Counter-Terrorism and US-EU Differences in Data Privacy Law

Update: Bignami has now posted on the ECJ’s airline records decision.

In a recent guest post at Concurring Opinions, privacy expert Francesca Bignami argued that the NSA’s obtention of domestic telephone records would not be allowed under European privacy law. In addition to being an interesting comparative law analysis, Bignami pointed out another consequence of her conclusion:

There is also a more pragmatic reason for taking European privacy law seriously. The National Security Agency might want information on the calls made by Europeans, in Europe. But because the way it handles private data is so out-of-line with European law, it is increasingly unlikely that the NSA will be able to get call information– or any other private information for that matter–from European governments. … In some European countries, private data cannot be transferred to countries without “adequate” privacy safeguards, even if that data is requested for national security purposes.

Lo and behold, the accuracy of this prediction is confirmed by yesterday’s decision in the European Court of Justice, which voided a May 2004 negotiated arrangement under which airlines flying from Europe to the U.S. turn over data about their passengers to the U.S. government. (See coverage by the New York Times [reg req'd] and BBC News). Under the program, the airlines send the data as planes take off, and presumably our government checks it before they land.

Technically, the ECJ decision was not grounded in privacy law. The Court ruled that the bodies that negotiated the deal, the European Commission and the Council of Europe [correction based on comment], lacked the authority to do so, as had been contended by the European Parliament. On privacy, the court said nothing one way or the other. But the political motivations behind the case (including Parliament’s decision to bring the challenge) certainly were privacy-related.

While a new agreement may be negotiated, this decision again shows the disjuncture between American and European perspectives on data privacy (which the Europeans tend to call “data protection” — already demonstrating their different attitude). Given a political climate in Europe increasingly suspicious of U.S. counter-terrorism policy, I think we will see increasing refusals by Europeans to share data, on the grounds that their law prohibits it. Will this encourage the U.S. to agree to more privacy-sensitive data handling practices? Could it even lead to a situation where foreigners’ data is handled with more attention to privacy than Americans’ data? (Just the reverse of the Bush Administration’s repeated assurances that the NSA listens to the contents of international telephone calls without a warrant but not domestic ones…)

In any event, we can expect continued, or increased, tension between EU and U.S. law in all areas related to transfers of personal information — including counter-terrorism.

4 Responses to “Counter-Terrorism and US-EU Differences in Data Privacy Law”

  1. Just a nitpick but it’s the ‘Council’ or ‘Council of the European Union’, not the Council of Europe which is a separate, non-EU institution. Confusing, I know!

    It’s also worth adding that, seeing as this case was based on the Commission and Council not having authority to use a particular legal avenue for the data-sharing agreement, the Council is likely to renegotiate using a different legal approach – an intergovernmental one that doesn’t need the agreement of the Parliament.

  2. Thanks for the correction, Robert. I knew it but I blew it, as they say.

    I acknowledge that the agreement will be renegotiated. But as I tried to say in the post, what’s interesting is that a difference of opinion about data privacy is what caused the dispute, whatever the court’s reasoning. It’s like environmental groups that sue to stop a dam or a road and base their claim on a failure to follow the proper procedures. The motivation is substantive, even if the means to the end is technically distinct from the substance.

    That is important because, as Bignami also says, cooperation on counter-terrorism data-sharing between European and US authorities may be harder to achieve if there is hostility toward US data-handling rules and practices.

  3. [...] Even if the US enacted a data retention law that matched the European one exactly, however, the result would not be a similar regime. As I noted in an earlier post, Europe’s approach to data privacy is much more stringent than the American model, leading to some US-EU tension concerning sharing of data, even for counter-terrorism purposes. A US data retention law on top of already-lax American privacy law is nothing like a European data retention law counterbalanced by effective data protection requirements. [...]

  4. [...] I really don’t know if Finland’s ban on googling is a good idea or a practical one. What’s interesting to me is my initial reaction about the utter impossibility of such a rule becoming law in the United States. The sharp distinction just shows how very far outside the global mainstream our privacy law has become, and it really questions, as comparative law often will, our unstated assumptions about the parameters of legal policy. [...]