Battle over spying versus legitimate data transfer heats up in Congress

On Data Protection Day, members of the Senate Judiciary Committee voted 19-1 in favor of the Judicial Redress Act, which would extend to European citizens the right to sue particular US government agencies if their electronic data is mishandled in a law enforcement investigation. The bill points to distinction between data rights in the US and Europe.

As negotiators from the US and the European Union work to forge a new deal on the movement of electronic data across the Atlantic, US lawmakers took a more decisive step on Thursday to assert control over a related provision that would allow European citizens to sue in US courts if their data — such as social media postings — is mishandled in an international law enforcement investigation.

In October, the European Court of Justice struck down the 15-year-old Safe Harbor data transfer agreement, used by thousands of US companies, amid concerns about how the act could be used to further US government surveillance programs.

In the wake of that decision, originally filed against Facebook’s European arm in Ireland, attention has shifted to several related proposals to restore cooperation between the two regions.

Lawmakers and tech companies have particularly focused on the Judicial Redress Act, which extends the right to sue for data misuse — currently provided to US citizens under European law — to European citizens in US courts. It isn't seen as essential to renegotiating the Safe Harbor pact, but European regulators have said passing the bill would be significant as a sign of good faith.

“From an industry perspective we’ve been supportive of it, I think it is sort of a brick in the wall to rebuild trust across the Atlantic from the Internet user’s perspective, not so much from the political [angle],” said Bijan Madhani, public policy and regulatory counsel at the Computer and Communications Industry Association, a trade group that includes Google, Facebook and Microsoft, at a conference in Washington earlier this week.

On Thursday, which is Data Privacy Day in the US, known as Data Protection Day in Europe, lawmakers from the Senate Judiciary Committee voted 19-1 in favor of the bill. The committee will also hold hearings on two of the surveillance programs disclosed by former NSA contractor Edward Snowden next week.

The bipartisan group — which includes presidential candidate Ted Cruz, who was not present at the meeting — also accepted an amendment to allow the US Attorney General to limit the right to sue to only citizens of countries that were participating in an international data-sharing deal such as Safe Harbor.

“The Obama administration believed it needed to make concessions in order to share law enforcement info with the European Union,” said Sen. John Cornyn (R) of Texas, who proposed the amendment. “Today, when Europe and the United States face common threats like radical Islamic terrorism, sharing law enforcement information should be a matter of common interest, period. We shouldn’t have to barter for it."

But citizens could also see those rights to sue revoked if a country “impedes” the transfer of information related to criminal conduct of a person or private company, according to a draft of the amendment.

Privacy groups have expressed concerns that the bill — which allows the Attorney General to set which agencies are covered — doesn’t provide sufficient safeguards for European citizens concerned about how their data could be used.

The Electronic Privacy Information Center has been pushing lawmakers to delay consideration of the bill until regulators make public the larger “umbrella agreement” between the US and Europe that would further define how the two sides share information.

On Tuesday, the group said, the Justice Department responded to its public records request, revealing a draft of the agreement for the first time.

Privacy groups also point to distinctions between US and European law – which has traditionally held privacy protection, including for electronic communication – as an fundamental human right.

That’s even reflected in the naming conventions for Thursday’s celebration, which was first proposed in Europe in 2006.

“The idea of ‘celebrating’  the expansion of an individual's right to include his or her data is a radically European idea. The notion that government – specifically, the EU – should do something about enforcing that right is also deeply European,” writes Jim Kinsella, a former Microsoft executive who founded a European cloud data storage firm called Zettabox, in a blog post. “On the other side of the Atlantic, the concept is reversed: that is, the individual is expected to take responsibility for his or her own privacy. Informing the individual about risks, about tools they can use and about the state of cybersecurity is thought of something the government can legitimately do."

Mr. Kinsella points to the General Data Protection Regulation, a set of rules being developed by the European Commission that would require all companies that store data in Europe to follow European law, as a more robust protection for citizens concerned about how their data could be used. The regulations up the stakes for businesses by fining them up to 4 percent of their global revenue if they fail to protect their customers’ data, he notes.

But as the deadline set by the European high court looms – regulators have said they hope to release a new Safe Harbor agreement by Feb. 2 – lawmakers in the US are taking a different approach.

“I'm going to make sure ... that we don't just try to do something to help them out and we don't protect our interests,” Senator Cornyn, the Senate’s number two Republican, told Reuters, referring to the European Union.

“US companies should not have to endure regulatory threats in an attempt to change our policies or laws,” he added on Thursday, just before the Judiciary Committee voted to adopt the bill.