By EDRi

The United States authorities have produced another lobbying document
to influence the European Union’s decision making on European citizens’ fundamental right to privacy and data protection.

Strangely, the document itself is not on headed paper and contains no authorship information. All of the lobbying documents produced so far have been in support of the positions taken by large US corporations and the adoption of US-style weak privacy protections in Europe.

Much of the joint US-government and corporation lobbying has centred on the misunderstanding or
misrepresentation that the proposed legislation constitutes a huge revolution,
rather than, for the most part, a reiteration of existing principles – improving implementation of legislation that has often been wilfully ignored, to the detriment of European citizens’ rights. The latest US document maintains this unfortunate trend.

Political comedy

The document explains that privacy should not be approached as a “legal harmonization exercise” but instead “interoperability of frameworks”
as this is what the United States and EU have “always done”. In other policy areas, however, the USA has no problems with imposing its will on other countries. For example, the United States keeps a so-called Special 301 “watch list” of countries that fail,
in its view, to maintain adequate levels of protection of “intellectual property” rights and threatens those countries with sanctions if
they do not follow the orders of the United States.

Political rhetoric

Instead of reasoned argument, the document launches straight into a bizarre range of desperate and groundless claims about how the proposals are going to lead to terrorism, financial meltdown and… the last refuge of the morally bankrupt politician…
child pornography. Condescendingly, the Americans suggest that European policy makers should undertake “careful, thorough examination”
of the consequences of the proposals, implying that such an examination would otherwise not take place.

Interoperability of privacy regimes

The United States document demands “interoperability” without explaining where the proposals (which are broadly identical to current EU data protection requirements) would lead to a deterioration of the current situation – which is already unacceptably weak, as shown by various studies examining, for example, the existing “Safe Harbor” system.

Having slammed the European proposals, the section of the lobby document on interoperability concludes by broadly supporting what is proposed and asking for more “self-regulation”, without providing any clues about what that would be needed for and how this would be backed up by effective legal protections.

“New” technologies – new “realities”

The US lobbying paper makes reference to the OECD Recommendation on Principles for Internet Policy Making and its support for multi-stakeholder approaches. Bearing in mind that privacy groups – one of the key stakeholders – have lost faith in the US Department of Commerce’s (DoC) work on this issue, this is surprising, to say the least. Indeed, some already doubt that the DoC’s work on multistakeholder approaches to privacy has a future.

Furthermore, the authors of the paper make reference to the OECD Recommendation on Internet policy-making but oddly forget that the civil society group at the OECD rejected the Communiqué on Internet Policy-Making.

Again with unintentional irony, this section of the paper makes reference to the “Universal Declaration of Human Rights and the International Covenant of (sic) Civil and Political Rights”. One of the main reasons that civil society rejected the OECD Communiqué was wording (pushed by the USA) which invited states to reject the rule of law and place regulation of free speech online in the hands of private companies, which would inevitably lead to breaches of, for example, Articles 17 and 19 – of the ICCPR!

RTFM – Comments on data breaches based on misreading of the proposals

The lobbying document argues that the “proposed notification period for informing supervisory authorities and individuals of data breaches is too short”. This suggests that the author of the paper did not actually read the proposals.
There is no single “notification period” for informing authorities and individuals; there are two separate requirements.

For authorities, the requirement is that, “where feasible”, a notification should be sent in 24 hours and a justification for a delay must be provided if the deadline is not met. For victims of data breaches, a notification should be sent “without undue delay” if the breach is likely to “adversely affect” the victim.

The only alternative is to allow businesses to delay notifications even where it would be feasible for them to inform the appropriate authorities, and to permit undue delays in cases where the victims are adversely affected. This appears to be a rather reckless approach, which would undermine confidence, reduce incentives for improving security and, ultimately, damage both commerce and citizens.

Data sharing among regulatory agencies

At the interparliamentary hearing on Data Protection in the European Parliament in October, US government delegates complained
about the disastrous implications of the “new” proposals on law enforcement data exchange, until Paul Nemitz from the European Commission
explained that the proposals in question are already part of EU law, without the “inevitable” negative consequences being foretold.

In this lobbying document, the entire objection to the proposals appears to be based on the fact that data protection authorities would be
able to prevent transfers where they were convinced of harm to European citizens and that authorities would be subject to sanctions in case
of failures to respect the Regulation. The alternative is not having sanctions and not having oversight.

Earlier in the document, the US authorities made reference to the International Covenant on Civil and Political Rights.
Article 17 of this binding international legal instrument establishes that “no one shall be subjected to arbitrary or unlawful
interference with his privacy”. However, the US document supports unspecified current “informal arrangements” (“arbitrary” in other words) for transferring
personal data between countries and objects to the principle that transfers should be restricted to situations where the transfer
is “pursuant to a legal obligation” or in the public interest.

Having previously complained about the overly-prescriptive nature of the proposals, the US demands a detailed definition of “public interest” before explaining that such a definition would be inadequate.

Law enforcement cooperation

The final section of the document refers to law-enforcement cooperation. The text completely misunderstands the concept of data
protection as a fundamental right, commenting negatively on the idea that minimum standards would be required of foreign law enforcement authorities, on the idea that data protection specialists should decide on data protection issues rather than law
enforcement authorities, and on the idea that both parties involved in a data exchange should bear responsibility for the data they share.
The text goes on to worry that, even though they consider the data to be crucial for fighting crime and even though they believe that the data will be treated with the necessary care, data will not be transferred if there are sanctions for abuse of the personal data in question.

Ironically, after criticising the complexity of the proposals, the US then argues that it is better to keep the chaotic patchwork of what they describe as the “hundreds of bilateral and multilateral agreements in force in the criminal justice area”
rather than adopting a consistent approach, overseen by one instrument.

On the more optimistic side, the fact that the authors of the document chose to avoid including any
authorship information, putting the document on headed paper or leaving any obvious trace that the document was even from the US authorities shows that the authors do have some understanding of the concept of privacy and data protection.

Notes:

While the EU extends privacy rules to all non-EU personal data under its jurisdiction, the US excludes non-US citizens from constitutional protections, and from meaningful protection under the PATRIOT Act, FISA, etc.

The US does not have adequate requirements on “purpose-specification and -limitation”
which is at the core of European privacy protections. Instead, its “third party” doctrine fundamentally undermines this principle.

U.S. national security access to personal data, especially in the cloud, is not subject to either meaningful substantive limitations or serious judicial oversight.

Unless all of these issues are addressed, there is barely any basis for a meaningful EU-USA discussion on mutual respect for privacy and data protection.

The unwillingness of the US to sign and ratify the Council of Europe Convention on Data Protection (by contrast, it was happy to sign the Council of Europe Cybercrime Convention) demonstrates a lack of willingness to address this issue seriously.

Analysis prepared by
Joe McNamee (Executive Director, EDRi)
Janneke Sloetjes (Bits of Freedom)
Douwe Korff (FIPR)