Passage of Judicial Redress Act Crucial for Safe Harbor 2.0
Passage of the Judicial Redress Act is crucial for the European Commission and U.S. to come to agreement on a new safe harbor deal following the European Court of Justice’s recent decision to rule the safe harbor agreement invalid (see 1510060001), privacy advocates, representatives from industry and the EU agreed Friday during a Congressional Internet Caucus event. Panelists disagreed on the importance of further reform to U.S. surveillance law and the need for a comprehensive privacy law in the U.S. Earlier Friday, EU privacy chiefs gave companies until January to come into compliance with their data transfers before possibly taking enforcement actions (see 1510160030).
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
At its heart, the ECJ ruling on safe harbor is a surveillance decision, said Access Now U.S. Policy Manager Amie Stepanovich. There is a huge exception in the agreement for national security with the caveat that data could be analyzed by a government only if absolutely necessary, Stepanovich said. The court found U.S. practices didn’t ensure a high level of adequate protection of Europeans’ data, she said.
Significant changes have been made to U.S. surveillance laws since 2013, such as the passage of the USA Freedom Act, which was the biggest restriction on NSA authority since the 1970s, but Section 702 of the Foreign Intelligence Surveillance Act Amendments Act, which facilitates the acquisition of foreign intelligence information concerning non-U.S. persons located outside the U.S., hasn't been addressed, Stepanovich said. The court specifically mentioned concerns with Section 702, she said, as well as executive order 12333, which mandates rules for spying on U.S. persons and on anyone within the U.S. The court may not have been entirely accurate in how these programs work, but the court also was concerned the U.S. doesn’t grant redress rights for Europeans, Stepanovich said.
Though the court’s decision was largely about government surveillance, it also touches on commercial data practices, Stepanovich said. In its opinion, the court mentions concerns with U.S. companies self-certifying compliance with the agreement and a lack of transparency and accountability, Stepanovich said.
U.S. Chamber of Commerce Center for Global Regulatory Cooperation Director Adam Schlosser disagreed with Stepanovich’s assessment of the ruling. There was no examination of commercial practices, Schlosser said. The court solely examined national security surveillance practices based on allegations, he said. It would be helpful if the court and data protection authorities examined and considered changes made to U.S. laws since 2013, Schlosser said. He added that the court should also keep in mind the FTC brings enforcement when a company violates the self-certification. This kind of enforcement doesn't exist elsewhere around the world, Schlosser said.
U.S. and EU laws aren't the same on paper, but in many ways the U.S. law “goes above and beyond,” Schlosser said. The European Commission, U.S. Commerce Department and the FTC have been reviewing the safe harbor agreement for the past two years and are working very hard on a new agreement because data flows are the backbone of the global economy, Schlosser said.
The court should have considered surveillance conducted by EU member states, said Internet Association Legal and Regulatory Policy Vice President Abigail Slater. “People living in glass houses shouldn’t throw stones.” The court called the U.S. system of privacy inadequate but didn’t say in comparison with which countries, Slater said. The revelations made by former NSA contractor Edward Snowden disclosed that many EU member state agencies were engaged in mass surveillance of their citizens, Slater said.
Had the court considered EU surveillance and market-based solutions like increased adoption of encryption technologies, its concerns likely would have declined significantly, Slater said. Though Slater said she didn’t know if those considerations ultimately would have changed the court’s ruling, she said it’s important to see the reality on the ground on both sides.
EU delegation to the U.S. Head of Trade Section Damien Levie said Americans were reading too much into the judgment and weren't considering that the court had rules to follow. Levie added that the judges sitting in Luxembourg were really concerned that Europeans don’t have redress rights.
Congress needs to further reform U.S. surveillance programs and pass the Judicial Redress Act, which would grant Europeans some rights afforded to Americans under U.S. privacy law, such as the right to review and correct data collected on them, Slater said. Schlosser agreed Congress should pass the Judicial Redress Act, but said any further changes to surveillance law or the passage of a comprehensive privacy law would be more for Americans than Europeans. Levie said the act's passage would be a huge step forward, but added everyone needs to take a deep breath and ensure all concerns are addressed so that another safe harbor agreement isn’t struck down in a few months.
Stepanovich agreed with Levie. Passage of the Judicial Redress Act is an incremental step forward, but comprehensive surveillance reform and comprehensive privacy law in the U.S. is needed to address concerns about commercial use and access to data, she said. Stepanovich urged the Senate to remove the Judicial Redress Act as an amendment to the Cybersecurity Information Sharing Act, noting that CISA has raised concern among privacy advocates because it creates more surveillance loopholes.