U.S. Plan Would Boost EU Privacy Rights

Under Proposal, EU Citizens Could Sue for U.S. Privacy Violations
U.S. Plan Would Boost EU Privacy Rights
Eric Holder

The Obama administration wants to give EU citizens the right to file lawsuits, in certain circumstances, if the U.S. has violated their privacy rights. But Congress must approve the proposal.

See Also: Unlocking Software Innovation with Secure Data as a Service

U.S. Attorney General Attorney General Eric Holder announced the proposal June 25 in Athens, Greece, where he'd been co-chairing a meeting of the EU/U.S. Justice and Home Affairs Ministerial, which is designed to further American and European cooperation when it comes to combatting cross-border crime and terrorism.

Holder has also been negotiating a new EU-U.S. Data Protection and Privacy Agreement with his European counterparts, including EU Justice Commissioner Viviane Reding. The new agreement would pave the way for greater sharing of information between law enforcement agencies in the United States and the EU.

"In a world of globalized crime and terrorism, we can protect our citizens only if we work together, including through sharing law enforcement information," Holder says. "At the same time, we must ensure that we continue our long tradition of protecting privacy in the law enforcement context. We already have many mechanisms in place to do this, and we have - on both sides of the Atlantic - an outstanding record of protecting the privacy of law enforcement information. But we can always do more."

The EU and the United States have reached an agreement on an "umbrella" Data Protection and Privacy Agreement that covers how both police agencies and judicial bodies can cooperate. That agreement is the result of efforts that began during George W. Bush's administration, then intensified three years ago. The resulting framework agreement would give Europeans a recourse to sue over U.S. privacy rights violations by granting them the same rights enjoyed by U.S. citizens under the Privacy Act of 1974, which regulates how personal information can be collected, maintained and used by federal agencies.

"EU citizens would have the same right to seek judicial redress for intentional or willful disclosures of protected information, and for refusal to grant access or to rectify any errors in that information, as would a U.S. citizen under the Privacy Act," Holder said. "This commitment - which has long been sought by the EU - reflects our resolve to move forward not only on the DPPA itself, but on strengthening transatlantic ties."

Privacy Rights Parity

Reding characterizes the arrangement as a move toward privacy rights parity. "The U.S. administration is now announcing that it will take legislative action to fill the gap between the rights that U.S. citizens enjoy in the EU today and the rights EU citizens do not have in the U.S. - something which the [EU Justice] Commission has been arguing for during the past three years," she says. "This is an important first step towards rebuilding trust in our transatlantic relations."

The reference to "rebuilding trust" suggests that the Obama administration's bargaining power has been undercut by the past year's revelations of the National Security Agency's harvesting of Europeans' private data as part of its mass surveillance system. While many EU countries' intelligence agencies appear to be working with the NSA, the ongoing revelations of its vast digital dragnet triggered widespread anger among many European citizens and their elected EU representatives.

"One year ago, the [Edward] Snowden revelations were a true wake-up call ... to show that we do need laws and we do need rules that protect our business and citizens from undue snooping," Reding said in a June 6 speech in Luxembourg. At that time, she characterized the EU/U.S. Justice and Home Affairs Ministerial negotiations - including an updated Safe Harbor data sharing agreement - as being 95 percent agreed, saying what was yet to be resolved was the matter of "judicial redress." The EU also wanted assurances that U.S. law enforcement data requests wouldn't be for large quantities of information, but instead "always ... framed by clear laws or judicial warrants," she said.

Over the past three weeks, the EU appears to have negotiated those sticking points to its satisfaction.

Now, of course, the Obama administration must convince Congress to pass legislation granting Europeans the aforementioned privacy rights - and Reding has called on Congress to do just that. "The announcement should be swiftly translated into legislation so that further steps can be taken in the negotiation," she says. "Words only matter if put into law. We are waiting for the legislative step."

London-based civil rights group Privacy International has welcomed the agreement, albeit with some caveats. "It is a good step forward. Nonetheless, there are three massive impediments to achieving equivalent protection under law," Gus Hosein, executive director of Privacy International, tells the Guardian. "First, Congress needs to act on this, and we haven't seen many positive steps on protecting non-Americans' rights."

In addition, he characterizes the U.S. Privacy Act as being "an unfortunately weak legal regime." Finally, he notes the agreement did nothing to curb U.S. intelligence agencies amassing large amounts of data on non-U.S. citizens.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.




Around the Network