I accept the terms and privacy policy. The instant that my browser connected to a wifi network in London, I mindlessly proceeded to check this box as I had done countless times before. What could be so different between my consent to a privacy policy in the Harvard Square Starbucks and in London’s Heathrow Airport? A lot in fact. Protection of individual privacy in the United States and Europe are very different. Contrary to popular belief, physical location still matters with respect to the Internet. “The cloud” is often portrayed as an extra-geographical space, but data follows unique laws in distinct parts of the world.
Put simply, the major difference between the European Union and the United States is that privacy takes precedence in European law. This precedence was reaffirmed in October 2015 when the European Court of Justice decided Maximillian Schrems v. Data Protection Commissioner. Schrems, an Austrian privacy activist, filed a complaint that the laws of the United States did not adequately protect the privacy of his data on Facebook against American authorities. The European Court of Justice agreed with Schrems and invalidated the Safe Harbor framework that had been established to govern data transfers between the United States and the EU for the previous 15 years. The ruling illuminates the growing discrepancies in individual privacy between the two regions and the resulting challenges in cross-continental data regulation.
Continental Discrepancies
The overturned Safe Harbor privacy principles allowed American businesses to move data from the EU to the United States and self-certify that the data would be protected according to European privacy principles. But in light of the admissions of Edward Snowden against the National Security Agency, this self-certification process came under scrutiny, and many began to fear that data transferred to U.S. businesses was insufficiently protected against national surveillance. Now, American officials will have to craft updated privacy laws that adequately protect EU citizens against privacy violations.
The invalidation of Safe Harbor arose from a mounting concern in the EU regarding unbridled American surveillance. Due to events of the previous decade—from 9/11 to Charlie Hebdo—today’s legislators face the challenge of balancing individual privacy with national security. The Patriot Act of 2001 gave U.S. surveillance agencies access to virtually uninhibited data about Americans. And although the Freedom Act of 2015 prevented these surveillance agencies from gaining access to the data without permission from a federal court, many activists in the United States and Europe remain unsatisfied.
The historical precedent for the deep-rooted respect of citizen privacy in the EU can be traced back to the Organization of Economic Cooperation and Development guidelines on the protection of privacy and trans-border flows of personal data in 1980. The principles, which were updated in 2013, include collection limitation, purpose specification, use limitation, security safeguards, and accountability. These guidelines still form the foundation by which all OECD participating nations evaluate any piece of data and its privacy. In 1995, the EU instituted the Data Protection Directive, which sought to safeguard these principles via the empowerment of data protection commissioners—public servants tasked with monitoring compliance with data protection legislation. Schrems was able to bring his suit against Facebook through such a commissioner. Though the original intent of the OECD principles was to protect accidental disclosure or loss of data, their interpretation has now expanded to include protection against the purposeful disclosure of personal information.
But what is the nature of privacy in the United States? In the EU, privacy is recognized as a fundamental right. In the United States, it is treated as secondary in importance. The most current legislation in the United States that safeguards privacy is from 1974 and thus understandably outdated. The Privacy Act “[established] a code of fair information practices that governs the collection, maintenance, use, and dissemination of information about individuals that is maintained in systems of records by federal agencies.” But the protections that the act provided proved to be clearly insufficient after the Snowden leaks. There are several key exceptions to the data collection provisions, including dissemination of information for “law enforcement purposes.” Additionally, according to the Electronic Privacy Information Center, a routine exception “[allows] government agencies to disclose individually identifiable information simply by stating their plans to disclose that type of information.”
The right to privacy in the United States is abstracted as a right from the Fourth and 14th Amendments. There is nothing in the Constitution that explicitly grants the right to privacy, especially not in the digital world. However, many Americans do care about their privacy. According to a Pew research study published in March 2015, 93 percent of American adults said that being in control of who can get information about them is important. It is increasingly clear that the United States needs to update the American model of privacy safeguards to reflect public opinion.
In an interview with HPR, President Marc Rotenberg of the Electronic Privacy Information Center added that “The European model is the U.S. model. The problem is that we have not updated U.S. privacy law in many years. That is why there is an increasing divide between legal safeguards.” In other words, citizens from both regions desire similar safeguards for their privacy. European law has reflected that desire while American law has not. Bridging the gap is thus the necessary next step.
Bridging the Gap
It is becoming increasingly important to have shared data policies across regions. Not only would this lessen confusion between states, but it would also increase the effectiveness of digital policy. For instance, one new policy on electronic data that was recognized by EU authorities in 2006 is the right to be forgotten, which requires companies like Google to remove links to posts about EU citizens if they deem them to be “inadequate” or “irrelevant.” But no such protection exists across the Atlantic, and guaranteeing the right to be forgotten in the EU becomes a moot point if the same data can show up in the United States. As Brad Smith, the President and Chief Legal Officer of Microsoft put it in his most recent press release, it is time that “new laws adapted to a new technological world.” With data untied to any physical location, the laws governing said data must be similarly expansive. The invalidation of Safe Harbor in the Schrems case was a response to the ineffectiveness of American authorities in safeguarding citizen privacy with outdated privacy laws. In an interview with the HPR, Center for Digital Democracy Executive Director Jeff Chester commented: “the decision underscored how important privacy is as a right. The end of Safe Harbor was a long time coming. It was supposed to be a temporary program but the self-certification process never had any effective enforcement.”
U.S. NGOs and the EU have made clear recommendations for an enhanced Safe Harbor agreement. Among the suggestions is the termination of self-certification so that authorities are able to ensure that companies adhere to privacy guidelines. More general policies towards stronger encryption and the end of mass surveillance are discussed. Finally, in order to evaluate the progress towards goals of citizen privacy, the NGOs recommend an annual summit with full participation from both the EU and United States. However, according to Rotenberg, a commitment will have to come from Capitol Hill. “We are looking for changes in U.S. law. That can’t be accomplished in a negotiation with the Department of Commerce or the Federal Trade Commission. It needs to be accomplished in the U.S. legislative process.”
At the moment, the EU Commissioner for Justice Vera Jourova and U.S. legislators are deciding what Safe Harbor 2.0 will look like. Their decisions will play an important role in how data is treated. As Director Chester put it, “Privacy is a right. The new Safe Harbor should create clearly established limits on what companies can do in terms of data profiling and data trafficking. In Europe the individual is in control, and in the [United States] companies are in control.”
Image Source: Pixbay/geralt