New privacy laws are a must if Congress wants to keep Europeans happy with American privacy standards and surveillance practices, according to lawmakers and advocates. As the United States and European Union negotiators draw near to a new agreement on cross-Atlantic data transfers, members of the industry are worried about deal’s shortcomings.
In early October, the European Court of Justice invalidated the ‘Safe Harbor’ agreement that permitted thousands of businesses to send data from European servers back to the United States. Europe’s highest court struck down the agreement due to a lack of privacy protections in American law and Europeans’ lack of trust in the U.S. government’s surveillance practices.
To reach a new deal, and to regain the Europeans’ trust, lawmakers have called for an update to American privacy and surveillance laws. This process began a few weeks ago when the House passed the Judicial Redress Act. But lawmakers and industry participants say there is a long way to go.
Negotiators between the U.S. and the E.U. also have “agreed in principle” on a data-sharing pact to replace Safe Harbor. That deal is expected soon.
Experts say that the U.S. needs to go much farther. American surveillance and privacy laws need updates to keep Europe content part of the digital trade economy, they say, regardless of how negotiations over ‘Safe Harbor 2.0’ end.
“The biggest thing that Congress can and should do is begin the process of reforming section 702 of the FISA Amendments Act,” Ross Schulman, senior policy counsel at the Open Tech Institute, said in an email. “The current surveillance laws under 702 were the basis for a large portion of the [European] court’s reasoning… and it seems clear from analysis that any attempt to recreate a new Safe Harbor without addressing 702 is going to run afoul of the [European Court’s] decision.”
Section 702 refers to a provision of the Foreign Intelligence Surveillance Amendments Act, passed by Congress in 2008. The section permits surveillance of non-U.S. persons living abroad and authorizes foreign surveillance campaigns conducted by the National Security Agency.
Marc Rotenberg, president of the Electronic Privacy Information Center echoed the calls to change Section 702 at a hearing Tuesday. “If you only have a revised Safe Harbor 2.0 and you don’t address the 702 problem… And [if] you don’t solve the problem that the [Federal Trade Commission] actually doesn’t have enforcement, I think you will almost immediately see European data protection agencies attack the revised agreement,” Rotenberg said.
The hearing was held jointly by the House Energy and Commerce Communications and Technology Subcommittee and the Commerce, Manufacturing and Trade Subcommittee.
Lawmakers generally agreed. Rep. Jan Schakowsky (D-Ill.) said the European court’s ruling “does rightly call into question the adequacy of U.S. data security practices.”
Schakowsky said she plans to introduce legislation that “would enhance data security standards here at home and would probably have the added benefit of making the E.U. more confident in U.S. privacy and data security standards.”
She said the bill would require strong security standards for a range of personal data, such as geo-location, health-related information, biometric identifiers, email, and social media account information. It would also require companies to report data breaches to consumers within 30 days of the incident.
Full committee ranking member Frank Pallone (D-N.J.) said Congress should pass “effective baseline privacy and data security protections. …For the Internet of the future, economic gains and consumer protections go hand-in-hand. When consumers feel safe, that their personal information is protected, they do more business online.”
Rep. Joe Barton (R-Texas), a staunch conservative, also saw the E.U. high court’s decision as reason for Congress to act. Barton founded the Privacy Caucus in Feb. 2000 with then-Rep. Ed Markey (D-Mass.), who is now a senator. The bipartisan group of lawmakers seeks to press data privacy and security issues in Congress, and is now led by Barton and Rep. Diana DeGette (D-Colo.).
“If I put my Privacy Caucus co-chairman hat on, I think the European Union has highlighted a substantial issue in that the U.S. privacy laws aren’t as strong as they could be and people like me think they should be,” Barton said.
Rotenberg stressed that privacy protections are vitally important to the citizens of the E.U. “European regulators are trying to protect a consumer interest, which is data protection, set out in the Charter of Fundamental Rights,” he said. “This is the European bill of rights, and they have set up privacy and data protection as cornerstone rights of their legal systems.”
Once a data sharing deal is finalized, it’s not even clear that the new pact will even be upheld in various European countries. Robert D. Atkinson, President of the Information Technology and Innovation Foundation, said in an interview on Monday that if some countries’ data protection agencies aren’t happy with either provisions within the deal or the idea of handing over data to the U.S., they could challenge the decision.