Battle over spying versus legitimate data transfer heats up in Congress
As negotiators from the US and the European Union work to forge a new deal on the movement of electronic data across the Atlantic, US lawmakers took a more decisive step on Thursday to assert control over a related provision that would allow European citizens to sue in US courts if their data 鈥 such as social media postings 鈥 is mishandled in an international law enforcement investigation.
In October, the European Court of Justice struck down the 15-year-old Safe Harbor data transfer agreement, used by thousands of US companies, amid concerns about how the act could be used to further US government surveillance programs.
In the wake of that decision, originally filed against Facebook鈥檚 European arm in Ireland, attention has shifted to several related proposals to restore cooperation between the two regions.
Lawmakers and tech companies have particularly focused on the Judicial Redress Act, which extends the right to sue for data misuse 鈥 currently provided to US citizens under European law 鈥 to European citizens in US courts. It isn't seen as essential to renegotiating the Safe Harbor pact, but European regulators have said passing the bill would be significant as a sign of good faith.
鈥淔rom an industry perspective we鈥檝e been supportive of it, I think it is sort of a brick in the wall to rebuild trust across the Atlantic from the Internet user鈥檚 perspective, not so much from the political [angle],鈥 said Bijan Madhani, public policy and regulatory counsel at the Computer and Communications Industry Association, a trade group that includes Google, Facebook and Microsoft, at a conference in Washington earlier this week.
On Thursday, which is Data Privacy Day in the US, known as in Europe, lawmakers from the Senate Judiciary Committee voted 19-1 in favor of the bill. The committee will also hold hearings on two of the surveillance programs disclosed by former NSA contractor Edward Snowden next week.
The bipartisan group 鈥 which includes presidential candidate Ted Cruz, who was not present at the meeting 鈥 also accepted an amendment to allow the US Attorney General to limit the right to sue to only citizens of countries that were participating in an international data-sharing deal such as Safe Harbor.
鈥淭he Obama administration believed it needed to make concessions in order to share law enforcement info with the European Union,鈥 said Sen. John Cornyn (R) of Texas, who proposed the amendment. 鈥淭oday, when Europe and the United States face common threats like radical Islamic terrorism, sharing law enforcement information should be a matter of common interest, period. We shouldn鈥檛 have to barter for it."
But citizens could also see those rights to sue revoked if a country 鈥渋mpedes鈥 the transfer of information related to criminal conduct of a person or private company, according to a .
Privacy groups have expressed concerns that the bill 鈥 which allows the Attorney General to set which agencies are covered 鈥 doesn鈥檛 provide sufficient safeguards for European citizens concerned about how their data could be used.
The Electronic Privacy Information Center has been of the bill until regulators make public the larger 鈥渦mbrella agreement鈥 between the US and Europe that would further define how the two sides share information.
On Tuesday, the group said, the Justice Department responded to its public records request, revealing a for the first time.
Privacy groups also point to distinctions between US and European law 鈥 which has traditionally held privacy protection, including for electronic communication 鈥 as an fundamental human right.
That鈥檚 even reflected in the naming conventions for Thursday鈥檚 celebration, which was first proposed in Europe in 2006.
鈥淭he idea of 鈥榗elebrating鈥 聽the expansion of an individual's right to include his or her data is a radically European idea. The notion that government 鈥 specifically, the EU 鈥 should do something about enforcing that right is also deeply European,鈥 writes Jim Kinsella, a former Microsoft executive who founded a European cloud data storage firm called Zettabox, in . 鈥淥n the other side of the Atlantic, the concept is reversed: that is, the individual is expected to take responsibility for his or her own privacy. Informing the individual about risks, about tools they can use and about the state of cybersecurity is thought of something the government can legitimately do."
Mr. Kinsella points to the General Data Protection Regulation, a set of rules being developed by the European Commission that would require all companies that store data in Europe to follow European law, as a more robust protection for citizens concerned about how their data could be used. The regulations up the stakes for businesses by fining them up to 4 percent of their global revenue if they fail to protect their customers鈥 data, he notes.
But as the deadline set by the European high court looms 鈥 regulators have said they hope to release a new Safe Harbor agreement by Feb. 2 鈥 lawmakers in the US are taking a different approach.
鈥淚'm going to make sure ... that we don't just try to do something to help them out and we don't protect our interests,鈥 Senator Cornyn, the Senate鈥檚 number two Republican, , referring to the European Union.
鈥淯S companies should not have to endure regulatory threats in an attempt to change our policies or laws,鈥 he added on Thursday, just before the Judiciary Committee voted to adopt the bill.
