EU Disdains U.S. Surveillance, but Seeks Easier Access

By George R. Lynch

April 27 — The catchphrase “do as I say, not as I do,” seems appropriate to some for how the European Union approaches government surveillance of personal data in the U.S. versus the EU.

In response to terrorism and refugee concerns, some EU member states have been passing laws to give their law enforcement and national security officials easier access to personal data. At the same time some EU officials continue to voice objections to U.S. efforts to do the same.

Throughout it all, companies have begun to worry that these new EU surveillance laws might affect data sharing within Europe and their ability to maintain the trust of privacy-minded customers, attorneys and analysts told Bloomberg BNA.

“There is a trend among European countries to introduce new surveillance powers and undermine encryption,” Fanny Hidvegi, international privacy fellow at the Electronic Privacy Information Center (EPIC), said.

EU Surveillance Legislation

Yet EU data protection officials have decried the proposed EU-U.S. Privacy Shield for data transfers to the U.S. as inadequate, largely because of concerns over U.S. government access to data (15 PVLR 825, 4/18/16).

Wim Nauwelaerts, an international data protection and privacy law partner at Hunton & Williams LLP in Brussels, said that it is “already hard enough for companies to transfer data outside Europe. If now they’re facing different requirements on encryption and providing access to data by agencies, depending on the member state, it’s going to be a nightmare for companies to comply with that.”

Surveillance Concerns Not Just About U.S.

The moves to expand EU surveillance laws may well generate concern among EU institutions, Nauwelaerts said.

When the European Court of Justice, the EU's highest court, invalidated the U.S.-EU Safe Harbor Program that allowed legal transfer of personal data from the EU to the U.S. (14 PVLR 1825, 10/12/15) it wasn't just about concerns over potential improper access to data by the U.S. government, he said. “These were universal concerns raised about indiscriminate mass surveillance by agencies and how they gain access to that data.”

Now with EU countries passing surveillance laws, the assumptions that personal data are safe and data subject privacy is respected within the EU are slowly being called into question, Nauwelaerts said. Companies are “getting increasingly concerned about how these developments in EU member states could affect their sharing of data within the EU,” he said.

The Privacy Shield proposal, which is now under strain and which the Article 29 Working Party recently declined to endorse due to similar concerns, was intended to replace the Safe Harbor (15 PVLR 825, 4/18/16).

EU Member States Take Two Tracks

EU member states have taken two main surveillance law positions—allow greatly expanded government access or reject access—Sara Hoffman, an attorney focusing on European privacy and data security law at Wilson Sonsini Goodrich & Rosati in Brussels, said.

In France and the U.K., and some other member states, “there is a big push these days towards giving data access to law enforcement,” Hoffman said. On the other side, the Netherlands has been notable as the only government in the EU to take a strong stand in favor of Internet security based on strong encryption.

The revised draft of the U.K. Investigatory Powers Bill would give the government the ability to access Web browsing histories and hack phones, Steven P. Farmer, counsel in the Intellectual Property/IT, Data Privacy, Marketing Law and International Trade practices at Pillsbury Winthrop Shaw Pittman LLP in London, said (15 PVLR 510, 3/7/16). The government issued a clarification after releasing the bill, claiming these powers are merely reflective of current practice, but “there is some debate” about how accurately these provisions reflect current practice, Farmer said.

The first draft of the bill “arguably represented a significant increase in authorities' powers to access user data (15 PVLR 309, 2/8/16), and the March revision has barely reined this back,” he said.

The bill also allows the government to access encrypted data where the encryption is applied by the company itself and removal of encryption is practical, and consolidates the bulk collection powers of security and intelligence services.

The French Parliament has cleared a bill that would make it easier for the government to access encrypted data for criminal investigations by enhancing penalties against companies that refuse to hand over communications.

A strict surveillance law also went into effect in Poland Feb. 7. Poland’s newly-amended Police Act gives Polish authorities increased access to digital data before courts approve the use of the data. “Law enforcement may access metadata without court approval,” Dariusz Czuchaj, a technology practice senior associate at Dentons LLP in Warsaw, said.

Hungary has gone even further, Hidvegi said. The government there proposed a bill without debate that seeks to make it a crime for communications service providers to use encryption-based applications or software. The measure would also require Internet service providers to build back doors to allow government access.

Additionally, the Hungarian bill would require ISPs to retain the metadata of anyone who uses encryption and would criminalize the failure of companies to hand over user data to the government.

The governments' demands that companies give them access to information don't easily square with the European Court of Justice's stance on limiting government access to personal data for surveillance purposes, Nauwelaerts said.

Choosing Where to Store Data

Although surveillance laws probably won't prevent companies from transferring data to EU member states, the multiplicity of different rules that countries are implementing under national security exceptions is giving companies another factor to consider when deciding where to transfer data.

“It’s no longer a discussion about whether we send our data to the U.S. or do we send it to India, but it’s about where we keep it internally” within the EU, Nauwelaerts said.

Christoph Werkmeister, a privacy attorney at Freshfields Bruckhaus Deringer LLP in Cologne, Germany, said data transfers within the EU should still be possible but “new surveillance laws might conflict with contractual obligations.” Companies with contracts setting forth certain data security promises to customers—a relatively rare occurrence—“will not be able to live up to its promises in particular jurisdictions anymore,” he said.

But PwC Legal Global Head of Cyber Security and Data Protection Stewart Room said that the “undercurrent of concern about data access by law enforcement is not something that’s exercising the minds of business in the way it exercises the minds of privacy advocates.”

Customer Trust

As the public war between the U.S. Federal Bureau of Investigation and Apple Inc. over consumer encryption has shown, some companies take privacy issues seriously, as do their customers (15 PVLR 367, 2/22/16).

Werkmeister said “extensive surveillance laws lead to a loss of customer trust, in particular in the communication and technology sector.”

Farmer said some companies cite their customer data protection as a means of “enhancing their reputation and customer trust.”

“Draconian or invasive surveillance laws may serve to undermine a company’s ability or power to safeguard its customers’ personal data, and therefore any claims they have made in this regard may be rendered redundant at a cost to their reputation,” he said.

EPIC's Hidvegi agreed that the profusion of surveillance laws may make it difficult for companies to balance legal obligations with consumer expectations regarding privacy.

Responding to Government Requests

Companies should understand the limits on what the government may request under the various EU surveillance laws and what options they may have regarding a request, attorneys said.

Czuchaj said that he advises clients to use encryption because the Polish law doesn't require companies to decrypt communications in order to respond to a government request.

Werkmeister said that “more often than not” his law firm sees requests broader than allowed under the relevant law.

Companies should object to a production request if they have concerns, he said. A company may be in violation of privacy laws if it improperly releases personal data, even if the release was in response to a government request, he said.

To contact the reporter on this story: George R. Lynch in Washington at glynch@bna.com

To contact the editor responsible for this story: Donald G. Aplin at daplin@bna.com