Privacy's new clothes
Timothy Edgar suggests that the new Privacy Shield set replace the US-European Union Safe Harbour framework, is no shield at all and will not protect the privacy of European data held in the US.
Timothy Edgar, academic director, law and policy, executive master in cyber-security, Brown University
Last month, the European Commission and the United States announced what officials described as a 'Privacy Shield' for transatlantic transfers of personal data to address concerns about NSA surveillance. To believe that the Privacy Shield will protect privacy requires a powerful imagination. The arrangement will be as effective in shielding personal data from the prying eyes of US intelligence agencies as the Emperor's new clothes were in concealing his naked body.
Promises from the European Commission and the US Department of Commerce of new protections for personal data, including a State Department 'ombudsman' to address complaints of unjustified spying, do not stand up to scrutiny. While the 'Privacy Shield' arrangement is embodied in lengthy legal documents, one looks in vain for the substance of the new privacy commitments. This is not surprising. Intelligence officials cannot alter US surveillance law – only Congress can do that.
The Privacy Shield is intended as a replacement for the US-European Union 'Safe Harbour' framework. Safe Harbour allowed more than 4,000 companies to transfer personal data belonging to EU citizens into the United States without fear they would run afoul of European privacy rules. In October 2015, the Court of Justice of the European Union struck down Safe Harbour. The court's decision was a result of revelations about NSA spying. According to the court, the NSA's broad access to personal data inside the United States, and the inability of Europeans to challenge the use of their data, rendered hollow whatever promises companies made to respect privacy.
The Privacy Shield gives lip service to concerns about NSA surveillance. Robert Litt, the top lawyer for the US intelligence community, has provided Europeans with a written description of “the multiple layers of constitutional, statutory, and policy safeguards that apply” to intelligence operations. To be sure, there is some value in documenting the privacy safeguards required by US law, which have been tightened in response to the NSA controversy. Europeans have not given due credit to the oversight to which the NSA is subject, including judicial review.
Most European countries have much weaker rules. French aristocrat François de la Rochefoucauld once said, “Hypocrisy is the tribute that vice pays to virtue.” There is considerable hypocrisy in European criticism of American surveillance practices. The hypocrisy is only getting more stark as Europe's governments adopt ever more sweeping surveillance powers themselves.
Still, it is hard to see how a description of how US law limits surveillance will satisfy the broader objections of the European Court. The European Court of Justice urged narrow standards for intelligence surveillance in its decision striking down Safe Harbour. According to the court, European law requires an 'objective criterion' for intelligence collection, one that is 'based on considerations of national security or the prevention of crime . . .' With all its safeguards, US law still permits access to data about foreign citizens on a much broader standard of 'foreign intelligence,' which includes not only terrorism and other national security threats, but any information relating to US foreign affairs. The US has not restricted intelligence collection to genuine security threats, as a fair reading of the decision of the Court of Justice would appear to require. In any event, for such a promise to be genuinely binding, it would need to be written into US law.
The European court also objected to the lack of meaningful redress for victims of unlawful surveillance. The Privacy Shield promises 'several redress possibilities,' but the only one that responds to the court's concerns is a new ombudsperson in the US Department of State. The ombudsperson will hear European complaints, but is unlikely to offer real redress.
US law makes it quite difficult to obtain redress for intelligence surveillance. Congress is considering a law that could extend the Privacy Act to EU citizens – the Judicial Redress Act. It would do nothing to modify existing exemptions for the NSA and other intelligence agencies. Constitutional challenges to intelligence surveillance also face major obstacles. Secrecy makes it difficult, if not impossible, for people who suspect they are under surveillance to have a real day in court.
Hans Christian Anderson's tale of the Emperor's new clothes delights children because it skewers adults for their limitless capacity to indulge in pretence. When the truth embarrasses the powerful or upsets the status quo, Anderson is saying, we can convince ourselves of anything.
Reforming government surveillance requires difficult trade-offs. The United States and Europe have strong interests in pretending an arrangement that ignores these trade offs has substance when it does not. We should summon our inner child and state the obvious: the Privacy Shield is simply not there!
Contributed by Timothy Edgar, academic director, law and policy, executive master in cyber-security, Brown University