Microsoft has published a blog post by Brad Smith, the company's president and chief legal officer, on the implications of the collapse of the Safe Harbour arrangement between the EU and US. In the post, Smith calls for the US government to agree that "it will only demand access to personal information that is stored in the United States and belongs to an EU national in a manner that conforms with EU law, and vice versa."
Smith declares that "privacy really is a fundamental human right," and points out that privacy rights are not meaningful if they change every time that data moves from one jurisdiction to another. "Individuals should not lose their fundamental rights simply because their personal information crosses a border. While never stated quite this directly, this principle underlies every aspect of the European Court’s decision, and it makes sense."
As a consequence, Smith believes that "we need to ensure across the Atlantic that people’s legal rights move with their data." If that were to happen, and the US were to apply EU law to EU data held in the US, it would satisfy the stipulation of the Court of Justice of the European Union (CJEU) in its Safe Harbour ruling that the legal protection for the personal data of EU citizens held in the US must be “essentially equivalent” to that available to them in Europe for it to be acceptable under EU legislation.
Recognising that the authorities will still need access to stored personal data under certain circumstances, Smith also calls for "an expedited process for governmental entities in the US and EU to access personal online information that is moved across the Atlantic and belongs to each other’s citizens by serving lawful requests directly with the appropriate authority in an individual’s home country." Requesting governments could only seek information within the limits of their own laws, and the request would be judged by the receiving government based on its rules. "If the designated authority determines the request is consistent with the privacy protections and other requirements of the citizen’s local law, it would validate and give it legal effect, authorizing disclosure," Smith explains.
An exception to this framework would be allowed for the situation where citizens move physically across the Atlantic. Smith suggests: "the US government should be permitted to turn solely to its own courts under US law to obtain data about EU citizens that move to the United States, and the same is true for a European government when US citizens reside there."
Smith also has some thoughts on how cloud-based information should be handled: "governments on both sides of the Atlantic [would] agree that they will seek to access the content of a legitimate business only by means of service on that business, even when it is stored in the cloud. This would address one of the principal areas of current legal concern for businesses that are relying on cloud services"—that governments might demand data directly from cloud providers. Cloud computing is an area of great importance to Microsoft, which is currently embroiled in a legal battle with the US government over access to data stored there.
The fact that Microsoft is espousing what are quite radical ideas for a US company shows the depth of concern over the collapse of the Safe Harbour framework. Smith's post appears at a time when the US and EU authorities are urgently trying to come up with a replacement for Safe Harbour, which must be in place by the end of January 2016, when enforcement actions by European data protection authorities will begin if nothing has been agreed. Yesterday, the US House of Representatives approved the Judicial Redress Act, which would extend certain US privacy protection rights to citizens of European countries. However, on its own that approach is probably insufficient to satisfy the CJEU's stringent requirements for protections that are “essentially equivalent” to those under EU law.
Listing image by Johannes Hemmerlein
reader comments
108