CDD

Safe Harbor on Data Declared Illegal: Message to U.S.—Time to Enact Privacy Law that Protects Americans and Supports Global Data Protection

Jeff Chester

Today’s historic decision by the European Court of Justice, which overturned the purposely ineffective “Safe Harbor” deal enabling data to flow to the U.S., is very welcome. As one reads the court’s findings, it’s clear that for the EU, fundamental and human rights include the right to have your personal privacy protected. That means protection from both governmental surveillance (such as by the NSA and other intelligence agencies) and commercial Internet companies, such as Google or Facebook.

Advocates always recognized that the Safe Harbor agreement brokered by the Clinton Administration was a digital privacy ‘house of cards.’ All U.S. companies needed to do was to sign up for some inadequate principles that allegedly would protect the EU public. The Federal Trade Commission was supposed to investigate problems. But as CDD demonstrated last year in its complaint to the FTC on how leading U.S. companies were thumbing their data-collecting noses at Safe Harbor, the system doesn’t really do much of anything. Safe Harbor is run by the U.S. Department of Commerce, whose political loyalties (and revolving door) lie with the data collection industry.

The message to America from the EU is clear: enact comprehensive privacy legislation. It has to meet (and should try and exceed) the high bar set by the EU. It can’t be the weak and self-regulatory based “Privacy Bill of Rights” proposed this year by the White House. It has to define strong and enforceable rights, including limiting Big Data style collection—which is now a pervasive part of our online landscape. The law should empower an independent privacy commissioner and give the FTC real regulatory clout. The U.S. also should endorse the EU’s framework on privacy that is supported by many countries around the world.

In its decision, the European Court of Justice reaffirmed what its Advocate-General had explained earlier: that the U.S. Federal Trade Commission does not have the statutory authority and legal powers to protect a person’s privacy as required by the EU. In the EU, privacy is a “fundamental right.” In the U.S., consumers have really very few such rights online. The court explained yesterday (in referring to the 2000 decision by the EU approving the Safe Harbor deal with the U.S.) that: “Decision 2000/520 does not contain any finding regarding the existence, in the United States, of rules adopted by the State intended to limit any interference with the fundamental rights of the persons whose data is transferred from the European Union to the United States, interference which the State entities of that country would be authorised to engage in when they pursue legitimate objectives, such as national security… Nor does Decision 2000/520 refer to the existence of effective legal protection against interference of that kind. As the Advocate General has observed in points 204 to 206 of his Opinion, procedures before the Federal Trade Commission… are limited to commercial disputes…”

The business lobby has consistently fought against legislation that would empower the FTC to regulate privacy and other commercial practices. Consequently, while the commission does what it can (and is very active working to help the public), it cannot address the fundamental issue. U.S. companies gather and use our information in far-reaching, non-transparent and often troubling ways (think of all the secret “scoring” of people that goes on to assess how to treat them; or the use of race, ethnicity, income and location to track and target us, regardless of device, etc.). Safe Harbor cannot be fixed without the U.S. enacting comprehensive privacy legislation that brings it in sync with the EU. The time to do so is way past due.

Kudos to Max Schrems, who brought the case, and is a tireless and effective privacy campaigner. See BEUC, PI and TACD statements as well.