Advocate General Correctly Determines that Safe Harbor Fails to Protects Privacy and Does Not Establish Trust,
Threatening Data Flows that Underpin Transatlantic Trade
September 28, 2015
The Electronic Privacy Information Center (EPIC) has worked in close consultation with NGOs, legal scholars, and technical experts since the establishment of the Safe Harbor Framework. Based on these expert opinions, EPIC has for many years urged the strengthening of the Safe Harbor Framework. The Framework has given rise to significant concerns on both sides of the Atlantic about the adequacy of the privacy and security afforded personal information; it has shown the weakness of the self-regulatory approach to privacy, a growing concern around the world for the protection of individual privacy and flow of data across national borders. Of particular concern is the lack of meaningful enforcement of the Safe Harbor provisions and the revelations of mass surveillance by intelligence agencies.
These concerns have been presented to negotiators in both the United States and the European Union over many years, yet no substantive progress has been made. We had little reason to believe at this point that there will be significant changes to the Framework.
Understandably and predictably, the adequacy of the Safe Harbor Framework has finally been called into question by the Advocate General's recent opinion in Maximillian Schrems v. Data Protection Commissioner. We fully respect the European Union's legal process; it reflects not only a reasoned judgment about an important legal matter of broad interest across the European Union but also the growing importance of Articles 7 and 8 of the Charter of Fundamental Rights. However, in light of a recent communication from the US Mission in Brussels regarding the opinion, we believe that it is essential to respond to inaccurate assertions made about intelligence practices in the United States.
The Advocate General's opinion adopts a small number of facts as found by the Irish High Court, but the opinion barely scratches the surface of the true scope of surveillance and other relevant information that could have been considered in this matter. There was only a cursory discussion in the High Court opinion of the extent of mass surveillance, which is now more extensively documented. The incomplete record put forward by the Advocate General requires further attention.
The United States continues to engage in the routine and mass surveillance of persons outside of the United States, including ordinary European citizens. The PRISM program, that is to say the routine collection of Internet activity gathered by Internet companies and made available to US intelligence agencies, continues even after extensive public opposition. We acknowledge that President Obama has taken significant steps to enhance transparency and public accountability regarding U.S. intelligence practices directed to US persons, which we have supported. We further acknowledge the passage of the USA FREEDOM Act, which ended the bulk collection of domestic telephone records. But the Congress has failed to act on reforms to foreign intelligence collection under Section 702. Moreover, we have subsequently learned of surveillance undertaken under 12333 that is even more extensive and with less oversight than the 702 program. As a consequence, the activities described by the Advocate General are at best incomplete and fail to reflect the current extent of surveillance.
The Advocate General's opinion correctly observes that the change in circumstances since the adoption of Safe Harbor strengthens the claim that the Framework can no longer be considered as valid. When one party to an agreement acts in a way contrary to the purpose of the agreement the other party cannot be bound. This is evident in circumstance where one nation is asked to cede the legal rights of its citizens. The sensible expectation is that the negotiators for the United States and the European Union will have the opportunity to develop a new framework that safeguards fundamental rights following the decision of the Court of Justice.
Moreover, the underlying issue here also goes far beyond the Safe Harbor Framework. The Advocate General's reasoning would support the adoption of strong legal frameworks for countries, businesses and citizens to rely upon in negotiated arrangements with the European Commission. Such legal certainty is a key element of trust that promotes trade and commerce.
Given the important privacy and trade benefits that an enforceable legal framework provides to EU and US citizens and businesses, we will continue to work closely with experts and NGOs to support the creation of frameworks that safeguard privacy and help establish trust in transborder data flows. We fully respect and support the decision of the Advocate General. We note also that the Madrid Declaration calls for the establishment of "a new international framework for privacy protection, with the full participation of civil society, that is based on the rule of law, respect for fundamental human rights, and support for democratic institutions."
(EPIC is an independent non-profit research center in Washington, DC. EPIC works to protect privacy, freedom of expression, democratic values, and to promote the Public Voice in decisions concerning the future of the Internet.)