Lawmakers were told Tuesday that in order to enable digital data transfers between the US and the European Union, Congress must further rein in government spying activities, and empower federal agencies to crack down on companies that play loose with their customers’ data.
The recommendations came from a witness who appeared before a House energy and commerce subcommittee hearing convened to examine the impact of last month’s ruling by a European high court. That decision struck down a critical data privacy agreement that allowed US companies to transfer Europeans’ data to servers stateside.
The President of the Electronic Privacy Information Center (EPIC), Marc Rotenberg testified that any new Safe Harbor agreement currently being negotiated by the Commerce Department and its European counterparts must take into account concerns across the pond.
His comments were in direct response to claims by some US policymakers that the European Court of Justice erred in its ruling and didn’t account for recent spy reforms approved on Capitol Hill in June via the USA Freedom Act.
“The Freedom Act was a significant step forward for privacy protection in the United States, but it limited only the surveillance activities directed at US persons—that’s the 215 collection program,” Rotenberg noted. The bill dismantled one of the government’s bulk collection program related to domestic telephony metadata.
“The Freedom Act did not address the 702 program which was collection directed at non-US persons,” he added, pointing to separate authorities granted to Washington by the Foreign Intelligence Surveillance Act.
Rep. Anna Eshoo (D-Calif.) acknowledged that the disclosures made by Edward Snowden about the activities of US spy agencies were “really damaging to the brand ‘American Product,’” even after the passage of USA Freedom.
“The Europeans are deeply suspicious of that,” she said. “I don’t think we cured everything.”
Other witnesses, however, rejected the call to roll back surveillance in order to boost transatlantic trust.
John Murphy, the Senior Vice President for International Policy at the US Chamber of Commerce claimed that the European Court of Justice “did not conduct any formal investigation in current US surveillance oversight rules,” and said it issued a ruling that holds the US to a “different standard on national security and law enforcement issues.”
The President and CEO of the Business Software Alliance (BSA), Victoria Espinel, urged lawmakers to “help the Europeans understand our privacy system better, including some of the recent improvement like the USA Freedom Act.”
Piling on was Rep. Mike Pompeo (R-Kansas) who asked Rotenberg if it was his position that “US person and non-US persons should be treated identically?”
“That’d be ahistoric,” Rep. Pompeo went on. “You could be right about it being proper, but no nation has ever behaved that way.” He then claimed that “there’s always a wrinkle, there’s always an exception, there’s always a section 12333 executive order”—a reference to a Reagan-era surveillance directive that still governs much of the intelligence community’s activities.
Rotenberg reminded Rep. Pompeo that according to US consumer law, there is no distinction between citizens and non-citizens.
He went on to say that another problem with the previous iteration of the Safe Harbor agreement was its lack of enforceability—a task that was left up to the Federal Trade Commission.
“To date, the FTC has not meaningfully exercised its enforcement powers against US companies that violate the Safe Harbor framework,” Rotenberg said in his opening remarks.
Rotenberg also called on Congress to also pass a Consumer Privacy Bill of Rights and to create a new agency to enforce privacy laws.
