Call For Robust Privacy Legislation In Wake Of EU Safe Harbor Strike-Down

A group of U.S. and EU digital rights organizations and consumer NGOs — including the EFF, the U.S. Center for Digital Democracy, the European Consumer Organization and Privacy International — have issued a statement calling for a “meaningful legal framework” to protect fundamental privacy rights in the digital era.

The statement comes as a critical response to the publication earlier this month of the Bridges report: a joint project between U.S. and EU academics — and including the involvement of the Dutch data protection agency — advocating for continued reliance on existing laws coupled with industry self-regulation as a middle-of-the-road approach to safeguarding privacy rights.

The Bridges report advocates for, as they put it, “a framework of practical options that advance strong, globally-accepted privacy values in a manner that respects the substantive and procedural differences between the two jurisdictions” — such as offering standardized user controls and user complaint mechanisms, and best practices for the de-identification of user data, among other proposed measures.

However the EFF et al are highly critical of this approach — dubbing it “failed policy” and “remarkably out of touch with the current legal reality”.

“Digital rights organization and consumer NGOs call on the Data Protection Commissioners to refocus their attention on the need to update and enforce privacy law,” the group said today.

The current legal reality on the U.S.-EU data privacy front includes the ruling, earlier this month, by Europe’s top court, the ECJ, invalidating the Safe Harbor data-sharing agreement — which had governed data flows between the regions for some 15 years, allowing companies sending EU data to the U.S. for processing to self-certify they would provide “adequate protection”.

The court ruled that such self-certification failed in an era of mass surveillance by government intelligence agency dragnets — opening the door to individual reviews of data transfers by data protection authorities in individual European Member States.

This is not a situation conducive to operational certainty for businesses — with DPAs already issuing differing opinions on the current post-Safe Harbor scenario. For example, guidance issued by the U.K.’s ICO differs greatly in tone from a position paper published by German data supervisory authorities in the wake of the ECJ ruling.

So while the ICO is telling businesses and organizations not to panic or “rush to other transfer mechanisms that may turn out to be less than ideal” — arguing the impact of the judgement is “still being analysed” — the German DPAs suggest they will immediately be prohibiting data transfers to the U.S. that are solely based on Safe Harbor, as well as specifying other explicit controls, such as that consent clauses cannot be used to sanction ‘repeated, mass or routine data transfers’.

Meanwhile, the European Commission is attempting to hammer out a so-called Safe Harbor 2.0 agreement with the U.S. in the next few weeks, to try to reestablish a data flows agreement. Although any such deal is likely to face fresh legal challenges unless the U.S. agrees to substantial concessions on surveillance and privacy rights. (Yet only yesterday the Senate passed another bill that critics say will expand government agencies’ surveillance capabilities…)

With existing legal frameworks governing data protection under continued pressure from the surveillance state — and new tech challenges to privacy pushing into the frame all the time, whether it’s from AI-powered big data processing or drone surveillance — the EFF et al are pressing the case for “a comprehensive privacy legal framework” — to offer robust consumer protection, and ultimately also create legal certainty for businesses.

“Particularly after the Safe Harbor decision, the ‘Bridges report’ is remarkably out of touch with the current legal reality and what we need to do to address it,” they write, criticizing the report for failing to recommend any “substantive changes in law”.

“The practical consequence of focusing instead on failed policies, such as self regulation, will be to make more difficult the work of the privacy experts around the world who could have otherwise benefitted from a meaningful discussion about how to move forward on legislation, aggressive enforcement, and other steps that are long overdue. Yes, they are difficult; all the more reason why we need to act now,” they add.

Responding to criticism of the Bridges report and approach, Daniel Weitzner, one of the project participants and director of MIT’s Cybersecurity and Internet Policy Research Initiative, said the aim is not to encourage industry self-regulation but rather to call on the FTC and European data protection authorities to engage in “collaborative policy development”.

He also stressed that the call for the development of better user control technologies is something the report says “can only happen with clear guidelines and legal interpretations from regulators”.

“We’re not saying industry should set rules through design (that would be self-regulation) but rather that policy guidance from governments is vital,” Weitzner told TechCrunch.

“We do hope that we can contribute to progress on legislative development in both the US and EU,” he added. “I myself spent about three years working in the Obama Administration toward issuing and trying to get the US Congress to pass the Consumer Privacy Bill of Rights. That remains very important to me, but I’m also pursuing other avenues for progress.”

However that Bill was described by critics such as the NYT as “riddled with loopholes” and appearing to be “tailored to benefit Internet firms like Google and Facebook and little-known data brokers like Acxiom that have amassed detailed profiles of individuals”.

The paper dubbed it a weak reflection of U.S. consumer privacy concerns, concluding: “No bill at all would have been better than this one, which would effectively codify bad behavior.”

Weitzner is also a paid advisor to Palantir, a big data analysis company, founded back in 2004, with initial funding coming from the CIA’s not-for-profit VC arm, In-Q-Tel. On its website In-Q-Tel lists its “mission” as being to identify, adapt, and deliver “innovative technology solutions to support the missions of the Central Intelligence Agency and broader U.S. Intelligence Community”.

At the time of writing Weitzner had not responded to a request to confirm how much he is remunerated by Palantir for his advisory services.

Speaking to Politico about the Bridges report, Jeff Chester, the executive director for the Center for Digital Democracy, dubbed it a “trojan horse” — arguing that an attempt to push for transatlantic meetings before new policies are formulated is the same modus operandi as the U.S. proposals on digital trade in the proposed free trade agreement TTIP, currently being negotiated behind closed doors.

“This [Bridges report] is a backdoor way of supporting a plan by the U.S. government on digital trade that will ultimately weaken the EU data protection regime,” Chester added.

This story was updated with additional comment from Weitzner and Chester