An Austrian Law Student complained to the Data Commissioner that his Facebook data stored in the US isn’t safe. Edward Snowden, he says, shows Safe Harbour isn’t fit for purpose.
The 2000 Safe Harbour agreement means US companies can say to the EU that their data protection is up to scratch and data can flow freely. US-based organisations must subscribe to the protection principles in the agreement, be transparent about their confidentiality rules and fall within the jurisdiction of the Federal Trade Commission.
The case has progressed from Irish courts to the European Court of Justice and is awaiting final judgment. In the meantime, the aptly named European Advocate General, Yves Bot, has issued a “non-binding” opinion (which the ECJ tends to follow).
In short, Bot agrees with the budding lawyer. Snowden blew the whistle on surveillance at the NSA. As a result, Safe Harbour facilitates the violation of fundamental EU data privacy rights and runs contrary to EU law. The US mission to the EU has hit back and accused the opinion of making inaccurate assertions about intelligence practices of the United States.
Some observers, including the Financial Times, have positioned the case within the broader US-EU spat over tech sector governance. The EU has accused US companies of everything from abusive and monopolistic market dominance to mishandling personal data. The US has hit back with accusations of a protectionist agenda. This marks round four.
Is there a political tone to Mr Bot’s opinion couched within the legalese? There are pejorative references to US intelligence as an exemplar of “mass and indiscriminate surveillance,” which “is inherently disproportionate”. According to Bot, “the evidence now available would admit of no other realistic conclusion.”
Some might say that’s a moot point. There is no heed to the anti-Snowden camp and no acknowledgement of the reforms introduced by the Obama administration in the wake of the revelations. These include a new Freedom Act, which requires national security justification to access telecoms records, and the Judicial Redress Act, which for the first time allows EU citizens the right to fight NSA access to their data.
You might also ask: what about France’s Data Retention and Investigatory Powers Act (Dripa), granted final approval by the country’s constitutional council in July, which gives the state the right to intercept the communications of anyone connected to a “terrorist” inquiry?
If the European Court of Justice follows the decision, US tech companies fear the consequences could be dire. Barriers to the free movement of data out of Europe would necessitate expensive national data centres. The costs for global tech companies, and the damage to the image of Europe as a place to do business, may be significant.
Are US spies at the top of your data protection concerns, or are you more interested in cyber attacks from Russian and Chinese bots? In truth, where you stand on Snowden has probably got a lot to do with your geo-political persuasion and whether you consider America to be an “inherently” benevolent or nefarious global actor – or somewhere in between.
But there is also an argument that transcends your taste for Henry Kissinger. More long term, the fear is that in attacking the US, Europe is pushing towards a fragmented Internet, which will harm its interests. Cumbersome national systems are at odds with an economy ever more driven by data analytics and the global exchange of data assets. National barriers, in short, are the very opposite of what a modernising tech economy should be looking to achieve.
US-EU animus aside, the data protection debate can be hard to pin down at the best of times. Concerns surrounding commercial misuse of data, enemy bots, terrorist hacks, state surveillance and, let’s not forget, fear of personal embarrassment (the terrain of a “right to be forgotten”) are all apparently jumbled together under the same heading.
Let’s be careful that a free and open Internet isn’t lost in the confusion.
Photo Credit: hack2world.com