The President’s Comments on European Privacy Claims and A Look Back at the LIBE Committee Report on Government Surveillance

President Obama made a refreshing observation during an interview with Re/Code at the White House Summit on Cyber Security and Consumer Protection in Silicon Valley last week. Following an exchange regarding the need for greater privacy for students using the Internet for educational purposes, the discussion turned to European scrutiny of U.S.-based technology companies, and how they handle personal information. From the Re/Code interview :

Q. But does it have any teeth, really? I mean, Europe is very strong on these things, and doing a lot of investigations into Google and Facebook and other companies. In defense of Google and Facebook, sometimes the European response here is more commercially driven than anything else. As I’ve said, there are some countries like Germany, given its history with the Stasi, that are very sensitive to these issues. But sometimes their vendors — their service providers who, you know, can’t compete with ours — are essentially trying to set up some roadblocks for our companies to operate effectively there. Q. Interesting. We have owned the Internet. Our companies have created it, expanded it, perfected it in ways that they can’t compete. And oftentimes what is portrayed as high-minded positions on issues sometimes is just designed to carve out some of their commercial interests.

A critique of the President’s comments in the Washington Post suggests that the real issue for Europe is that U.S. consumer privacy law is far weaker than European privacy law. The critique notes, for example, that U.S. privacy law protects only “a few kinds of data” like video rental records. While it is widely understood that the United States’ sectoral approach to privacy imposes less restrictions on the private sector than Europe’s comprehensive model that recognizes a fundamental right to privacy, U.S. law does regulate important categories of personal information, including financial and health records. But consumer privacy may not have been all the President had in mind. The European pressure on U.S. companies following the Snowden disclosures has, as the President alluded, taken advantage of the situation by conflating consumer privacy laws and policies with national security laws and policies. The President’s apparent acknowledgement of the European game playing provides a useful opportunity to highlight how European officials used the response to the Snowden disclosures to bolster European industry and limit U.S. industry’s ability to do business: Immediately following the unauthorized disclosures in June 2013, the European Parliament tasked its Committee on Civil Liberties, Justice and Home Affairs (LIBE) with conducting an in-depth inquiry into the NSA’s activities, Member States’ surveillance activities, and their “impact on EU citizens’ fundamental rights and on transatlantic cooperation in Justice and Home Affairs.” The “Report on the US NSA surveillance programme, surveillance bodies in various Member States and their impact on EU citizens fundamental rights and on transatlantic cooperation in Justice and Home Affairs” was a result of a six month review that included fifteen hearings and testimony from a wide range of both governmental and non-governmental participants. The report was issued one year ago. The LIBE Report’s overall outcome encouraged an agenda, led by the European Parliament, of reforming international surveillance activities, oversight and transparency.  In addition, and, perhaps given equal footing in the report, are numerous recommendations aimed at decreasing the European Union’s reliance on U.S.-based communications and technology companies. To that end, the report offered a number of proposals aimed towards first, reviewing the European Union’s information technology and security practices, and second, improving the union’s competency at providing for its own technology and communications infrastructure and needs. The LIBE Report cited the unauthorized disclosures as causing a variety of concerns, including: the extent of the surveillance systems revealed both in the US and in EU Member States;

the violation of EU legal standards, fundamental rights and data protection standards; the degree of trust between the EU and the US as transatlantic partners; the degree of cooperation and involvement of certain EU Member States with US surveillance programmes or equivalent programmes at national level as unveiled by the media; the lack of control and effective oversight by the US political authorities and certain EU Member States over their intelligence communities; the possibility of these mass surveillance operations being used for reasons other than national security and the fight against terrorism in the strict sense, for example economic and industrial espionage or profiling on political grounds; the undermining of press freedom and of communications of members of professions with a confidentiality privilege, including lawyers and doctors; the respective roles and degree of involvement of intelligence agencies and private IT and telecom companies; the increasingly blurred boundaries between law enforcement and intelligence activities, leading to every citizen being treated as a suspect and being subject to surveillance; [and] the threats to privacy in a digital era[.][i]

Following up on these concerns, the report provided observations and recommendations concerning a variety of areas demonstrating the breadth of issues that the unauthorized disclosures raised. These included discussion of: the impact of mass surveillance; developments in the U.S. on intelligence reform efforts; legal framework and privacy principles; international transfers of data, both for governmental and commercial purposes; need for data protection reform in the European Union;  efforts to improve European Union-based IT and cloud industries; and principles that should govern democratic oversight of intelligence services. The report thus called for the adoption of the following eight actions:

Action 1: Adopt the Data Protection Package in 2014; Action 2: Conclude the EU-US Umbrella Agreement guaranteeing the fundamental right of citizens to privacy and data protection and ensuring proper redress mechanisms for EU citizens, including in the event of data transfers from the EU to the US for law-enforcement purposes; Action 3: Suspend Safe Harbour until a full review has been conducted and current loopholes are remedied, making sure that transfers of personal data for commercial purposes from the Union to the US can only take place in compliance with highest EU standards; Action 4: Suspend the TFTP agreement until (i) the Umbrella Agreement negotiations have been concluded; (ii) a thorough investigation has been concluded on the basis of an EU analysis, and all concerns raised by Parliament in its resolution of 23 October 2013 have been properly addressed; Action 5: Evaluate any agreement, mechanism or exchange with third countries involving personal data in order to ensure that the right to privacy and to the protection of personal data are not violated due to surveillance activities and take necessary follow-up actions; Action 6: Protect the rule of law and the fundamental rights of EU citizens, (including from threats to the freedom of the press), the right of the public to receive impartial information and professional confidentiality (including lawyer-client relations) as well as enhanced protection for whistleblowers; Action 7: Develop a European strategy for greater IT independence (a ‘digital new deal’ including the allocation of adequate resources at national and EU level) to boost IT industry and allow European companies to exploit the EU privacy competitive advantage; [and] Action 8: Develop the EU as a reference player for a democratic and neutral governance of the internet[.][ii]

Accordingly, many of the recommendations for action had less to do with curtailing foreign intelligence collection programs, and more to do with fostering EU technological independence. The recommendations used the disclosures as a vehicle for re-opening prior areas of concern for the European privacy community, and industry, such as the Terrorist Finance Tracking Program (TFTP) program, international sharing of Passenger Name Records (PNR) data for counterterrorism purposes, and Safe Harbor. For example, the European Parliament adopted a resolution to suspend the TFTP, a program that provides intelligence access to the Belgium-based Society for Worldwide Interbank Financial Telecommunication (SWIFT).[iii] SWIFT is a global financial messaging service. Although it has been of concern to European Members in the past, given the structure of the program, including the significant and tailored oversight and accountability structure, the TFTP continued. As a result of the Snowden disclosures, the European Commission re-opened a review of the TFTP program. The Commission, after initial investigation and consultation with the U.S. Government, determined that there are no indications that the U.S. violated the TFTP agreement.[iv] According to the LIBE Committee Report, “..the US has provided written assurances that no direct data collection has taken place contrary to the provisions of the TFTP agreement…”[v] Despite this determination by the Commission, however, the LIBE Report took the position that the TFTP should be suspended.[vi] In May 2014, Belgian and Dutch data protection authorities issued a joint statement finding that their investigation “’did not find any violations of legal security requirements.’”[vii] Although US authorities had previously tried to reassure European authorities that the TFTP was the only program through which the U.S. Government sought access to SWIFT data, Edward Snowden’s prepared testimony before the LIBE Committee on March 7, 2014 stated that NSA had inappropriately targeted SWIFT.[viii] The LIBE Report also included significant treatment of the PNR data agreements between U.S. and E.U.; a program that has no relation to the NSA surveillance activities of most concern in the public debate.[ix] The most recent EU-US PNR agreement became effective in July 2012. PNR data in the U.S. is handled by the Department of Homeland Security; it is not a signals intelligence collection activity conducted by NSA. Following the disclosures, the European Commission implemented a review to ensure that the agreement was being followed. According to a Memo released by the Commission on November 27, 2013, “Following a review by EU and US experts, the Commission found that the US authorities have been implementing the agreement in accordance with the standards and conditions it contains.”[x] The LIBE Committee Report, however, expresses concerns that PNR data is not protected once it is in U.S. retention, because it is saved “on US soil under US law, which lacks data protection adequacy.”[xi] This is a useful example of where the report draws incorrect conclusions regarding U.S. law. U.S. law is more protective than many EU Member States’ laws, with respect to government access to data for national security purposes.[xii]  Because the PNR data is retained by the government, it is subject to restrictions on government access to data under law enforcement or national security authorities. The LIBE Report pivoted from issues regarding government surveillance and national security activities to consumer data protection issues. Many of the recommendations for action were aimed at taking out the committee’s unhappiness with U.S. Government surveillance activities, on U.S. industry. The report stated that “… the US data protection legal framework does not ensure an adequate level of protection for EU citizens[.]”[xiii] As a result, the report put on the table the Safe Harbor framework. The U.S.-E.U. Safe Harbor framework enables companies to self-certify that they are compliant with privacy protections of the countries within which they do business. Safe Harbor, which is administered on the U.S. end by the Department of Commerce, is a critical enabler of cross-border data transfer. In addition to drawing further attention to the Safe Harbor framework, the LIBE Report further shifted away from government intelligence activities to proposals to wean the EU off of U.S. communications and cloud providers. Here, the report did not attempt to shield its objective of using the unauthorized disclosures as a catalyst for bolstering EU technological development and industry growth. The LIBE Report stated that the European Parliament’s “resolution of 10 December emphasizes the economic potential of ‘cloud computing’ business for growth and employment; whereas the overall economic value of the cloud market is forecast to be worth USD 207 billion a year by 2016, or twice its value in 2012[.]”[xiv] The report suggested that “…development of European clouds as an essential element for growth and employment and trust in cloud computing services and providers and for ensuring a high level of personal data protection.”[xv] The fundamental flaw in the international community’s reaction to the disclosures is that the public discussion has interposed U.S. law, policies and procedures for national security surveillance and intelligence collection, with U.S. law on consumer data protection. It has also capitalized on the lack of information available (and available for analysis, based on ease of access and language barriers) regarding the rest of the world’s national security surveillance laws and practice. Where the U.S., as generally understood, does have less regulation and restrictions on the use of data in the consumer context, there is a significant legal and policy structure restricting government’s access to data for national security and law enforcement purposes. For many other countries, the inverse is true. The LIBE Report calls for technologic and economic innovation and expansion inside the European Union, under the veil of the values of international human rights, privacy and freedom. The LIBE Report therefore serves as useful example in demonstrating the European shift from outlining principles of privacy reform and describing a vision for worldwide privacy protections, to taking advantage of the 2013 disclosures for generating European interest in developing areas of its economy.[xvi] The result is an invigorated European effort to enhance its attention to IT, cloud computing, security-consciousness, education and training, with the purpose of not necessarily advancing the philosophical goal of protective privacy, but in large part with the pragmatic goal of driving economic growth, and, creating jobs.[xvii] [i] LIBE Report at 8. [ii] LIBE Report at 50 [iii] LIBE Report at 16. [iv] LIBE Report at 16. [v] LIBE Report at 16. [vi] LIBE Report at 7. [vii] Belgian, Dutch DPAs Find No Evidence of Unlawful Surveillance of SWIFT System, BNA Privacy & Security Law Report (May 12, 2014). [viii] Belgian, Dutch DPAs Find No Evidence of Unlawful Surveillance of SWIFT System, BNA Privacy & Security Law Report (May 12, 2014). [ix] LIBE Report at 16. [x] Press Release, European Commission, EU-US agreements: Commission reports on TFTP and PNR, (November 27, 2013), available at http://europa.eu/rapid/press-release_IP-13-1160_en.htm.  A U.S. Department of Homeland Security privacy assessment of the PNR information sharing program was issued in July 2013.  See A Report on the Use and Transfer of Passenger Name Records Between the European Union and the United States, available at http://www.dhs.gov/sites/default/files/publications/dhs-pnr-privacy-review-20130703.pdf. [xi] LIBE Report at 29. [xii] Christopher Wolf PCLOB Testimony, Hogan Lovells US LLP Director, Global Privacy and Information Management Practice, “A Transnational Perspective on Section 702 of the Foreign Intelligence Surveillance Act,” (March 19 2014), available at http://www.pclob.gov/Library/Meetings-Events/2014-March-19-Public-Hearing/Testimony_Wolf.pdf. [xiii] LIBE report at 13. [xiv] LIBE Report at 18. [xv] LIBE Report at 18-19. [xvi] However, at the same time for calling for economic development in the IT and technology areas, the report also recommends a variety of regulatory frameworks that could hamper innovation and rapid development in this area, by calling for regulatory “disincentives,” “legal liability” and a “certification or verification scheme.”LIBE Report at 39. [xvii] Specifically, the report calls “for the promotion of:  EU search engines and EU social networks as a valuable step in the direction of  IT independence for the EU; European IT service providers; encrypting communication in general, including email and SMS communication; European IT key elements, for instance solutions for client-server operating systems, using open-source standards, developing European elements for grid coupling, e.g. routers[.]” LIBE Report at 39. Note also that Dean Garfield, president and CEO of the Information Technology Industry Council (ITI) before the House Judiciary Committee in February 2014 (based on a study by the International Data Corporation), “cloud computing will create almost 14 million jobs worldwide from 2011 to 2015, including nearly 1.2 million new positions in the U.S. and Canada.”