Why the U.S. Is Held to a Higher Data Protection Standard Than France
That certain European countries have laws permitting mass surveillance is not news to lawyers who follow the matter. In a 2012 whitepaper, we highlighted the broad and sometimes unsupervised powers of intelligence agencies of certain European governments. As Muiznieks’s column states, intelligence agencies are getting more surveillance power, not less. France’s July 2015 surveillance law permits intelligence agencies to scan metadata of all citizens in order to detect suspicious patterns. Other European countries are also broadening surveillance powers to protect against terrorism.
As Eduardo Ustaran pointed out, finding the right balance between protection of privacy and effective protection against terrorist attacks is a wrenching and perhaps insoluble debate in most democratic countries. In France, at least, the political reality is that privacy advocates have almost no political influence in the debate. One of the authors of this blog sat on a bipartisan commission at the French National Assembly designed to help lawmakers take fundamental rights into account when considering measures affecting the Internet. The Commission’s conclusions were that French laws violate European data protection principles because France has not modified its rules on telecom data retention, even though the underlying directive on which those rules are based was found illegal by the European Court of Justice (ECJ).
As regards the new French law on surveillance, the Commission pointed out that the indiscriminate analysis of metadata to detect suspicious patterns would almost surely fail the proportionality test set forth in the ECJ’s Digital Rights Ireland decision. The parliamentary commission’s findings are consistent with those of the CNIL. Yet the French law on surveillance was adopted almost unanimously by the French Parliament. The privacy objections were inaudible, particularly in the aftermath of the Charlie Hebdo terrorist attacks in Paris.
The reality is that data protection authorities in Europe have very little power over the laws in their own country. They have much more power over non-EU countries because they can theoretically block data transfers.
After the ECJ’s Schrems decision invalidating the U.S. Safe Harbor regime, all eyes are fixed today on the U.S. The inadequacy of the U.S. data privacy framework—and in particular of U.S. intelligence gathering practices—is at the top of the agenda for every data protection authority in Europe. Some data protection authorities are making broad statements that any form of transfer to the U.S. may be illegal. The European Commission and the U.S. government are working to build a new safe harbor agreement addressing in particular the issues relating to European citizens’ rights vis-à-vis U.S. intelligence gathering practices.
But we cannot help but ask whether Europeans are holding the U.S. to a higher standard than that to which they hold their own Member States.
If France’s laws were analyzed under the Schrems adequacy framework, France would likely be considered as offering inadequate protection and data transfers to France would be prohibited. The reality is that data protection authorities in Europe have very little power over the laws in their own country. They have much more power over non-EU countries because they can theoretically block data transfers. It is natural for data protection authorities to invest their efforts in areas where they actually have power.
The guardians of human rights in Europe are the European Court of Human Rights, which operates within the framework of the Council of Europe, and the ECJ, whose job is to apply the treaty of the EU and indirectly the European Charter of Fundamental Rights. Sadly, even these courts do not have a direct and immediate effect over laws in a country like France. For example, the ECJ decided on April 8, 2014 that Europe’s directive requiring telecommunications operators to store metadata violated fundamental rights, and yet France has still not modified its own law on the subject.
Also, appeals to these European courts take a long time.
If an individual were to challenge France’s new surveillance law as violating fundamental rights, the matter would have to go up to the highest court in France before the case could be taken to the European Court of Human Rights or the ECJ. The result is that France is under little internal or external pressure to change its laws. Internal pressure from the CNIL and advocates of data protection is politically weak. External pressure is also weak because court procedures are long and no one is threatening to block data transfers to France in the meantime. Statements by the European Parliament, such as the October 29, 2015, resolution, have very little influence on domestic politics.
The U.S. is being held to a higher standard than countries like France. This double standard has a logical explanation. Data protection authorities in Europe have power through their authority on data transfers to put pressure on the U.S., but they don’t have the same powers vis-à-vis European national governments. Data protection authorities have little to gain by fighting battles they know they can’t win. It makes more sense to fight battles they can win. As a result, focusing on data transfers to the U.S. is a no brainer.
This entry originally was published on the International Association of Privacy Professionals’ (IAPP) Privacy Perspectives blog.