The US and European Union have struggled for years to maintain open channels of Internet communications while reconciling growing demands for public safety and communications privacy.  This year the needs of trans-Atlantic public safety and privacy are headed for a collision.  What’s the conflict?

The International Communications Privacy Act (ICPA)

In the Subsentio Government Affairs blog of July 21, 2017, we described a pending statutory amendment in Congress that would streamline cross-border investigations by law enforcement agencies in the US and Great Britain.  The bill, called the International Communications Privacy Act (ICPA), would help US agencies collect suspect data from communication service providers (CSPs) in Great Britain, and likewise British authorities could obtain suspect data from CSPs in the US.  A common standard of due process would govern data captures in both directions to protect suspects’ rights.

As soon as this year the responsible Congressional committees may bring the ICPA to a vote.  If the US-British “cooperation agreement” succeeds, it will ease regulatory pressures on the communications industry.  CSPs will no longer encounter conflicts of law where they are ordered by one of the Atlantic allies to deliver certain subscriber data but prohibited by the other from disclosing the data.  Streamlining the cross-border flow of investigative data would presumably help solve crimes and curb terrorism in an age when both types of threat are rising.

The Schrems v. Facebook Case

Or such was the hope. Nothing is that simple in the realm of international law. Adding a new twist, the EU is litigating the permissibility of transferring any personal data – not just data sought by police departments – from the EU to the US. The driver in this case is a privacy suit: Schrems v. Facebook (“Schrems II”).  Schrems II is named after the plaintiff, Max Schrems, an Austrian lawyer and privacy advocate.  Mr. Schrems filed the “Schrems I” lawsuit that caused the Court of Justice for the European Union (EU Court of Justice) in October of 2015 to overturn the EU-US Safe Harbor Agreement for the transfer of personal data.  The EU-US Safe Harbor framework had entitled a US company to handle EU personal data by committing to certain EU privacy safeguards as enforced by the US Federal Trade Commission.   Responding to the demise of the Safe Harbor, EU and US authorities scrambled to develop a more privacy-protective data transfer scheme called the “Privacy Shield.”

The Schrems II petition challenges yet another method of trans-Atlantic data sharing established for companies unable to rely on the Safe Harbor or Privacy Shield.  This alternate protocol is called the Standard Contract Clauses (SCCs).  Essentially, an EU company may transfer personal data to an American company if the American entity signs a contract containing the privacy dictates of the SCCs.  Mr. Schrems alleges that the SCCs lack adequate privacy protection for EU citizens because once their personal data falls into American hands it may be subject to American surveillance.

Schrems II gained currency earlier this year when the Irish Data Protection Commissioner deemed the complaint meritorious and referred it to the Irish High Court.  Now the High Court has escalated the case to the EU Court of Justice.  The EU Court of Justice may strike down the SCCs, just as it previously outlawed the Safe Harbor.  Such a legal blow would block all kinds of trans-Atlantic business transactions including credit card charges, hotel reservations, and the cloud storage of employee records.  As a result, observers say nearly a trillion dollars of EU-US trade would grind to a halt, at least until international authorities create a more privacy-protective version of the SCCs. 

The policy conflict between public safety and privacy

Notice the disconnect between the above-described policy trends.  One group of EU and US authorities is building a legal vehicle to carry personal suspect data more easily between them for the betterment of law enforcement.  A separate EU initiative would constrict the flow of all trans-Atlantic personal data to withhold it from US law enforcement. 

When Great Britain exits the EU it will be free to adopt its own privacy rules.  But a pending data protection bill in Britain already proposes to incorporate the EU’s General Data Protection Regulation into British law.  Thus, EU privacy standards will likely apply to British citizens in the post-Brexit era. 

Is the policy conflict necessary?

Earlier this decade, leaks of classified information revealed that US surveillance technology was more powerful and pervasive than was commonly believed.  The public learned that the US National Security Agency, among other things, monitored large volumes of European communications.  EU citizens understandably reacted to the news by strengthening their privacy defenses.  Many Europeans believe US intelligence spies on them routinely and pervasively without legal cause.

In reality, the US Constitution and criminal procedures strictly protect individuals from unwarranted intrusion by law enforcement.  When seeking access to a suspect’s voice conversations or Internet transmissions, American law enforcement agencies must clear legal hurdles that are as high as – if not higher than – those governing EU investigators.

For example, the American due process standard of “probable cause” is higher than the standard commonly applied in the EU to justify real-time surveillance.  US courts authorize the interception of only a suspect’s communications metadata in instances where they find no need to intercept the person’s phone calls or emails.  In the EU, authorities issue intercept orders without distinguishing between metadata and communications content.  Many EU member states require CSPs to retain subscriber metadata for later possible use by law enforcement.  The US has no comparable decree.  Foreign intelligence gathering is more heavily regulated and scrutinized in the US than in the EU.

Hope to resolve the conflict

All told, the EU and US are equally committed to public safety and privacy.  They shouldn’t fight over the two policy goals.

What’s needed is an agreement for cross-border sharing of investigative data that upholds a strong standard of privacy protection.  The cooperation agreement between the US and Great Britain contains a high privacy bar.  In fact, it could set a healthy de facto standard for privacy control among other democracies.  Specifically, each nation that wants to join the US-British circle of law enforcement data sharing could be required to honor the US-British privacy terms.  That would give law enforcement and CSP subscribers a win-win.