Passage of Comprehensive Privacy Bill in US Crucial After Safe Harbor Ruling, FTC’s Brill Says
There are different layers of meaning in the European Court of Justice’s ruling that invalidated safe harbor, FTC Commissioner Julie Brill said Tuesday during a fireside chat with European Institute President Joёlle Attinger. On a surface reading, the decision focuses on what the court perceived as problems in the U.S. government surveillance system and a lack of judicial redress rights for Europeans, Brill said. A broader reading of the court’s opinion encourages changes not just with government privacy and surveillance law, but for commercial commitments as well, Brill said.
Now that safe harbor is no longer, companies need to migrate to other data transfer systems, Brill said, and make the change as soon as is practical. It’s estimated 60 percent of companies that transferred data via safe harbor were small and medium-sized businesses, she said. It’s easy for larger companies to migrate data, and many did so before the ruling came out, Brill said. But many companies are now scrambling, she said.
During an Internet Association (IA) event in California last week, Rep. Anna Eshoo, D-Calif., said the decision sent a magnitude-7.8 earthquake through Silicon Valley, Brill noted. The 1906 earthquake in San Francisco that killed thousands of people and destroyed about 80 percent of the city registered magnitude 7.8, Brill said. “It’s a pretty big deal,” she said. Google Executive Chairman Eric Schmidt, who was also at the IA event, said he was concerned the ruling would compel countries to develop their own Internets, Brill said.
Alternative data transfer options are available without a safe harbor agreement. Binding corporate rules are an alternative only for intracompany data transfers, but are costly and take a long time for a data protection authority (DPA) to approve, Brill said. Model contract clauses are a more immediately available option, she said. Consent is also an option, but consent can't be used for human resources-related data because the European Commission's (EC) Article 29 Working Party has said consent can’t be forced, Brill said. In the eyes of Europeans, an employee can’t freely give consent to an employer, she said. Consent also must be specific and the consumer must be informed, meaning consent can’t be given through acceptance of a privacy policy, Brill said.
Americans need to realize that privacy for Europeans is like the American debates on abortion and gun control bundled into one issue, Brill said. In the U.S. privacy is important to a small part of the political spectrum, she said. Technology has put cracks in the way the U.S. has siloed privacy law, Brill said. The U.S. needs to re-examine what we can do to improve privacy practices, she said. Congress needs to pass the Judicial Redress Act, Brill said. She said congressional staffers told her part of the reason the bill hasn’t yet passed is because some members of Congress don’t understand that the redress rights that the bill grants to residents of certain countries are equal to, not more than, those granted to Americans, Brill said.
The Commerce Department is in talks with the EC on an alternative to safe harbor, Brill said. The FTC isn't a key negotiator, but the Commerce Department has consulted with it to ensure robust standards, and the FTC has the ability to enforce the new agreement, Brill said.
Electronic Privacy Information Center Executive Director Marc Rotenberg said the court had to rule safe harbor invalid because of the adoption of Articles 7 and 8 into European Law, recognizing privacy as a fundamental human right. Rotenberg said he took issue with Brill's not mentioning that privacy groups celebrated the court’s ruling, reasoning that U.S. companies are failing to safeguard data as evidenced by the number of data breaches and instances of identity theft. It’s time for the U.S. to update its privacy laws and implement a comprehensive privacy framework, Rotenberg said.
In a blog post Tuesday, Microsoft President-Chief Legal Officer Brad Smith wrote that the court’s decision “made clear what many have been advocating for some time: Legal rules that were written at the dawn of the personal computer are no longer adequate for an era with ubiquitous mobile devices connected to the cloud.” A solution needs to work for large tech companies, for small companies and most importantly consumers, Smith said. “Privacy really is a fundamental human right,” and the “collapse of Safe Harbor reflects the remarkable evolution of privacy issues,” he said.
It’s a mistake for Americans to think the European Court has a different legal approach to the protection of personal data, Smith said. Last year the U.S. Supreme Court unanimously ruled police must obtain a judicial warrant before searching the contents of a phone, he said. And before the European Court’s decision was made public, Apple CEO Tim Cook “recognized explicitly that privacy is a fundamental human right,” Smith said. The principle of the European Court’s decision is that individuals “should not lose their fundamental rights simply because their personal information crosses a border,” and Microsoft agrees, Smith said. The law must ensure people’s legal rights move with their data, he said.
While Smith backed passage of the Judicial Redress Act and the modernization of U.S. laws, Rotenberg said the bill doesn’t provide rights equal to Europeans as it claims and that it’s only a matter of time before the Europeans figure that out and another agreement is deemed invalid.
Rotenberg said the European Court of Justice also raised concerns with the FTC’s lack of authority to review law enforcement or intelligence agencies' activities on data, and said the Privacy and Civil Liberties Oversight Board doesn’t have authority in that arena either. He said the U.S. needs its own DPA. Brill disagreed, saying that wasn’t her interpretation of the ruling and that not all DPAs in Europe have authority over national security uses of data.
Data security problems have been a central focus for the FTC in the past year and will continue to be a focus in years ahead, Brill said. She said she was pleased President Barack Obama recently came out in support of encryption, saying she doesn’t support back doors for encryption technology since the technology is supposed to protect privacy. She said she’s optimistic about a new trans-Atlantic robust privacy framework, but is staying away from using the term safe harbor 2.0.