Tsibouris & Associates

Friday, June 07, 2013

PRISM and NSA-Verizon Disclosures May Hurt EU Data Protection Regulation Efforts

By Mehmet Munur

Recent disclosures relating to PRISM and Verizon-NSA wiretapping may hurt efforts to make the EU General Data Protection Regulation less prescriptive and more business friendly for American companies. These programs will give support to the proponents of making international transfers more difficult and possibly place the U.S. Department of Commerce Safe Harbor Programs in jeopardy. Leaving aside for the moment the civil liberties arguments, which are paramount, Congress should reform the laws to better balance Fourth Amendment rights with national security imperatives and also ease burdens relating to international data transfers for multinationals.

In recent months, there has been a concerted effort to make the upcoming EU Data Protection Regulation less prescriptive and more streamlined. There has also been an effort to ease any issues relating to international data transfers to the U.S. For example, the DoC recently issued a document titled Clarifications Regarding the U.S. – EU Safe Harbor Framework and Cloud Computing. The DoC stated that the Safe Harbor frameworks were open for cloud service providers, stated that they would not have to enter into Standard Contractual Clauses, countered some arguments made by the Article 29 Working Party relating to the Safe Harbor, and expressed confidence regarding the continued availability of the Safe Harbor after the implementation of the General Data Protection Regulation. The FTC has also kept up its efforts on this front by bringing enforcement actions under the Safe Harbor, directly communicating with the European Commission on privacy issues, and regularly attending the International Conference of Data Protection and Privacy Commissioners meetings. In a similar vein, law firms and think tanks have issued white papers arguing that governments all over the world (not just the U.S.) have access to personal information held in the cloud. One white paper argues that the right of the government to access data stored in the cloud exists in every jurisdiction. The other attempts to dispel misconceptions relating to the Foreign Intelligence Surveillance Act.

If the revelations relating to the NSA's access to phone records and the scope of PRISM are true, then they may undermine these concerted efforts. European lawmakers may once again point to the U.S. and argue that the scope of the government’s access to data stored in the cloud is far greater than elsewhere in the world. This may impede the ability of the Safe Harbor to survive the revision of the EU Data Protection Directive into the General Data Protection Regulation. This may adversely impact the cloud service providers who depend on the Safe Harbor. In addition, the criticism from the EU may also apply equally to cloud service providers and other multinationals who transfer personal information—due to their internal HR data transfers or otherwise. The scrutiny from European Data Protection Authorities may become so intense that Standard Contractual Clauses and Binding Corporate Rules become the only viable alternatives. While these methods are appropriate under some circumstances, they are not appropriate for all circumstances due to cost and complexity. The added cost and complexity of abiding by these obligations may adversely affect the bottom line of small and medium-sized enterprises—to say nothing about lost business due to individuals moving to European-based cloud service providers.

Therefore, Congress should take this opportunity to revise the aging Electronic Communications Privacy Act (parts of which are unconstitutional), laws relating to National Security Letters (some of which have been found unconstitutional by one district court), and FISA (which is at the center of the NSA-Verizon and PRISM disclosures) to better balance Fourth Amendment protections and to help multinational companies with international data transfers.