TTIP: the question of data protection

Written by Jan Baeverstroem

Contrary to EUs comprehensive data protection legislation, protection of privacy in the United States relies not only on federal and state legislation and regulation but also on private-sector regulation. The US Constitution’s First amendment protects citizens’ freedom of speech and the Fourth amendment protects citizens’ freedom of speech and right to privacy in relation to the government, both in their homes, as well as on electronic devices as noted in a recent case law. There are of course several exceptions like border searches and Foreign Intelligence Suveillance.

The right to privacy in the US has also been recognised by the Supreme Court as in the case Griswold v. Connecticut. Different States offer different levels of protection of privacy. California’s constitution states that all people have “inalienable rights” among them to “pursuing and obtaining safety, happiness, and privacy”. The Privacy Act of 1974 (5 U.S.C. § 552a) is the main personal data protection law. It safeguards privacy for records held by US government agencies and requires them to apply “fair information practices”, restricts data sharing for individuals and allow citizens and lawful residents to sue the government in case of violation. The Freedom of Information Act (FOIA) gives the right for anyone to access US public records, although there are exemptions, including the protection of privacy. Furthermore the Private Protection Act of 1980 aims at protecting journalists’ sources. In addition there are a number of laws designed to protect health information, financial information, credit reporting and children. Following 9/11, with the adoption of a number of provisions in the USA Patriot Act, it became easier for law enforcers to obtain private records by changing a number of the abovementioned laws. The European Union and the United States have a number of agreements with regards to data protection. (An overview of Data protection in the EU is described in the European Parliament’s Fact Sheets on the European Union). The EU-US Safe Harbour framework tries to accommodate the differences between the EU and US approach, in order to make it easier for US companies to work in the EU. This, however, has been criticised from the beginning by both the European Parliament; in particular in its resolutions on 5 July 2000, 4 July 2013 and 12 March 2014, by the European Data Protection Supervisor, and by Civil Society organisations like Statewatch, Future of Privacy Forum (FPF) and Center for Digital Democracy (CDD).

Overviews

Civil society’s concerns about the Transatlantic Trade and Investment Partnership / Marika Armanovica & Roberto Bendini, Policy Department, Directorate-General for External Policies, October 2014 p. 16: Data privacy, the internet and intellectual property issues Striking a transatlantic data deal: the smart decision / Datagudiance, Data protectioin law & analysis, Sep 2014 Vol 11 Nr 09 The suggestion to include data flows in the Transatlantic Trade and Investment Partnership has split opinion between the EU and US. Alex Lakatos, Partner at Mayer Brown, outlines why it is essential that the subject of data is included within the deal and seeks to address some of the common reasons espoused for resisting this idea. If the EU and the US are smart, they will ensure that the Transatlantic Trade and Investment Partnership (TTIP) clears a path for free information flows between them. The transatlantic trade and investment partnership and the parliamentary dimension of the regulatory cooperation, EXPO Policy Department, Study, Alberto Alemanno, April 2014 Notamment: pp. 39-40: US Travel Promotion Act and the ESTA fee & p. 48: “SWIFT” agreement regarding US access to EU financial data Tests of Partnership : Transatlantic Cooperation in Cyber Security, Internet Governance, and Data Protection / Annegret Bendiek, SWP Research Paper 2014/RP 05, March 2014, 29 Pages, pp. 20-24 on Data protection and Civil Rights European Parliament Approves Data Protection Law, Lays Down TTIP Markers / World Trade online, March 13, 2014 The European Parliament this week adopted legislation to overhaul the legal regime for data protection in the European Union and at the same time issued a warning that it may reject a trans-Atlantic trade deal if it in any way threatens to undermine EU privacy law.

Analysis

Assessment of TTIP State of Play for Services, Investment and Data Flows / Vastine, Jensen, Lee-Makiyama, Center for Business and Public Policy, September 25, 2014 The clash of cultures: discovery and data privacy : Mitigating difficulties when EU and US systems clash / Chris Ninan, Butterworths Journal of International Banking and Financial Law, Vol. 29, No. 9, October 2014, pp. 586-588 Bridging Transatlantic Differences on Data and Privacy After Snowden / Brookings, Cameron F. Kerry, May 20, 2014 European Parliament Approves Data Protection Law, Lays Down TTIP Markers / World Trade online, March 13, 2014 The European Parliament this week adopted legislation to overhaul the legal regime for data protection in the European Union and at the same time issued a warning that it may reject a trans-Atlantic trade deal if it in any way threatens to undermine EU privacy law. Summary of impications for EU of US Foreign Account Tax Compliance Act (FATCA) on p. 3-4 in: A FATCA for the EU? : Data protection aspects of automatic exchange of bank information / Eva-Maria Poptcheva, EPRS briefing, 27/05/2013 Tests of Partnership : Transatlantic Cooperation in Cyber Security, Internet Governance, and Data Protection / Annegret Bendiek, SWP Research Paper 2014/RP 05, March 2014, 29 Pages, pp. 20-24 on Data protection and Civil Rights How Obama’s NSA Reforms Could Help TTIP / by Guest Blogger for Edward Alden, Council for Foreign Relations, January 15, 2014 It is in the United States’ interest to implement the EU’s Safe Harbor recommendations. They are good policies, and will serve as a lifeline for EU negotiators to move past the privacy issue. Additionally, President Obama should incorporate the recommendation from his presidential advisory committee that the personal data of non-U.S. citizens be treated with the same protections as data on American citizens. This will show that the United States has learned from the incident and is committed to treating its allies as equals. 3rd party data access and retention & The Safe Harbour agreement on pp. 75-79 in: Potential and Impacts of Cloud Computing Services and Social Network Websites / Science and Technology Options Assessment European Parliamentary Research Service January 2014 The EU-US Safe Harbour agreement / Nicolas Copeland, EPRS briefing, 19/01/2012 The US surveillance programmes and their impact on EU citizens’ fundamental rights / Caspar BOWDEN, Introduction by Prof. Didier BIGO, (King’s College London), Policy Department Citizens’ Rights and Constitutional Affairs, September 2013 In light of the recent PRISM-related revelations, this briefing note analyzes the impact of US surveillance programmes on European citizens’ rights. The note explores the scope of surveillance that can be carried out under the US FISA Amendments Act 2008, and related practices of the US authorities which have very strong implications for EU data sovereignty and the protection of European citizens’ rights.

Stakeholder views

EU

EU-US Summit – Joint Statement, Brussels, 26 March 2014 12. The transatlantic digital economy is integral to our economic growth, trade and innovation. Cross border data flows are critical to our economic vitality, and to our law enforcement and counterterrorism efforts. We affirm the need to promote data protection, privacy and free speech in the digital era while ensuring the security of our citizens. This is essential for trust in the online environment. 13. We have made considerable progress on a wide range of transnational security issues. We cooperate against terrorism in accordance with respect for human rights. Agreements such as the Passenger Name Record and Terrorist Finance Tracking Programme that prevent terrorism while respecting privacy are critical tools in our transatlantic cooperation. We will strengthen our coordination efforts to prevent and counter violent extremism. We will continue looking for appropriate mechanisms to counter the threats posed by fighters departing to Syria and other unstable regions, who return home where they may recruit new fighters, plan and conduct terrorist operations. We also work to address the threats posed by activities of groups contributing to instability in these regions. We welcome our increasingly close cooperation in building the capacity of partner countries to counter terrorism and violent extremism within a framework of rule of law, particularly in the Sahel, Maghreb, Horn of Africa region and Pakistan. We pledge to deepen and broaden this cooperation through the United Nations, the Global Counterterrorism Forum, and other relevant channels. We have also decided to expedite and enhance cooperation on threats directly affecting the security of EU and US diplomatic staff and facilities abroad. 14. Data protection and privacy are to remain an important part of our dialogue. We recall the steps already taken, including the EU-US ad hoc Working Group, and take note of the European Commission Communication of 27 November 2013 and President Obama’s speech and Policy Directive of 17 January 2014. We will take further steps in this regard. We are committed to expedite negotiations of a meaningful and comprehensive data protection umbrella agreement for data exchanges in the field of police and judicial cooperation in criminal matters, including terrorism. We reaffirm our commitment in these negotiations to work to resolve the remaining issues, including judicial redress. By ensuring a high level of protection of personal data for citizens on both sides of the Atlantic, this agreement will facilitate transfers of data in this area. The United States and the EU will also boost effectiveness of the Mutual Legal Assistance Agreement – a key channel of cooperation in the digital era. In addition, we are committed to strengthening the Safe Harbour Framework in a comprehensive manner by summer 2014, to ensure data protection and enable trade through increased transparency, effective enforcement and legal certainty when data is transferred for commercial purposes.

European legislation

Commission Decision of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce (notified under document number C(2000) 2441) (Text with EEA relevance.) 2000/520/EC: OJ L 215, 25.8.2000, p. 7–47 Council Decision of 13 July 2010 on the conclusion of the Agreement between the European Union and the United States of America on the processing and transfer of Financial Messaging Data from the European Union to the United States for the purposes of the Terrorist Finance Tracking Program OJ L 195, 27.7.2010, p. 3–14 Article 5: Safeguards applicable to the processing of Provided Data Council Regulation (EC) No 2271/96 of 22 November 1996 protecting against the effects of the extra-territorial application of legislation adopted by a third country, and actions based thereon or resulting therefrom Official Journal L 309 , 29/11/1996 P. 0001 – 0006

European parliament

European Parliament legislative resolution of 12 March 2014 on the proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) Recitals: (48) (Amendment 24), (63) (Amendment 39), Recital 79 (Amendment 53), Recital 80 (Amendment 54), Recital 82 (Amendment 55), Recital 83 (Amendment 56), Recital 89 (Amendment 62), Recital 90 (Amendment 63). European Parliament resolution of 12 March 2014 on the US NSA surveillance programme, surveillance bodies in various Member States and their impact on EU citizens’ fundamental rights and on transatlantic cooperation in Justice and Home Affairs International transfers of data US data protection legal framework and US Safe Harbour para 36-42 42. Calls on the Commission to present, by December 2014, a comprehensive assessment of the US privacy framework covering commercial, law enforcement and intelligence activities, and concrete recommendations based on the absence of a general data protection law in the US; encourages the Commission to engage with the US administration in order to establish a legal framework providing for a high level of protection of individuals with regard to the protection of their personal data when transferred to the US and ensure the equivalence of EU and US privacy frameworks; European Parliament resolution of 23 October 2013 on the suspension of the TFTP agreement as a result of US National Security Agency surveillance European Parliament resolution of 13 June 2013 on the role of the EU in promoting a broader Transatlantic Partnership 8. Strongly condemns the Boston terrorist attacks of 15 April 2013; encourages both partners to continue the fight against terrorism and organised crime and, at the same time, to respect and uphold human rights and fundamental liberties; is deeply concerned by recent revelations on the US surveillance and data gathering operations under the PRISM programme, and their implications for the protection of EU citizens’ civil liberties; calls on the Commission and the Council to raise the issue at the forthcoming JHA EU-USA Ministerial meeting on June 14th; notes the fact that the Passenger Name Records Agreement and the Terrorist Finance Tracking Programme Agreement (SWIFT Agreement), approved by the European Parliament, are already in force; calls on the partners to increase their cooperation on the Data Privacy and Protection Agreement, in order to finalise the negotiations in such a manner as to ensure the proper transparency of data processing and sufficient protection of personal data; European Parliament resolution of 23 May 2013 on EU trade and investment negotiations with the United States of America Negotiationg mandate 13. Considers that the agreement should guarantee full respect for EU fundamental rights standards; reiterates its support for a high level of protection of personal data, which should benefit consumers on both sides of the Atlantic; considers that the agreement should take account of the General Agreement on Trade in Services (GATS) provisions on the protection of personal data; European Parliament resolution of 23 October 2012 on trade and economic relations with the United States 16. Takes the view that given the increasing importance of e-commerce, data protection standards play an essential role in protecting customers both in the EU and US; stresses that both the EU and the US need to address rising cyber security threats in a concerted manner and in an international context; points out that interoperability and standards in the domain of e-commerce, recognised at global scale, can help to promote more rapid innovation by lowering the risks and costs of new technologies; European Parliament resolution on the Draft Commission Decision on the adequacy of the protection provided by the Safe Harbour Privacy Principles and related Frequently Asked Questions issued by the US Department of Commerce

European Commission

Factsheet on the EU-US negotiations on the so-called ‘Data Protection Umbrella Agreement’, June 2014 Communication on the Functioning of the Safe Harbour from the Perspective of EU Citizens and Companies Established in the EU, COM/2013/0847 final, 27.11.2013 What we need to make TTIP work / Karel De Gucht, European Commissioner for Trade, German Economy Ministry Conference on the Transatlantic Trade and Investment Partnership, Berlin, 5 May 2014 “The third value we need to protect is privacy. Data protection is a fundamental right in the European Union, so this agreement can do nothing to undermine it – legally or morally. That is exactly how we are working. We are trying to facilitate trade in the digital economy which is so important for our future. But we will not be doing anything to change Europeans’ rights to privacy.D on’t get me wrong – there are issues between the EU and the US to be resolved. But they need to be tackled outside the framework of these talks.” Spying affair and the TTIP free trade agreement / Question for written answer to the Commission Rule 117 Angelika Werthmann (ALDE), 12 November 2013 with answer from Mr De Gucht on behalf of the Commission, 10 February 2014 “the Commission expects that in parallel solutions will be found to restore trust in EU-US data flows. In pursuing this approach, the Commission has been supported by the European Parliament, whose resolution on the US NSA surveillance programme did not call for a delay of the TTIP negotiations, and by the Member States. The Commission set up, together with the Presidency of the Council of the EU, an ad-hoc high-level EU-US working group on data protection to examine these issues further” “Stepping up a gear“: Press Statement by EU Trade Commissioner Karel De Gucht following the stocktaking meeting with USTR Michael Froman on the Transatlantic Trade and Investment Partnership (TTIP), 18 February 2014 Let me be clear on this very important point: we are not lowering standards in TTIP. Our standards on consumer protection, on the environment, on data protection and on food are not up for negotiation. There is no “give and take” on standards in TTIP. And we are happy to be scrutinized on this: no standard in Europe will be lowered because of this trade deal; not on food, not on the environment, not on social protection, not on data protection. I will make sure that TTIP does not become a ‘dumping’ agreement. EU Chief Negotiator says EU-US trade deal not about deregulation, as third round of talks end in Washington, 20 December 2013 However, Mr Garcia Bercero was at pains to point out that: “TTIP is not and will not be a deregulation agenda.” He said neither side intended to lower its high standards of consumer, environment, health, labour or data protection, or limit its autonomy in setting regulations. Towards a more dynamic transatlantic area of growth and investment / Viviane Reding, Vice-President of the European Commission, EU Justice Commissioner, 29/10/2013 “I warn against bringing data protection to the trade talks. Data protection is not red tape or a tariff. It is a fundamental right and as such it is not negotiable.” Once a single, coherent set of rules is in place in Europe, we will expect the same from the US. Inter-operability and a system of self-regulation is not enough. Including a legal provision on judicial redress for EU citizens, regardless of their residence, in the forthcoming US Privacy Act is an essential step towards restoring trust among partners. TTIP negotiations following the PRISM scandal / Question for written answer to the Commission Rule 117 Alda Sousa (GUE/NGL) , Marisa Matias (GUE/NGL), 18 July 2013 with answer by Mrs Reding on behalf of the Commission, 30 September 2013 “PNR and TFTP Agreements with the US promote and protect the European Union’s common security interests and the fundamental rights of EU citizens. Review of the PNR Agreement was undertaken recently and its report will be submitted to the European Parliament in due time. Two regular joint-reviews of the EU-US TFTP Agreement in 2011 and 2012 assessed the implementation of the safeguards applicable to the processing of Provided Data and considered the measures taken as adequate. A joint report pursuant to Article 6(6) of the agreement is under preparation. The Commission has requested consultations under A 19 TFTP Data protection reform: restoring trust and building the digital single market / Viviane Reding, Vice-President of the European Commission, EU Commissioner for Justice, 4th Annual European Data Protection Conference /Brussels, 17 September 2013 A. Data Protection Reform and PRISM — C. The EU-US Relationship Statement by President Barroso on the Transatlantic Trade and Investment Partnership, 3 July 2013 In parallel, it is important to address concerns that have been clearly expressed on the European side on some intelligence activities and also on the implication for privacy and data protection at European level. So what I can say we have agreed today is the following: we are committed to the Transatlantic Trade and Investment Partnership, but we expect that in parallel we have work in the EU-US working groups that will analyse the oversight of the intelligence activities, intelligence collection and also the question of privacy and data protection.

European Data Protection Supervisor

Opinion of the European Data Protection Supervisor on the Communication from the Commission to the European Parliament and the Council on “Rebuilding Trust in EU-US Data Flows” and on the Communication from the Commission to the European Parliament and the Council on “the Functioning of the Safe Harbour from the Perspective of EU Citizens and Companies Established in the EU”, 20 February 2014 Comments of the EDPS on different international agreements, notably the EU-US and EU-AUS PNR agreements, the EU-US TFTP agreement, and the need of a comprehensive approach to international data exchange agreements, 25 January 2010

NGO views

TTIP and TISA : big pressure to trade away privacy / Ralph Bendrath, Statewatch, September 2014 EU-US Trade Negotiations Continue Shutting out the Public—When Will They Learn? / Jeremy Malcolm and Maira Sutton, Electronic Frontier Foundation, October 3, 2014 Transatlantic Data Flows and the Trade and Investment Partnership (TTIP): Ensuring compatibility with European Data Protection standards / Les Verts , Public Conference, 5 March 2014 from 15:00 to 18:30 Place: European Parliament, room ASP 1G3 The EU-US Safe Harbor : an analysis of the effectiveness in protecting personal privacy / Future of Privacy Forum (FPF), December 2013 EU/US Safe Harbor – Effectiveness of the Framework in relation to National Security Surveillance / Chris Connolly, Galexia, Speaking & background notes for an appearance before the Committee on Civil Liberties, Justice and Home Affairs inquiry on “Electronic mass surveillance of EU citizens”, Strasbourg, October 7 2013

Consumers’ views

Transatlantic Consumer Dialogue (TACD) welcomes President Juncker’s push for a comprehensive data protection agreement, letter, September 30, 2014 Transatlantic Consumer Dialogue (TACD) Resolution on Data Flows in the TransAtlantic Trade and Investment Partnership, October 2013

Producers’ views

Chamber Wants TTIP To Ease Data Flows Without Altering EU Regime / Inside U.S. Trade, March 6 2014 The U.S. Chamber of Commerce is pushing for provisions in a trans-Atlantic trade deal to ease cross-border data flows in part by broadening the ways by which U.S. firms can comply with the European Union’s data privacy requirements, though it does not intend to use the trade talks as a vehicle to seek changes to the underlying EU regime

Case law

Ruling concerning the validity of Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC (OJ 2006 L 105, p. 54). In Joined Cases C‑293/12 and C‑594/12, 8 April 2014