Many privacy advocates cheered when Europe’s chief data protection watchdog rejected a proposed framework for allowing companies such as Facebook and Google to transfer Europeans' personal data to the US.
Transferring that data without additional protections renders it too vulnerable to US intelligence surveillance, Data Protection Supervisor Giovanni Buttarelli concluded last week in his formal opinion about the pending data agreement known as Privacy Shield.
Mr. Buttarelli’s disapproval – like the European Court of Justice’s earlier decision scrapping the preexisting US-EU privacy arrangement called Safe Harbor – reinforces a widespread belief that European countries are tough, and the US is lax when it comes to protecting personal privacy.
America’s failure to pass comprehensive privacy laws and Edward Snowden's revelations of unchecked National Security Agency surveillance have fueled this belief. For many, the US is a privacy pariah. The lack of a permanent data transfer framework is a blow to American companies – who’ve been portrayed as uniformly complicit in government surveillance activities – placing them at a strategic disadvantage worldwide.
We applaud Buttarelli for sending a strong message that privacy rules governing corporations and meaningful limits on government surveillance are paramount for any new data transfer agreement to work. But, more significantly, he's right that these are necessary to uphold Europe's fundamental human rights commitments.
Although his opinion puts the US in the hot seat to craft an agreement that will satisfy Europeans, it also recognizes that the issue of government surveillance is both an American and European problem. Rather than providing a rationale for limiting data transfers to the US, these concerns should prompt further privacy reforms on both sides of the Atlantic.
European privacy fallacy
Focusing only on the US would indulge two widespread fallacies about the relative levels of privacy protection in the US and the EU. Action based on these flawed ideas will increase rather than decrease the risks to personal privacy.
The first fallacy is that Europe uniformly better protects its citizens against intrusive government surveillance. It’s true that US intelligence agencies misused existing legal authorities, and both Congress and the special court that oversees foreign intelligence surveillance failed to stop it. But at least the US has a system of court oversight – which has started to make its decisions more public – and surveillance happens pursuant to publicly available laws.
By contrast, the EU’s sweeping new Data Protection Regulation, approved in April, does not limit government access to personal information for law enforcement or national security purposes. Country-specific data protection laws in Europe often exclude law enforcement and national security from their provisions. A 2014 study found that many EU countries do not require court orders to access personal information in cases involving national security or foreign intelligence.
This lack of oversight has permitted widespread public surveillance. The practice of "upstreaming", which is intercepting all communications as they pass through major communication channels such as fiber optic cable, is a widely used surveillance tactic in several EU member countries. Britain's program, reported The Guardian, "produces larger amounts of metadata collection than the NSA."
Legislative efforts across Europe, moreover, seek to expand government surveillance powers, with less oversight. France has enacted a law permitting sweeping surveillance with few controls. An expansive British proposal – dubbed the "snooper's charter" by critics – is before Parliament. Recent changes to Poland’s newly amended Police Act allow authorities to access metadata without court approval. And the Hungarian government is seeking to criminalize communications service providers’ use of encryption-based applications or software, and require Internet service providers to build back doors to allow government access.
The second fallacy concerns the superiority of privacy protection accorded by the European regime. It’s true that Europe’s formal laws are more comprehensive, detailed, and generally more restrictive while the US has a patchwork of sector-specific legislation. But is the US truly a global laggard in protecting personal privacy?
Where the US gets it right
Our recent research comparing privacy protection in the US and four EU countries suggests not. Our five-year study – the first of its kind – goes inside corporations to examine how the people charged with protecting privacy actually do their work, and what kinds of regulation effectively shape their behavior. And the research yields a surprising result. The countries with more ambiguous regulation tied to dynamic agency enforcement – Germany and the US – had the strongest corporate privacy management practices. Corporations in more rule-bound countries such as France and Spain tended to comply formalistically with the law rather than to embed strong privacy practices in their business operations.
The US system has produced more meaningful corporate structures and processes for protecting privacy than we found in most European countries, except Germany. European privacy regimes generally emphasize compliance with detailed outside rules. This appears to reduce corporate investment in developing strong, internal corporate privacy leadership, practices and processes. Through corporate privacy officers who are influenced by outside privacy advocates and professional associations and sensitive to protecting the company’s public reputation, and through active enforcement, American companies are often better at institutionalizing robust privacy practices.
US corporations, moreover, have demonstrated a willingness to protect user privacy against overreaching state action. Whether it is Yahoo’s 2007-2008 challenge to US surveillance laws in the secret Foreign Intelligence Surveillance Court – the final tranche of documents related to which was recently released – or Apple’s recent challenge to the US government’s attempt to require corporate hacking that undermines customer privacy, this sort of corporate privacy leadership has proven particularly important given the trends towards greater surveillance globally.
Firms worldwide must develop this sort of moral compass if privacy is to survive the expansion of state surveillance authorities occurring in the EU. The US privacy regime, while weaker on paper in important ways, has cultivated privacy leadership within firms, and a privacy consciousness in the US population.
This isn’t to say that US privacy protection doesn’t need improvement. It surely does. While practices in the large firms we studied were robust, the lack of clear rules can make privacy a thorny, and potentially expensive, issue for start-ups. More importantly, individuals need robust privacy protections across the whole economy more today than at any point in history. We hope that the next Congress will enact privacy laws to provide them.
Yet the European Court of Justice has framed the central question as whether a country offers essentially equivalent protections, focusing on intelligence surveillance. If we truly care about privacy, this assessment demands an inquiry into practices on the ground, not words on paper.
Currently, neither legal regime offers the privacy protection global citizens deserve. As American and European regulators reengage to respond to Buttarelli’s opinion, they have their work cut out for them. We need privacy reforms on both sides of the Atlantic.
In the meantime, we’d rather that our data and communications reside in the US, subject to publicly available legal frameworks, judicial oversight, and a strong tradition of civil society watchdogs, and where the corporate community, while imperfect, has shown an increasing appetite for challenging government demands for personal data.
Kenneth A. Bamberger is the Rosalinde and Arthur Gilbert Foundation Professor of Law at the University of California, Berkeley, and Deirdre K. Mulligan is associate professor at the School of Information at the University of California, Berkeley. They are both faculty directors of the Berkeley Center for Law and Technology. Their recent book, "Privacy on the Ground: Driving Corporate Behavior in the United States and Europe," was published in November by MIT Press.