Snowden, Schrems, safe harbor ... it's time to rethink privacy policies, says FTC commish

FTC Commissioner Julie Brill views the landmark decision to kill the US-EU safe harbor agreement as an opportunity to improve privacy laws on both sides of the Atlantic.

The safe harbor pact allowed Europeans' personal and private information to flow into American data centers, but that agreement was torn up by the European Court of Justice (ECJ) this month in the wake of the NSA's mass surveillance of foreigners.

Giving the keynote at the Amsterdam Privacy Conference on Friday, Brill – one of four commissioners at the US trade regulator – took a largely pro-Schrems line; Max Schrems being the law student who kicked off this whole thing.

But she couldn't resist poking European regulators in the ribs about the need for an "honest" discussion about what is done with people's data.

"Transatlantic Privacy After Schrems: Time for An Honest Conversation" was the title of her talk [PDF]. But while Brill failed to give any detail beyond general goals, her comments highlight that the FTC, the consumer protection arm of the US government, is looking to make some serious changes in how people's personal details are handled in the internet era.

The decision by the European Court of Justice "came as a shock to many policy makers and companies in the United States," Brill noted, quoting from a private meeting held in Silicon Valley last week in which the local Congressional representative said it "measured 7.8 on the Richter scale."

Brill noted that the Edward Snowden revelations about global NSA surveillance, which fueled the Schrems case, has put a spotlight on an agreement that already needed updating, but argued that the safe harbor framework was "the wrong target for arguments that US surveillance practices violate the privacy rights of Europeans."

She pointed out that the decision doesn't dig into the actual practices of Facebook and argues that the loss of safe harbor may mean a loss both in transparency and in the FTC's ability to come down on companies that violate the framework's rules. "Although companies with approved binding corporate rules are listed on the European Commission's website, the details of the rules that each company creates for itself are not public," she notes, while pointing out that "the invalidation of the Safe Harbor decision removes the most explicit link between FTC enforcement and our ability to protect European consumers."

Differences

She also argues that when it comes to how governments view the protection of privacy, the US and Europe are not very far apart: the big difference is in how companies' data practices are handled.

In the US, she notes, "we have largely separated the discussions about data practices of commercial firms from the data practices of the government." This, she argues, allows the FTC to focus on general consumer protection and separates consumer issues from "the debates that have surrounded criminal law enforcement investigations."

However that approach has started being "eroded" because of the issue of encryption in consumer devices. Law enforcement requests that a back door be introduced in such systems to give them access to data when needed. Brill reiterated the view of her colleagues that providing such access was unnecessarily risky given that others would also exploit it, claiming that to believe otherwise was "magical thinking."

She also highlighted the fact that laws around the right of law enforcement agencies to access people's email, social network content, and cloud services were being reviewed with a view to modernizing them and restricting access to only those agencies who practice criminal, as opposed to civil, law.

Brill then took the opportunity to poke the European audience for its not-entirely-open discussion around data privacy and the government access to it.

"In the United States, we are engaged in a robust conversation about these issues," she highlighted. "I believe Europeans should engage in this discussion as well, and examine their Member States' own law enforcement and intelligence data collection practices with the same openness and recognition of the potential impact the practices may have on consumers' and citizens' privacy."

She continued: "The ECJ's decision suggests that the United States and Europe should have an honest dialogue about the 'essential equivalence' of all of these data practices within companies, as well as within our law enforcement and national security agencies."

Or in other words: just wait until you get your Edward Snowden.

Ch... ch... ch... ch... changes

Broadly, Brill pitched the audience on creating "a new data transfer mechanism that strengthens the privacy protections that were in the Safe Harbor principles." And while not disclosing any details of the text that has been under negotiation between the European Commission and the US government, she said she had "every reason to believe that both sides understand the need to ensure that these substantive protections are more robust, and that both sides have been working to that end."

In short, Brill said the Schrems decision has highlighted "the need to have an honest conversation about the strengths and weaknesses of privacy protections on both sides of the Atlantic."

Next week a meeting of data protection and privacy commissioners from around the world will gather in Amsterdam in an effort to find common ground on what to do with online privacy and how they can work together.

The conversation will be based around a report released this week called "Privacy Bridges: EU and US Privacy Experts in Search of Transatlantic Privacy Solutions." It suggests 10 "bridges," such as improving transatlantic coordination between agencies, coming up with uniform practices for businesses to provide data to government access requests, developing best practices to anonymize users' data, and so on. ®