Those of you who read SIIA blogs, statements, and testimony know that we are big proponents of data-driven innovation. For such innovation to achieve its full potential, cross-border data flows are essential. That is why we support Trans-Pacific Partnership (TPP) digital provisions so strongly and consider them a floor for additional digital provisions in the Transatlantic Trade and Investment Partnership (TTIP) and Trade in Services Agreement (TISA). We support interoperability mechanisms such as the EU-US Privacy Shield that allow companies to transfer data from one jurisdiction to another as long as they comply with the rules established in the mechanism. This has nothing to do with undermining societal values such as privacy and everything to do with creating law-based data transfer mechanisms as we demonstrated at an October 9, 2015 Geneva event for TISA negotiators.
We are strong supporters of the EU-US Privacy Shield because it has the potential, like its predecessor, the U.S.-EU Safe Harbor Framework, to become the premier mechanism to transfer data from Europe to the United States. The Framework has over 4,000 member companies. Across the globe, there is no similar mechanism with such a large membership, although APEC’s Cross-Border Privacy Rules (CBPRs) have the potential to grow in uptake.
SIIA is also an active participant in the surveillance debate in the United States and abroad. Our basic views on this subject are spelled out in the seven principles on surveillance we issued in 2014 with the Information Technology Industry Council. The principles deal with lawful basis and necessity; access; technology neutrality; transparency; oversight; avoidance of conflict of laws; and international engagement. This last principle encourages governments to work together on these surveillance issues. The European Commission and the U.S. government did work together on the operations of the U.S. signal intelligence gathering program, which is reflected in the Shield’s Annex VI.
In this context, a recent German Marshall Fund (GMF) event on “Transatlantic Data Flows and Safeguards: Is the EU-U.S. Privacy Shield Strong Enough?” is timely because the Article 31 committee, which is composed of EU Member States, must determine whether to approve the Shield. The GMF event focused mainly on the surveillance issues surrounding the Shield. GMF has done groundbreaking work in this field, for instance its 2015 report: “Transatlantic Digital Dialogue: Rebuilding Trust through Cooperative Reform.”
The discussants at the GMF event, all deeply versed in the security, economic, and intelligence aspects of data flows, agreed that the Privacy Shield’s security/intelligence elements represented a serious effort to address proportionality, redress, and transparency concerns. Some participants also noted that the USG had more transparency on its signal intelligence collection activities than many European countries. With respect to redress, one analyst noted that even reformed German oversight legislation would likely not meet the DPA’s standards for transparency and the draft British Investigatory Powers Act does not meet that standard either. Nonetheless, the invitees noted ongoing Privacy Shield concerns with respect to bulk collection (how much is proportional?), the independence of the Ombudsperson mechanism, and implementation of the Judicial Redress Act (JRA). Everybody agreed that the annual review process was important, but that there will be a court challenge against the Privacy Shield. The discussants were also unified in their view that unless the Privacy Shield is approved, TTIP cannot go forward.
In our view, dialogues such as these are tremendously helpful in deepening understanding among transatlantic policymakers both on surveillance practices and the challenges both sides grapple with in an era of continuing dangerous terrorism. We think the dialogue on these matters should be intensified. As Constantinos Manolopoulos put it in his foreword to a major report on European surveillance practices: “Finding a balance between national security protection and respect for fundamental rights is a challenge that requires thorough and candid discussion.”
This balance must be determined by discussions among governments. Our fundamental view is that “Any government collection of private sector data must be authorized by law, must not be indiscriminate, and must be limited to what is necessary to achieve a legitimate purpose.” This is why, for instance, in the United States we support reform of the Electronic Communications Protection Act (ECPA) that would require the government to obtain a warrant to review personal data stored in the cloud, just as it must if the data is stored on a personal computer. We welcomed passage of the USA Freedom Act, which limits the government’s bulk data collection authority. SIIA, together with other trade associations, played an important role in securing passage of the Judicial Redress Act, which provides EU citizens with judicial redress options akin to those enjoyed by U.S. citizens in the U.S. Privacy Act.
A crucial point is that a country’s surveillance practices have an international dimension. As SIIA and ITI said in their principles, “Governments should recognize that the frameworks pursuant to which national governments collect private sector data have global impacts. Governments should engage in multilateral discussions with other governments to minimize adverse global impacts in connection with the collection of such data.”
Comparative studies on surveillance practices would inform these discussions. In addition to the GMF report on rebuilding trust, there are several other helpful studies, including:
- In 2015, the European Agency for Fundamental Rights (FRA) published “Surveillance by intelligence services: fundamental rights safeguards and remedies in the EU: Mapping Member States’ legal frameworks.”
- The law firm Hogan Lovells has done work in this area, for instance “A Sober Look at National Security Access to Data in the Cloud.”
- Former Commerce Department General Counsel Cameron Kerry has written extensively about these issues, for example “Missed Connections: Talking with Europe About Data, Privacy And Surveillance.”
It is worthwhile reflecting on where we are on the whole question of data flows between Europe and the United States. We are responsible for half of the world’s trade. Roughly 56% of Europe’s Foreign Direct Investment goes to the United States and vice versa. We are security allies through NATO. We share values on democracy and human rights. We are in the midst of negotiating an unprecedentedly ambitious trade agreement: TTIP. Yet the principal mechanism for transferring personal data from Europe to the United States, the U.S.-EU Safe Harbor Framework, was invalidated on October 6, 2015 by the European Court of Justice. Since then, Safe Harbor members that continue to transfer data to the United States and that have not been able to transition to BCRs or SCCs operate in a kind of “legal limbo.” This is truly extraordinary and cannot be allowed to be considered normal. The United States and Europe have too many shared interests.
Once again, we salute GMF for taking the initiative to work on the difficult issues of signals intelligence collection practices. We need many more dialogues on these matters where decision-makers can truly grapple with the tradeoffs that are associated with intelligence collection. In other words, the legal and political decision-making on issues that intersect commerce, data privacy, and security needs to reflect all relevant decision-making factors, including security, civil liberties, economic imperatives, and comparative collection practices.