Governments should resolve, rather than create, new conflicts of privacy laws
The cross-border nature of the Internet disrupts the traditional notion of geographically defined national jurisdictions. Increasingly, contradicting privacy laws confuse consumers and force international companies to violate one country’s law in order to comply with another’s.
Three high-profile cases have privacy experts, and all the rest of us, really confused:
Case one: The European Parliament vs The U.S. Foreign Intelligence Surveillance Act (FISA)
The European Union is in its final stretch of agreeing a reformed data protection framework. In the frenzy following the Snowden revelations, the European Parliament (EP) looked for ways to force the U.S. Government to reform its surveillance practices. One means for doing so is a well-intended article in the proposed EU general data protection regulation, which is popularly known as the “anti-FISA clause.” This provision, Article 43a, would severely limit the circumstances under which a company is allowed to provide third country authorities with Europeans’ data. Today, companies are often asked to respond to requests for data to be used in a criminal investigation or by a regulatory authority acting in the public interest, e.g., from third countries’ consumer and environmental agencies. As EU negotiators are about to conclude the data protection regulation, it is becoming evident that the EP’s proposal would place companies in legal limbo due to contradictory EU and U.S. laws.
The reform that the EP wanted can only be truly addressed through the direct talks between governments currently taking place. The EP should avoid imposing contradicting obligations on international firms by forcing them to violate another country’s laws.
Case two: The U.S. Department of Justice vs Microsoft
In December 2013, the U.S. government was issued a search warrant to obtain the contents of emails and other details from a user account hosted by Microsoft on a server in Dublin, Ireland. Microsoft refused to turn the emails over to the government, arguing that a U.S. judge had no authority to issue a search warrant for records stored abroad, and instead the U.S. Government should utilise the process detailed in the U.S.-Ireland Mutual Legal Assistance Treaty (MLAT). Supplying the content could also potentially put Microsoft in breach of EU privacy law, and could constitute an illegal extraterritorial application of U.S. law. The case will next be argued in the U.S. Court of Appeals for the Second Circuit tomorrow, September 9, with a final ruling expected in 2016. The ruling would likely generate more jurisdictional questions than answers.
I would argue that such tricky questions related to international jurisdiction should be clarified by elected European and U.S. lawmakers rather than a national court.
Case three: A European vs a global “right to be forgotten”
France’s Data Protection Regulator (CNIL) is leading a campaign to globally enforce a controversial 2014 European court ruling that requires search engines to delist personal information, even if accurate, from search results. Since the ruling, search engines have received hundreds of thousands of requests for the removal of all sorts of content, including serious criminal records, embarrassing photos, and negative press stories.
The ruling forces online companies to act as judges, on a case-by-case basis, in striking the right balance between individuals’ right to be forgotten and the public’s right to information. Many fear that the ruling could set the precedent for large-scale private censorship in Europe.
This summer, CNIL threatened Google with penalties should it not remove links to such information from all its sites around the world—so not just google.fr, but also google.com. This jurisdictional overreach would significantly deteriorate the online search experience for the nearly 7 billion non-Europeans around the world. Imagine reactions in Europe if third country authoritarian leaders similarly asked to have all search links to unflattering news stories removed world-wide! One solution could be to limit delistings to services directed at European users, as is already happening. Unfortunately, this would mean that an online startup would only be able to launch when it has tens or hundreds of customized services in place that would abide by each national rule globally.
So where does this mess leave us?
The global nature of the Internet disrupts centuries-old understandings of geographic jurisdictions. Lawmakers must ensure that their national privacy laws are internationally implementable to the benefit of consumers, global companies, and law enforcers.
The good news is that privacy lawmakers and legal experts are discussing how to develop interoperable privacy rules. Europe and the U.S. have a track record of solving potential conflicts of law. The Safe Harbour framework for instance has for the past 15 years bridged EU and U.S. privacy regimes. It has enabled more than 3,000 firms to adhere to European data protection standards to the benefit of consumers and transatlantic commerce. An updated and stronger Safe Harbour regime is currently under discussion and so is a new EU-U.S. framework for sharing of data for law enforcement purposes.
Europe and the U.S. could well discover that there is global demand for interoperable and workable privacy laws.