safe harbor by the end of the year, ominously suggesting the withdrawal of the adequacy finding for the safe harbor (which is required under EU law for it to remain in effect).

Also this summer, the Conference of German Federal and State Data Protection Commissioners said they would consider suspending data transfers using safe harbor and model contract clauses. And just a few weeks ago, Jacob Kohnstamm, chairman of the Article 29 Working Party of Data Protection Authorities, published a letter containing a series of rhetorical questions asking how U.S. participants in the safe harbor simultaneously can comply with U.S. government requests for data under the USA PATRIOT Act and the Foreign Intelligence Surveillance Act and also satisfy the conditions of the EU-U.S. safe harbor agreement.

Kohnstamm acknowledged that the safe harbor contains a limitation for adherence to the principles “to the extent necessary to meet national security […] requirements,” but he also stated that the Article 29 Working Party has doubts about whether the “seemingly large-scale and structural surveillance of personal data that has now emerged can still be considered an exception strictly limited to the extent necessary.”

Kohnstamm appeared to give EU member states license to ignore the safe harbor now, noting that member states may suspend data flows under Article 3.1 (b) of the commission decision on the safe harbor principles “in cases where there is a substantial likelihood that the principles are being violated and where the continuing transfer would create an imminent risk of grave harm to data subjects.”

It is startling to see the Europeans use the NSA news as a springboard for passage of the previously mired-down proposal for an EU Data Protection Regulation by contending it is needed to keep Americans in check, and to see them threaten withdrawal of the long-existing EU-U.S. safe harbor agreement—presumably to replace it with a more rigid transfer mechanism or to keep data balkanized at home in the EU.

Europeans would be well-advised to consider the degree and scope of national security access in their own countries, as well as the privacy protections in place, before reflexively attacking the American privacy framework as a whole because of the NSA news.

In France, for example, no courts are involved in interceptions under its national security access-to-information law, and the interceptions are kept secret. The requests for interception are presented to the prime minister’s office, which grants the authorization. The authorizations later are presented to a special security commission that can evaluate the justification for the warrant and inform the prime minister of any concerns. The commission is comprised of three persons: one named by the French president upon recommendation by the French Conseil d’Etat and the Cour de Cassation, one member of the National Assembly and one member of the Senate. The commission provides an annual report to the French Parliament.

The French law is comparable to FISA in that it provides the government with broad authority to acquire data from phone and Internet providers for national security reasons. Unlike FISA, however, the French law does not involve a court in the process; instead, it involves only an independent committee that can merely recommend modifications to the executive. In addition, France’s law is broader than FISA in that it permits interceptions to protect France’s “economic and scientific potential,” a justification that is lacking in FISA.

In Germany, the Federal Office of Criminal Investigation, the Bundeskriminalamt (BKA), has broad authority in investigations that concern national security or terrorism. For example, the BKA is permitted to use a computer virus, the so-called Bundestrojaner, or “Federal Trojan,” to search IT systems, monitor ongoing communications and collect communication traffic data without the knowledge of data subjects or service providers. While the BKA must obtain a court order to use the Federal Trojan, service providers are not aware of its deployment, as compared to FISA, through which service providers receive notice of and are given an opportunity to contest acquisition orders handed down by the FISC.

In the U.K., interception warrants relating to foreign intelligence are generally issued by the foreign secretary. Although a warrant issued under these provisions must be “proportionate” to the intended purpose, the courts play no role in the authorization or review of these interceptions, as they do in the United States. Moreover, while there is an Investigatory Powers Tribunal, composed of nine senior members of the legal profession, that hears complaints under the surveillance law, the absence of a requirement to provide after-the-fact notification to those who have been placed under surveillance suggests that many who might have cause to bring claims to the tribunal will not in practice do so.

While considering their own national security and privacy frameworks, EU officials should take note of the fact that here at home, we are taking the NSA revelations seriously. There have been concrete steps taken to address privacy issues implicated by the Snowden revelations, from declassification of FISA Court opinions (showing that it is far from a “rubber stamp”) to the creation of new advisory groups and the reinvigoration of the Privacy and Civil Liberties Oversight Board, as well as proposals for limiting the scope of NSA surveillance. Moreover, according to recently released NSA analysis of its information-gathering, it appears that given the volume of traffic the NSA “touches” and the limited traffic actually reviewed, only 0.00004 percent of Internet traffic actually is reviewed. Europeans are not significantly at risk of privacy violations because of NSA surveillance.

Still, EU privacy officials are unrestrained in their attacks on U.S. national security practices, even though those same officials rarely if ever criticize the national security access situation in the EU, nor do they have jurisdiction to do so under current or proposed EU law. You don’t see U.S. privacy officials from the Federal Trade Commission and state attorneys general offices critique EU national security access to data. That is not part of their remit. Indeed, the American focus has been on building bridges and finding common ground with the Europeans. The buzzword on the U.S. side has been “interoperability,” shorthand for finding ways for the EU and U.S. frameworks (both built on the same Fair Information Practice Principles) to mesh.

It is time for the Europeans to come back to the interoperability discussions and to stop using the NSA revelations as a wedge. Not because their glass house might be attacked retaliatorily—but because it is the right thing to do, for the sake of international commerce and the development of a durable cross-border framework to protect personal privacy based on common principles.