Safe Harbor Decision Could Spur Congressional Action On Privacy Rights, Data Safeguards

International privacy advocates are demanding U.S. lawmakers pass comprehensive reform that guarantees personal data stored in the country is protected with the same safeguards as data in Europe. It’s the only way, they say, that U.S. technology companies will be trusted with information on Europeans now that the safe harbor agreement has been invalidated.

The European Court of Justice announced Tuesday the safe harbor agreement, which regulated the transmission of personal data to the U.S., was invalid. While a revised version is being negotiated, privacy groups throughout the world are calling on the U.S. to follow the European Union and recognize privacy as a fundamental human right. The problem is that Facebook, Google and other Silicon Valley players have built their businesses on collecting as much information as possible on users.

“There’s a conflict here that can’t be satisfied until the United States passes a privacy law that includes fair information practices and creates clear rules on digital privacy,” said Jeffrey Chester, executive director of the Center for Digital Democracy. “What’s happened in the past is that U.S. and EU officials were willing to create a deal in order to make commerce flow. Now that’s run headlong into the EU constitution.”

The first step, according to the Electronic Frontier Foundation, is to reform Section 702 of the Foreign Intelligence Surveillance Amendments Act, which justifies the mass collection of phone calls, emails, Facebook messages, Internet browsing history and other information -- often without a warrant.

“Europeans have a soft-edged, almost fuzzy view of the human right to privacy,” Retired Gen. Michael Hayden, former director of the U.S. National Security Agency, said at a panel Tuesday. “We Americans generally consider anything in America to be of America."

Congress Eyes Reform

The NSA is able to intercept so many foreign communications, an email sent from Pakistan to Yemen, for instance, because they’re stored on servers on U.S. soil. When it comes to differentiating between messages sent between terror suspects and everyday people, Hayden said, “We’re working our way through that dilemma.”

It’s impossible to guess what a reformed Section 702 would look like, though the invalidation of safe harbor, combined with lingering civil liberties concerns, could force Congress to intervene on behalf of tech companies that have no choice but to fulfill the data demands of intelligence agencies.

“Perhaps what will change is we’ll go from a handful of companies complaining publicly about surveillance to many more companies,” Danny O’Brien, international director of the EFF, said. “One of the biggest shifts is that the NSA and Government Communications Headquarters [the NSA’s British counterpart] have long thrived in a secret environment where what they were doing was long understood to be thriving in a deliberately grey area. What we’re seeing now is a difficult attempt to bring a whole secret side of government under democratic oversight and that’s just hard to pull off.”

Scores of companies have already started following Binding Corporate Rules that allow them to sidestep safe harbor by following one European country’s data collection regulations and undergoing a review process by other EU member states. But that’s a costly, time-consuming route that many of the 4,500 or so companies that relied on safe harbor just can’t afford to follow.

The likeliest scenario is safe harbor 2.0, a revised agreement that’s been under negotiation for nearly two years and will almost certainly address European considerations. But privacy groups are using the court’s decision as an opportunity to build a new awareness about privacy in the U.S.

An Ongoing Problem

“This has been a problem all along, but it took the court to issue a powerful wake-up call to America,” Chester said. “The problem is the Federal Trade Commission doesn’t have the legal authority to protect privacy on a level with their regulatory counterparts in Europe. The EU doesn’t really enforce its privacy regimen -- the fact is that on paper people have real rights, whereas in the U.S. we’re powerless to do anything against data giants.”

Under European privacy law, individuals must be able to access information held about them, must be given notice on how their data is collected and how it’s used, must have the opportunity to opt out and must have other rights that would seem foreign to Americans. Maybe the best opportunity to bring that legislation to America would be for Congress to pass the Judicial Redress Act, which provides citizens in U.S. allied countries the opportunity to correct flawed information in their records, information that could wrongly make them the target of U.S. surveillance. The bill was introduced in the House of Representatives in March.

There’s also the Consumer Privacy Bill of Rights unveiled by President Obama in 2012, which could be a blueprint for improved digital privacy. The framework calls for individuals to have more control over their information, including the right to limit how much of their data is collected, the right to have barriers on how companies can use that data, the right to have that data secured and other safeguards.

Until then, whatever happens next is difficult to predict.

“We’re seeing the law try to respond to technology, and it’s trying to respond in a slow and sometimes jerky way,” said Jay Ward, an attorney specializing in IP and privacy issues at Bilzen Sumberg. “At this point that was just the opening move in a chess game against the U.S. And it was a good move.”