A new deal announced this week between American and European negotiators is a big deal, as it addresses privacy concerns faces by Internet giants Google, Facebook and Amazon.
On February 2nd, the negotiators announced the details of the newly negotiated “Safe Harbor” data deal, under which American-based Internet companies will be allowed to handle and transfer the electronic data of consumers from European Union member states to servers in America. These negotiations were initiated after the high court of the European Union struck down the EU’s previous agreement with the United States dealing with electronic data transfers in 2015.
The history and content of these agreements has implications for online business, commerce, and development, and highlights the different ways in which the United States and the European Union treat online privacy and data security.
The origin of the European Union’s policies dealing with the transfer of private electronic data goes back to 1995, when the EU “Data Directive” was adopted by member nations. As Internet communication and commerce was in its infancy, the Directive acknowledged the importance of allowing the flow of data across borders for international trade and economic development. If this sort of data flow were prohibited, massive impediments to electronic commerce and communication would stymie Internet activity, as personal data would be confined to servers only within a given country.
While the Directive permitted the transfer of personal electronic data across borders, it also articulated the European Union’s commitment to securing personal data and privacy. It prohibited the transfer of such data to countries that do not provide an “adequate level of protection” to consumer data, and established that data-processing systems and Internet activity are “designed to serve man”. In light of this, the handling of private data must not infringe on an individual’s right to privacy, which was acknowledged as a “fundamental right and freedom”.
The previous Safe Harbor agreement between the EU and the United States, first negotiated in 2000, seemed to be in accordance with the guidelines laid out in the 1995 Data Directive until the Snowden revelations of 2013.
Among the information made public by NSA contractor Edward Snowden was the existence and extent of the National Security Administration’s PRISM program. Under this dragnet data collection program, companies in the United States like Facebook and Google were legally obligated to turn over private user data to the NSA.
Under the FISA Amendments Act, the Federal government had the authority to collect data from these companies belonging to foreigners abroad. The ACLU described that the Act is “predicated on the theory that foreigners aboard have no right to privacy”, and while public outcry in the U.S. mostly focused on the collection of private data belonging to American citizens, EU officials were forced to reexamine whether this treatment of their citizens’ data by the United States was permissible.
In 2015 the European Court of Justice struck down the Safe Harbor agreement from 2000 because of the access the American government had, through American Internet companies, to private data originating in EU member countries. The 2015 ruling marked the end of a prolonged legal battle by European privacy activists who first initiated action against the data agreement after the June 2013 revelations.
The newly negotiated agreement contains what privacy advocates see as important safeguards against infringement by the United States government. First, American companies handling European private data must publish public, robust commitments articulating how they will ensure that data originating from the EU is kept safe. These commitments will be enforceable under US law and monitored by the Department of Commerce.
The American government has agreed to rule out all indiscriminate mass surveillance and data collection, and has agreed to make exceptions to this rule only to the extent “necessary and proportionate”. To ensure that these guidelines and followed, the European Commission and U.S. Department of Commerce will conduct annual joint reviews of data handling practices. Finally, the agreement provides EU citizens with several routes to seek redress for grievances, should they feel that their rights are being compromised.
Because of these negotiations, potential disruptions of American Internet company activity in Europe were avoided and rights recognized by the European Union will be protected in the international arena. The source of this conflict in the first place, however, seems to stem from the disparate ways in which EU member countries and the United States view the right to privacy with regards to personal electronic data.
As previously noted, the EU Data Directive employs strong language when discussing electronic data privacy rights, treating it as a fundamental right and freedom analogous to free speech. The European Union’s dedication to this ideal has been elucidated in other ways, including their “right to be forgotten” with regards to online data and other regulations mandating that companies provide consumers with insight into how their data is being used.
The United States does not currently recognize either of those protections that the European Union has embraced. The most striking difference, perhaps, between US and EU treatment of electronic data lies in how American courts have treated private data that is held by third-parties, like Internet and telecommunication companies.
The “third-party doctrine”, developed in the Supreme Court cases of Smith v. Maryland and United States v. Miller, says that when an individual voluntarily provides their private information to a third-party, that individual has no reasonable expectation that the data in question will remain private. In light of this, the Court has granted the government the authority to collect personal data from third-parties without a warrant, a power that makes civil libertarians and Fourth Amendment activists uneasy.
In her concurring opinion in a 2012 case involving the Fourth Amendment, Justice Sonia Sotomayor questioned whether the third-party doctrine ought to be reexamined. Both the Smith and Miller cases, which established the current precedent, were decided in the 1970’s and caused Justice Sotomayor to wonder whether the current doctrine was suited for the digital age.
Despite these differences, the United States and the European Union were able to successfully iron out a deal that seems to conform to the values of both parties. While the right to privacy with regards to electronic data has been a robust and fully developed right in the EU, the “third-party doctrine” is still reigning precedent in American jurisprudence, and perhaps will be reassessed as the digital age continued to evolve.
Jonathan Stahl is regular contributor to the National Constitution Center's Constitution Daily blog.
