Showing posts with label Data Privacy. Show all posts

January 12, 2016

Henry Farrell and Abraham Newman in Foreign Affairs: "The Transatlantic Data War: Europe Fights Back Against the NSA"

Network member Abraham Newman (Georgetown) has published an article (with Henry Farrell of George Washington University) in Foreign Affairs entitled "The Transatlantic Data War: Europe Fights Back Against the NSA". The first paragraphs are below and you may read the remainder here.

* * *

Last October, the European Court of Justice struck down the Safe Harbor Agreement, a 15-year-old transatlantic arrangement that permitted U.S. companies to transfer data, such as people’s web search histories or personnel records, outside of the EU. In invalidating the agreement, the ECJ found that the blurry relationship between private-sector data collection and national security in the United States violates the privacy rights of EU citizens whose data travel overseas. The decision leaves U.S. tech companies with extensive international operations on shaky legal ground.

Although some informed American observers anticipated the decision, most were caught flat-footed; some seemed downright bewildered. The vice president of the US Chamber of Commerce, Myron Brilliant, responded in shock that “it is particularly alarming that this long-standing agreement has been invalidated with no discussion of a transition period or guidance regarding how companies should comply with the law…” Critics of the decision, including Commerce Secretary Penny Pritzker, argue that it will devastate the transatlantic digital economy, costing U.S. firms billions of dollars. Without a new agreement, there is a significant risk that personal data will have to be quarantined within Europe, creating, as Alphabet Chairman Eric Schmidt warned in his response to the decision, “per-country-Internets”. If that occurred, he continued, it could risk destroying “one of the greatest achievements of humanity.” Critics charge that the EU is acting unilaterally to protect its businesses against foreign competition, damaging the open, democratic nature of the Internet.

But the main reason that U.S. companies and officials are flustered is that they are used to being the ones who make the rules. Over the past 70 years, the United States has built a global system in which trade, investment, and information move quickly and easily across borders. That openness has created an interdependent world in which the national rules and preferences of one country can shape the rules and preferences of others. The outsized power of the U.S. economy usually gives that role to the United States.

In the aftermath of the 9/11 attacks, the United States began to exploit interdependence, deliberately using its economic power as an instrument of national security. Despite advocating for free flows of capital, it has systematically used sanctions to oblige foreign banks and financial actors to isolate people, businesses, and states from the global financial system. Despite publicly promoting an open and secure Internet, it has privately undermined online communications and surreptitiously created vast international surveillance systems in cooperation with close allies including the United Kingdom. In short, the United States has leveraged the world’s reliance on its economy to influence and spy on foreigners.

This strategy is reaching its limits, and the Safe Harbor decision powerfully demonstrates that Washington needs to wake up to its costs… [continue reading here]

November 2, 2015

Herwig Hofmann on the Schrems Decision

Few recent decisions of the Court of Justice have attracted as much comment -- or controversy -- as the Schrems decision on the data protection "safe harbor."  As part of our ongoing series of posts regarding the case, we are delighted to publish here an analysis and comment by network member Herwig Hofmann (Luxembourg).  Herwig's perspective is of particular interest, as he represented Max Schrems before the Court of Justice in the case.  In the post below, he explores some of the broader implications of the decision.


* * *

The Essence of EU Fundamental Rights and their Global Reach 

Herwig C.H. Hofmann[1]

The CJEU ruling in Schrems v Data Protection Commissioner[2] will be subject to many discussions on constitutional matters for the time to come. It is a landmark case not only for clarifying and applying the basic conceptual understanding of fundamental rights in the EU. The Schrems case clarifies therein many further aspects of conditions for effective protection of a right, supervision by Member State authorities as well as the global reach of EU fundamental rights, at least regarding information rights and their protection. As is typical for many essential developments in public law, these developments originate from the very specific structural and substantive context of a specific policy area’s administrative law details. But the consequences will radiate also into debates on pluralism of multi-level legal orders in an inter-connected world.

The background to Schrems v DPC is as follows: Supervision of compliance with EU data protection rules takes place by national authorities vested with “complete independence”[3] within the territory of each Member State. Transfer of data from the EU to a third country is possible only if that country has an “adequate level” of data protection, a fact the European Commission may certify by means of a decision.[4] In 2000, the Commission had taken an adequacy decision with respect to the United States of America, a decision that became known as the “Safe Harbour Decision”.[5] The Court of Justice of the European Union (CJEU) had the opportunity to review the compliance of the various elements of the data protection regime, especially the conditions of the Commission decisions declaring a third country to maintain an adequate level of protection, upon request for preliminary reference by the High Court of Ireland in a judicial review procedure of a decision of the Irish Data Protection Commissioner (DPC) not to accept a complaint about Facebook Ireland transferring personal data to Facebook servers in the US.

October 18, 2015

More on Schrems/Safe Harbor: Jean Monnet Center-NYU to hold lunchtime seminar on Thursday October 22 (RSVP req'd)

The Jean Monnet Center for International and Regional Economic Law & Justice at NYU Law School is organizing a lunchtime seminar on the recent and high-profile Schrems/Safe Harbor judgment of the EU Court of Justice.  The Court’s ruling invalidated the arrangements for transatlantic data flows, on the ground that US law does not offer adequate protection of Europeans' right to privacy.  It raises a range of important questions concerning international jurisdiction, surveillance oversight, privacy standards, transatlantic commerce, and internet regulation.

The seminar will take place on Thursday October 22 from 1:00-2:30 pm in the 1st Floor Lounge at 22 Washington Square North in New York City.  The discussion will be introduced by a panel, consisting of Hauser Global Scholar Thomas Streinz, Senior Global Emile Noël Fellow Professor Piet Eeckhout, Professor Richard Epstein, and Zachary Goldman of the Center on Law and Security.  Professor Gráinne de Búrca will moderate.

If you are interested in attending, please RSVP by email to jeanmonnet@nyu.edu.  Lunch will be served from 12:30 PM and the presentation will begin at 1:00 PM.

October 10, 2015

Schrems/Safe Harbor Forum: A Sample of Some Critical US Commentary

With network member Herwig Hofmann (Luxembourg) representing the plaintiff, Max Schrems (Vienna PhD candidate in law), in the action that led to the CJEU judgment invalidating the US-EU data-sharing agreement known as 'safe harbor', a flood of commentary is to be expected.  We at Europaeus urge network members to send us their thoughts for posting or cross-posting.  In the interim, to give a sense of how the judgment has been received in some quarters on this side of the Atlantic, we publish excerpts from some critical US commentary below, and we look forward to posting views on all sides of the debate in the future.


* * *

Timothy Edgar (Brown), writing in Lawfare ("Schrems v. Data Protection Commissioner: Some Inconvenient Truths The European Court of Justice Ignores"), notes that the judgment fails to take into consideration at least two crucial facts:

First, Max Schrems’s Facebook data actually has more protections in US law when it is on a server in the US than when it is in the EU.  As I explained earlier this year in TechCrunch, offshoring data won’t protect it from the NSA, and neither will keeping data in Europe.  When content is located inside the United States, it cannot be collected except by order of the Foreign Intelligence Surveillance Court (FISC). The court imposes detailed oversight and auditing requirements, and has enforced those rules with threats of contempt of court....

Second, for the NSA to obtain Max Schrems’s Facebook data in the US, the NSA will face more legal scrutiny under US law than most intelligence services in the world, including in EU countries, ever will.  As I’ve explained before on this site, many European countries do not require judicial orders for intelligence surveillance....

The bottom line is that, if the fact that a country provides broad legal authority for national security surveillance means that the EU doesn’t consider it a safe jurisdiction for storing data about its citizens, it might want to take a good long look at the laws of its own member states....

And that’s where this decision by the ECJ offers an extraordinary opportunity for global surveillance reform.  If the ECJ is serious about subjecting national security surveillance laws to real scrutiny, it could build serious momentum for reform of those laws – and not just in the United States.

Edgar's suggestion is echoed by Evgeny Morozov, a senior editor at The New Republic.  Writing in the Financial Times, ("Worldwide fight over personal data has barely begun"), Morozov notes:

Alas, Europe’s own record on surveillance is disappointing. One would be hard pressed to find the differences between core provisions of the new surveillance law in France ... and those at work in America.... 

In this instance, one can’t blame Americans for complaining about hypocrisy when Europe’s stance on surveillance is full of contradictions. 

Finally, Richard Epstein (NYU), writing in Politico ("Europe’s top court goes off the rails"), criticizes several "astonishing" features of the Court's judgment, notably "that it paid no heed whatsoever to the reliance-interest of thousands of companies," and "that the ECJ attached no weight whatsoever to the massive dislocation that its decision would impose on all the companies in question."  He concludes:

Normally, decisions to shut down major programs require some balance of the equities on both sides. That was wholly ignored by the ECJ. Starting from its dubious premises, the ECJ has ripped apart a system that will take a great deal of effort to put back together. In the interim, virtually all the companies in question are left adrift on the question of whether they should shut down their networks immediately or risk serious civil and criminal penalties for moving further forward in this direction. It takes years to put into place successful complex systems of data transmission. It takes only one arrant complaint and a dubious decision of the ECJ to rip it all apart.

No doubt others will have different opinions.  We look forward to posting more commentary from the network on this important decision in the near future.

August 14, 2015

Bilyana Petkova, "Data Protection in the US and the EU: the Case for Federal Solutions"

Bilyana Petkova (Yale-NYU, soon to be Max Weber Fellow at EUI) has forwarded the contribution below, cross-posted from Verfassungsblog, which builds on her article recently posted on SSRN entitled "The Safeguards of Privacy Federalism."  An earlier version of this paper won a Young Scholars Award at the 8th Annual Privacy Law Scholars Conference at Berkeley in June 2015.


* * *

Which level is better placed to provide efficient data protection – the federal or the state level? This question is topical both in the United States and in the European Union. In the US, there are concerns regarding the increased fragmentation of American data privacy law and the lack of relevant federal consolidation. In the EU, the proposed General Data Protection Regulation (GDPR) supposed to replace the Directive of 1995 was met with opposition regarding the “over-centralization of powers” in the European institutions.

Where do we stand with data protection in the EU and in the US now? We are five years in after the EU Commission first announced its initiative to work toward updating the framework European data protection law, and over 207 amendments to the Commission’s proposal later (introduced only in the version of the European Parliament; if we add the ones tabled by the different Presidencies of the Council, the count would reach several thousands). In an unprecedented move, at the end of July the European Data Protection Supervisor issued his own amended version of the Regulation ahead of the upcoming institutional trialogue…

In the meantime, the US has been drifting further away from a comprehensive statutory scheme after a federal proposal for a Consumer Bill of Rights failed to muster agreement twice, first in 2012 and then in 2015. Current attempts to regulate student privacy and to consolidate state data breach notification laws on the federal level remain uncertain.

In short, the GDPR and US federal initiatives are seemingly not winning hearts and minds. But they should have at least provoked your curiosity by now. Here is how federal or EU regulation has the potential of bringing a level of legal certainty beneficial to individuals and businesses alike:

The Evils of Centralizing Data Protection: Myth or Reality?

Myth 1: The procedure for enacting US federal or European law is slow and burdensome. Hence, the main fear of centralizing data protection law is that it would bring regulatory ossification that stymies innovation.

Myth 2: Industry lobbies mobilize better on the federal or the EU level. They push Congress or the EU institutions toward the establishment of weak centralized legislation vis-à-vis private sector regulation. The phenomenon, dubbed “defensive preemption”, has been described regarding policy developments in the US environmental field back in the 1980s. Strong lobbies tried to preempt environmental-friendly US state laws by institutionalizing a low bar of federal protection.

The conventional wisdom is not entirely wrong. But it is simplified and too often incomplete. Precisely because of the checks and balances that slow down US federal or EU lawmaking, state regulation is a necessary backstop for data protection law. The state legislatures can react promptly to what are perceived by their constituents as digital threats. Some of the state laws will provide imperfect protection and will possibly be too inflexible. Federal or EU law oversight can evaluate and fix such regulatory failures.

In turn, centralized oversight does not need to translate into weakening of the privacy protections. Federal or EU law can introduce mechanisms that allow the law to respond to ongoing challenges. For example, the GDPR establishes a one-stop-shop mechanism that aims to avoid forum shopping. According to the one-stop shop principle, only one national Data Protection Authority (DPA) is responsible for taking legally binding decisions against a company (the responsible DPA is determined by the company’s main establishment in the EU). However, some were concerned that businesses would locate their main establishment in countries with a less onerous enforcement approach. Despite question marks about the practical implementation of this principle, the GDPR introduces a requirement for co-operation between the national DPAs that significantly minimizes the risk of a “race to the bottom”.


One way to avoid ossification is therefore by relying on state standards and institutions to act as catalysts. An often-quoted example is the first Californian law on breach notifications, now adopted under one form or another in 47 of the US states. A similar case is the French idea of a “droit à l’oubli” that now forms part of the case law of the European Court of Justice and is a feature of the GDPR. If the federal government or the EU legislator refrain from preempting state law for a period of time, at least some of the higher standards of consumer or fundamental rights protection introduced in at least some of the states are likely to be voluntarily taken up by other states but also by the industry. Privacy federalism can offer protections in the long run.

The Network on SSRN: Richard Peltz-Steele on "Differences in the U.S.-EU Data Protection/Safe Harbor Negotiation"

Network member Richard Peltz-Steele (UMass-Dartmouth) has posted a new piece on SSRN, entitled "The Pond Betwixt: Differences in the U.S.-EU Data Protection/Safe Harbor Negotiation," which recently appeared in the Journal of Internet Law.  The abstract is below and the full article can be found here.


* * *

This article analyzes the differing perspectives that animate US and EU conceptions of privacy in the context of data protection. It begins by briefly reviewing the two continental approaches to data protection and then explains how the two approaches arise in a context of disparate cultural traditions with respect to the role of law in society. In light of those disparities, Underpinning contemporary data protection regulation is the normative value that both US and EU societies place on personal privacy. Both cultures attribute modern privacy to the famous Warren-Brandeis article in 1890, outlining a "right to be let alone." But decades passed before the impact of the article was felt. Both privacy and data protection are today part of the fundamental rights system of Europe, a component of the amalgamated constitution of the European Union. Both are part of the legislative and regulatory state at the national and federal level.

June 27, 2015

Peter Swire on the USA Freedom Act and European Concerns about NSA Surveillance

Network member Alasdair Young (Georgia Tech) has alerted us to the publication of the first Working Paper from Georgia Tech's Jean Monnet Center, entitled "The USA Freedom Act: A Partial Response to European Concerns about NSA Surveillance," and authored by privacy expert Peter Swire (Georgia Tech).  Alasdair's announcement is below; the full text is available here.


* * *

Georgia Tech’s Jean Monnet Center of Excellence is proud to announce the publication of its first working paper, written by Center member and Huang Professor of Law and Ethics at the Georgia Tech Scheller College of Business and Senior Counsel at Alston & Bird LLP Peter Swire.  Swire, who served on President Obama’s Review Group on Intelligence and Communications Technology and who, under President Clinton, helped to negotiate the U.S.-E.U. Safe Harbor agreement for trans-border data flows, reflects on how recent changes in U.S. surveillance policy, including the 2015 USA Freedom Act.  He contends that the Act, to a significant extent, reflects recommendations suggested by the Review Group. It also follows on from a series of pro-privacy reforms adopted by the Administration.  Collectively, Swire argues, these reforms go a considerable way towards addressing European concerns about U.S. surveillance practices, although there is still a considerable way to go.  The USA Freedom Act, although focused on domestic surveillance, provides encouragement that U.S. surveillance policy will continue to be reformed in a pro-privacy direction. The working paper is available at: http://inta.gatech.edu/jmce/working-papers.

May 13, 2015

EU Reform and Trans-Atlantic Cooperation in Data Protection (Richard Peltz-Steele, UMass)


In this post, network member Richard Peltz-Steele (UMass) reviews the state of EU data protection reform, US-EU cooperation on compliance and enforcement, and the prospects of a successful compromise in a time of legislative gridlock, government surveillance, and public controversy.  

Reflecting on discussions last month in Madrid in which he took a role, he argues that—despite continued European skepticism and the difficulties of reconciling regulatory ideals with commercial realities—solid grounds for optimism remain.



* * *

For the last couple of years, the EU has been in the throes of birthing a General Data Protection Regulation (GDPR).  The GDPR will replace the existing 1995 Data Protection Directive (DPD), which is showing its age in the struggle to confront problems of global electronic communication.  The impending changes were the subject of a program of the Union Internationale des Avocats (UIA) in Madrid April 17 and 18, in which I participated.  In light of those discussions, it seems a good moment to review the expected changes and their implications for the complex relationship between the United States and European Union in matters of data protection.

I. From DPD to GDPR – A New Regime for Data Protection

Under EU law, the transition from a directive (the DPD) to a regulation (the GDPR) is a significant change in legal form.  A directive calls on Member States to legislate themselves into compliance by enacting compliant national laws, while a regulation constitutes self-executing Union law.  Accordingly, under the DPD, data protection law has evolved largely in the province of national legislatures, national courts, and quasi-independent national data protection authorities.  But the EU institutions have not been altogether excluded: for example, the EU Court of Justice (CJEU) has the power to construe the DPD, and the court has decided questions referred from Member States—notably including last year’s bombshell, Google Spain, in which the court ordered Google to de-link search results deemed untimely and unfair to a data subject.  And the DPD’s “Article 29 Working Party,” a body primarily comprising national data protection officers and officials of the European Commission (EC), has been influential in harmonizing data protection law across Member States.  In sum, the system that has evolved under the DPD has been a process of cooperation or dialogue between national and Union institutions, and one in which the national participants have played a leading role.

May 24, 2014

Henry Farrell and Abraham Newman: Forget Me Not: What the EU’s New Internet Privacy Ruling Means for the United States

Network member Abraham Newman (Georgetown) has published an article (with Henry Farrell of George Washington University) in Foreign Affairs which may be of interest to readers. The first two paragraphs are below and you may read the remainder here.

* * *

The modern innovators of Internet human rights are not U.S. leaders, or bold Silicon Valley entrepreneurs. They’re stodgy bureaucrats, politicians, and lawyers in Brussels, Berlin, and Strasbourg. As the National Security Agency (NSA) and American firms have relied on sucking up massive amounts of data to observe citizens and create and serve consumers, the European Union has fought to establish privacy rights for its citizens. Over the last ten years, however, the EU initiative seemed to be on the ropes as the United States pressed Europeans to water down privacy protections in a number of key sectors. But now, the tables are turned.

This month, the European Court of Justice, Europe’s closest equivalent to the Supreme Court, has ruled that Google must delete search results for a Spanish citizen that the citizen had found outdated and upsetting. The ruling obliges Google and other Internet firms to respect a limited version of the “right to be forgotten” --the right to have certain kinds of information, such as former debts or inappropriate photos, removed from the public sphere. The right will be enforced by national data protection authorities, for example the Federal Commissioner for Data Protection and Freedom of Information in Germany or the Information Commissioner in the United Kingdom, which can require e-commerce firms to remove embarrassing, misleading or outdated information about EU citizens where they think it appropriate. In its most extreme form, an individual could request that search engines remove all links to their name, making them virtually anonymous in the Internet. [continue reading here]



January 8, 2013

EU Data Privacy Reform (Francesca Bignami)


This past weekend, the new European Law Section took its first step toward formal establishment by holding an "open program" on "The Globalization of European Data Privacy Law" at the AALS Annual Meeting in New Orleans.  Thanks to everyone in attendance as well as to the guest panelists Joel Reidenberg and Peter Swire for their incisive remarks.  But special thanks must go to Daniela Caruso for moderating and, more importantly, to Francesca Bignami for organizing the panel.  Francesca was unable to attend the meeting but provided the remarks below, which Peter Lindseth read to kick off the session.  Francesca has graciously agreed to have her remarks reproduced here.

* * *

A major reform of the EU data privacy framework is underway.  In these remarks I will focus on two sets of changes contained in the proposed legislation, one of which is specific to EU governance and the other of which is relevant for data privacy policy generally.   On the first score, the most important trend is the centralization of power at the EU level, with a corresponding loss of power for national legislatures and national data protection authorities.  On the second score, most of the changes that have been made to data privacy policy have brought the EU framework closer to the US one.  In other words, EU and US regulatory policy are converging in important respects.

Background

The new EU privacy legislation was proposed in January 2012.  There are two pieces of legislation:  a Directive, which covers law enforcement activities by the police and judiciary; and a Regulation, which covers everything else.  The most important is the Regulation and the bulk of my remarks will focus on that.  These two pieces of legislation are now winding their way through the EU legislative process.   They are to be adopted under the “ordinary legislative procedure”, formerly known as “co-decision”, under which the Commission proposes and the Council of Ministers and European Parliament each have an equal vote.  The process is anticipated to take at least 2 years.  As of yet, the legislation has been considered by committees of the European Parliament and the Council but has not been voted on in either body.  After the legislation is passed, there is a two-year window for implementation, at which time it will come into force in the Member States.  The best guess is that it will come into force in either 2015 or 2016. 

January 3, 2013

Move to the Front: "The Globalization of European Privacy Law" at AALS Annual Meeting

We're moving to the front this reminder for those members of the network who will be attending the Annual Meeting of the Association of American Law Schools (AALS) this weekend in New Orleans.  The “open program” and initial administrative meeting of the (currently in formation) Section on European Law of the AALS will take place Sunday, January 6, in the Fountain Room, Third Floor, Hilton New Orleans Riverside, from 4:00-5:45 pm.  The open program will feature the following panel discussion:

The Globalization of European Privacy Law?

Moderator:
Daniela Caruso, BU Law School
Speakers:
Peter L. Lindseth, UConn Law School (substituting for Francesca Bignami, GW)
Joel R. Reidenberg, Fordham Law School
Peter P. Swire, OSU/Moritz College of Law

The Annual Meeting program (here, p.109) describes the substantive focus of the panel as follows:

Global privacy law is in flux. The European Commission has proposed a new data privacy regulation that contains a number of far-reaching innovations, including the right to be forgotten, the right to data portability, the duty to give consumers notice of data breaches, sweeping new regulatory powers for the European Commission, and unprecedented administrative fines amounting to as much as 2% of a corporation’s annual worldwide revenue. In the United States, the Obama Administration has announced its support for a Do Not Track mechanism, limitations on the collection and use of personal data, and greater oversight of data brokers. Will these changes mitigate or exacerbate the deep and longstanding transatlantic dispute over privacy law? How will they affect European and American efforts to export their models of data privacy to the rest of the world? Will Europe remain a leader in setting global privacy standards? The panelists will discuss these and other issues of significance for transatlantic relations and global privacy regulation.

Following the panel discussion, we'll have our first administrative meeting, at which we'll collect additional signatures on the petition to establish the section and vote on the opening slate of officers and executive committee.  We hope to see as many of you there as possible.  If you intend to come, please send a courtesy RSVP to Daniela Caruso, just so we can get a sense of our likely numbers.

December 16, 2012

Section Reminder: "The Globalization of European Privacy Law" at AALS Annual Meeting


This is a reminder for those members of the network who will be attending the Annual Meeting of the Association of American Law Schools (AALS) from January 4-7, 2013, in New Orleans.  The “open program” and initial administrative meeting of the (currently in formation) Section on European Law of the AALS will take place Sunday, January 6, in the Fountain Room, Third Floor, Hilton New Orleans Riverside, from 4:00-5:45 pm.  The open program will feature the following panel discussion:

The Globalization of European Privacy Law?

Moderator:
Daniela Caruso, BU Law School
Speakers:
Peter L. Lindseth, UConn Law School (substituting for Francesca Bignami, GW)
Joel R. Reidenberg, Fordham Law School
Peter P. Swire, OSU/Moritz College of Law

The Annual Meeting program (here, p.109) describes the substantive focus of the panel as follows:

Global privacy law is in flux. The European Commission has proposed a new data privacy regulation that contains a number of far-reaching innovations, including the right to be forgotten, the right to data portability, the duty to give consumers notice of data breaches, sweeping new regulatory powers for the European Commission, and unprecedented administrative fines amounting to as much as 2% of a corporation’s annual worldwide revenue. In the United States, the Obama Administration has announced its support for a Do Not Track mechanism, limitations on the collection and use of personal data, and greater oversight of data brokers. Will these changes mitigate or exacerbate the deep and longstanding transatlantic dispute over privacy law? How will they affect European and American efforts to export their models of data privacy to the rest of the world? Will Europe remain a leader in setting global privacy standards? The panelists will discuss these and other issues of significance for transatlantic relations and global privacy regulation.

Following the panel discussion, we'll have our first administrative meeting, at which we'll collect additional signatures on the petition to establish the section and vote on the opening slate of officers and executive committee.  We hope to see as many of you there as possible.  If you intend to come, please send a courtesy RSVP to Daniela Caruso, just so we can get a sense of our likely numbers.