Europe is being hypocritical by derailing the Safe Harbour data protection agreement - because its own protections for citizens against indiscriminate surveillance are worse than the USA’s.
That’s the view of one expert on international data protection law at a meeting held by European competition group iComp today.
Dr Ian Walden, Professor of Information and Communications Law, Queen Mary University of London, said that US citizens had greater safeguards against fishing expeditions than European citizens, and European law enforcement opted for blanket surveillance far more readily than US law enforcement.
“Reading the description of the USA in the Schrems verdict reminded me of UK legal framework. We allow mass and indiscriminate legal surveillance. The ways the law enforcement bodies gain access to our data remain highly secret. And UK law has extra-territorial reach.”
Asked if Europe was being hypocritical, Walden replied bluntly: “Yes”.
Austrian Max Schrems put a bomb under US-European trade recently. Data protection is a fundamental right in the EU, quite apart from the right to a private life. In 2000 the superstates allowed companies exporting data to “self certify” that their data flows between the EU and countries provided adequate data protection for European citizens. These are known as “Safe Harbour” agreements.
Responding to an appeal by Schrems, the European Court of Justice recently ruled that each member state’s Information Commissioner now had to judge whether the data transfers to the USA were compatible with EU law, in a decision that shot the Safe Harbour agreement so full of holes, it may as well be regarded as a worthless.
It’s left businesses feeling that they are collateral damage in a wider war.
SAP’s public affairs chief Chris Francis said that many companies that are not consumer data harvesting and processing operations like Facebook or Google had been caught in the crossfire.
“It’s worth bearing in mind for many organisations in the B2B space and less data-driven organisations in more physical markets, there are compliance issues that are incidental to business.”
Summing up the views of his business clients, Dan Cooper of law firm Covington and Burling said that “surprise and shock” greeted the European Court’s decision.
The Schrems decision had created a maelstrom of uncertainty, as any business anywhere in the EU was now vulnerable to a legal challenge from one of its citizens.
As one software CEO explained recently:
“When a customer sues me, I go to court and find that agreement isn’t worth a dime. Google cannot guarantee what they’re guaranteeing.”
The alternatives to Safe Harbour weren’t particularly attractive, Cooper pointed out.
“The 'Model Contractual Clauses' are not really designed for today’s economies, with ubiquitous data flows,” said Cooper. Hoping they’d provide a patch for Safe Harbour was “stretching them and torturing them to fit scenarios where they don’t fit. They’re not just a square peg in a round hole, but a hexagon in a round hole.”
“Businesses felt like the rug had been pulled out from under them,” said Cooper, “The uncertainty is bad for business”
Speaking for the ICO, Jonathan Bamford advised: “Don’t panic. Don’t rush to less than ideal mechanisms.”
He was keen to stress the ICO wouldn’t add to the uncertainty - “We didn’t reach for our pad of Enforcement Notices,” he boasted, adding, “We don't intend to use our regulatory powers in a pre-emptive way.”
What Schrems had shown was that post-Snowden, “proportionality, justification, and need .... were all found wanting”.
One under-reported aspect of the Schrems decision is that power has shifted from the Commission to the individual information commissioners - like the UK’s ICO. Anything, anywhere is now vulnerable to challenge.
That not only increases the uncertainty, as they interpret data protection in different ways, but it makes a lasting, bilateral Safe Harbour 2.0 far less certain. The Commission may well be writing a cheque that will bounce.
Walden thinks we’ll get there - with a new framework rather than via patchwork directives - but it’ll take time.
Neither Cooper nor Walden thought much of the arguments underpinning the Schrems decision, arguing that the logic was suspect, and occasionally absent altogether. Walden mused: "The Judge thinks that 'National Security' is defined with sufficient precision. Really? Since when has 'National Security' had clear and definable boundaries?" ®
Sponsored: Webcast: Simplify data protection on AWS