3: Vorträge, Vorlesungen, Aufsätze
Advanced Topics in European Privacy Privacy and Data Protection – A Conflict between the US and Europe ]engl.]
by Dr. Thilo Weichert
Data Protection Commissioner and Head of Unabhaengiges Landeszentrum fuer Datenschutz (ULD) Schleswig-Holstein, Germany
IAPP Global Privacy Summit 2012 in Washington/USA
Wednesday 07.03.2012
I. First Common Roots
Data protection as practiced in Europe originates in its main history of ideas also from the United States of America [1] . The first legal basis of personnel confidentiality protection roots back 2000 years, when Hippocrates defined the relationship between a physician and his patient as one of absolute secrecy. Likewise, the legal instrument of confessional secrecy between a clergyman and his Christian faithful is more than a thousand years old. But these obligations to secrecy were and stayed related to the individual and occupational context. They are also not based on a generally applicable concept of privacy. [2]
Privacy in a modern sense is closely connected to the technical development of information processing which depersonalizes the relationship between humans. This causes direct confidentiality ensured by social contact in the context of family, profession and/or friendship, to be substituted for a legal guarantee. This necessity has been developed in 1890 with exceptional conceptual clarity by two US jurists and published in the Harvard Law Journal. [3] Warren and Brandeis deducted from the “threats“ of photography and the press, which were modern back than, that the common law would imply a right to privacy. This right was to be universal and granted to people in all situations of life. It was not to be limited to specific relationships, neither to specific individuals such as celebrities nor to designated data.
The further development of this concept was also strongly influenced by discussions in the US, with Alan F. Westin leading the way in the sixties of the 20th century. [4]
II. The Development in Europe
Hereafter, legal developments took place in which the Anglo-American and the continental European legal conceptions continued to drift apart further. While the right to privacy continually developed in Europe becoming more precise and finding more general recognition, especially in the prevalent political and legal understanding in the US it continued to be a vague concept that did not yet receive its proper recognition as a fundamental right. It is still determined by a spatial and social understanding of privacy without responding appropriately to the modern technological challenges. There are a multitude of data protection regulations also in the US on both national and state level to be sure, e.g. protecting children or in the financial sector, that may be even more precise than in Europe. [5] However, from a European point of view there are no uniform standards across states and economic sectors. While enforcement against the private sector can be carried out under consumer protection laws, a comprehensive federal data protection control does not yet exist.
Legal developments on the European continent were deeply influenced by the jurisdiction of the German Federal Constitutional Court (Bundesverfassungsgericht – BVerfG). Already in the ‘60s and in the light of modern data processing capabilities the court derived from the general personality right that a state should not have the right to compulsorily register and categorize the individual in his or her full personality in an identifiable manner. [6] On the occasion of a scheduled population census, the Federal Constitutional Court in 1983 declared the “right to informational self-determination” a fundamental basic right. Accordingly every human should in principle be able to decide by him- or herself who knows what and when at which occasion about him- or herself. This basic right may only be encroached if the subjected person has given consent or where a prevailing public interest can serve as a legal basis. [7] The newly created basic right does not only protect against direct governmental infringements, but being an objective norm unfolds its legal content also in private law, [8] especially where infringements by overly powerful corporations occur. [9]
Another articulation of the modern personality right was made by the German Federal Constitutional Court in 2008, when it defined a legally protected digital sphere concerning the “protection of confidentiality and integrity of informational systems” in parallel with the spatial protection sphere of the home and the social protection sphere of the family, into which the state may encroach only under tight conditions. [10] The court draw the consequence from the fact that in our information society more and more personal spheres of life are mirrored in information systems that desperately need legal protection.
In its jurisdiction the German Federal Constitutional Court has repeatedly emphasized that data protection serves, in addition to the general personality right, the protection of specific individual freedom rights such as the protection of freedom of speech in accordance with Art. 5 Basic Law or the protection of political rights such as the right to free assembly: “Whoever is insecure whether his divergent behaviour is recorded continually and whether this information is saved permanently, is used or shared, will try not to attract attention by such behaviour. This would not only compromise the free development of an individual, but also the public good because self-determination is a fundamental condition of a free democratic society that is based on its citizens capacity to act and participate” freely. [11] If data protection comes into conflict with freedom of expression, German courts after balancing the basic rights regularly decide in favour of freedom of speech. [12]
This development in the jurisdiction of the German Constitutional Court has been and is accompanied by parallel changes in the jurisdiction of the European Court of Justice which is the highest court in the European Union (EU), and of the European Court of Human Rights in Strasbourg which is relevant also beyond the EU. [13] Then, the European Union amended its Charter of Fundamental Rights in 2009 in which Article 7 and 8 protect the fundamental rights to private and family life and personal data. [14]
In parallel to the constitutional situation a common law developed. In the ‘70s the first data protection laws evolved in many European countries. In 1995 the European Union passed the European Data Protection Directive, a harmonized legal framework aimed at guaranteeing the free flow of data while at the same time protecting personal data. This development is not at an end yet and led to the proposal made by the European Union on January 25, 2012 concerning a regulation for a common framework on the protection of the individuals with regard to the processing of personal data and on the free movement of such data. This regulation will be directly applicable throughout the EU and shall ensure data protection in light of the modern challenges presented by the Internet – as well as towards providers who are established outside the EU. [15]
III. The Situation in the USA – from a European Perspective
A completely different development took place in the US. Up to today the US Supreme Court has neither acknowledged a fundamental right to informational self-determination, nor to data protection. The court extrapolated from a number of different amendments to the Constitution restrictions on data collections by the state in specific areas, especially whenever freedom of speech, the press or assembly protected by the Constitution were infringed by so called “chilling effects”. Furthermore data collection can be unconstitutional when it compromises the private sphere as acknowledged by the Supreme Court. Starting from a spatial understanding of privacy, the Supreme Court considers whether a data subject has a reasonable expectation of privacy to withdraw his or her information from public access and applies the requirements for “search and seizure” to these cases. These considerations were also made by the Supreme Court in its current judgement “United States v. Jones” of January 23, 2012 with regard to a criminal investigation using a GPS tracking device. [16]
Additionally, the Supreme Court checks whether a data collection forces data subjects to incriminate themselves. A data collection by the government is not so much opposed by privacy considerations but the protection from government coercion. In principle the Supreme Court requires substantive harm or actual damage. Pure informational harm is mostly not recognized by the courts.
Even today the Supreme Court does not grant comprehensive protection of privacy as it was demanded by Warren/Brandeis more than 120 years ago, except in restricted sensitive areas. The Fourth Amendment shall only protect a person’s “reasonable expectation of privacy”. [17] The purpose principle of the European data protection law is diametrically opposed to the “Third Party Doctrine” of the Supreme Court according to which there is no protection against disclosure of data to the government if the data subject has freely disclosed his or her data to third parties. Another main restriction of data protection respective privacy protection is accepted by the Supreme Court if a measure serves national security. This aspect is also accepted by European Courts. However, while they undertake a differentiated examination of necessity and proportionality, it seems that the Supreme Court mainly requires that a measure can serve security purposes. [18] An observation of fundamental rights by private corporations especially when they have a dominant position in the market with regard to informational measures is – different from Europe – generally not acknowledged in US jurisdictions. In consequence, US corporations are restricted to use informational measures at most for reasons of consumer or children’s protection and in competition law.
In Europe it is generally acknowledged that the protection of personal data and privacy not only serves subjective rights of the individual, but also is a fundamental condition for the free democratic information society. [19] This consideration, too, seems not to be acknowledged in US American jurisdiction.
IV. Attempted Explanation
While in the USA and in Europe there was a parallel development with respect to the protection of civil rights until the ‘60s and early ‘70s, this changed considerably in the years afterwards. European society at the beginning of the ‘70s faced massive internal terrorist threats leading to tightened security laws in all the states. However, these security laws always aroused opposition from civil society and were moderated through the political process. This resistance roots back to the experiences of European societies during authoritarian and totalitarian regimes, in Germany e.g. with Hitler-fascism and with the communist regime of the German Democratic Republic with its omnipresent state security service.
Apparently this was different in the USA: while during the second half of the 20th century powers assigned to security agencies were massively strengthened due to the “war against drugs“, this legitimacy pattern was replaced and complemented after September 11, 2001 by the “war against terrorism”. The Supreme Court tends to follow this and has increasingly been ready to give full scope to surveillance measures and enforcement powers. [20]
In the US as well as in Europe, extensive civil society debate about data protection and privacy in our modern information society takes place. Nevertheless, it did not prevail in politics or in US law. Two factors seem to be especially important: (1) security policy and (2) economic policy:
1. Repudiation of a comprehensive fundamental right to data protection is a precondition for the security policy claim made by US government which it exercises in almost all parts of the world: if such a fundamental right would be acknowledged in the US, citizens of other states could not reasonably be deprived of it. But this would implicate that military and security surveillance measures by US services would be called into question world-wide. This is true for control measures against potential military enemies in Arabic countries as well as for sourcing presumably security relevant data from the European Union, e.g. banking or flight passenger data.
2. It is undeniable that US corporations have gained dominance on the information technology market globally, but especially in Europe. Not European corporations but companies like Microsoft, Apple, Google, or Facebook dominate the technological development in the information technology market and particularly in the Internet. These corporations have direct access to politics and the current US government. Core business models of these US corporations are founded on ignoring the strict European data protection regulations. This is especially true for the exploration of user data, by Facebook and Google for instance. As a result US companies gain a competitive advantage on the European market to European corporations, the latter being subject to national data protection supervision and more or less rigid data protection inspections. Enforcement actions by European data protection authorities against US companies’ corporate policies were very limited in the past. This has changed only lately by a few enforcement actions concerning applications of Google (Search, Street View, Analytics) and Facebook.
V. The Legal Recognition of US Security Dominance
The US rejection of data protection as a fundamental right meets approval from certain lobbyists in Europe. This is especially true for security agencies dreaming to possess powers for investigation and data analysis comparable to those possessed by US security agencies. Especially in the United Kingdom, which shares a common legal history with the US and which was spared from developments in legal data protection on the European continent to some extent, such security interests flourished. [21] But in other states as well there is a distinct interest to be able to extensively store and analyse data from telecommunication surveillance, financial transactions, and passenger data and to simplify exchange of data between security agencies in Europe.
These interests prevailed in Europe repeatedly. The most prominent example is the Data Retention Directive for telecommunication data for security purposes.[22] A central mechanism to implement security agencies’ interests is the transfer of treaties between Europe and the US to the inner-European area. Against these treaties the European fundamental rights arguments were and are unable to fully push through, for example with regard to transmission of bank data from international transactions (SWIFT) [23] , or passenger data (Passenger Name Records). [24]
National parliaments again and again and the European Parliament as well as European and national courts resist this logic. Germany, its politics, and authority play an important but not necessarily decisive part in Europe. Good evidence is the critical and negative decisions of some constitutional courts concerning data retention of telecommunication data. [25]
VI. The Conflict in the Area of Private Data Processing
With regard to data exchange between corporations in Europe and the US, the Safe Harbor Framework of 2000 is of fundamental importance. [26] With this framework the European Commission accepts a level of data protection comparable to European data protection for companies who have subjected themselves to Safe Harbor self-certification. Criteria for self-certification are: notice, choice, restricted onwards transfer, data security, data integrity, access, and data protection enforcement. The requirements provide a legally viable method to transfer personal data from a European to a US company.
From the outset the European Parliament and the Article 29 Working Party [27]have requested an evaluation whether the mechanisms of this framework are observed. Indeed, until today no comprehensive independent evaluation has been conducted. The studies available suggest that there are severe shortcomings. [28]Under the veil of formal self-certification the core principles set out in the framework are often neglected and violated and the framework is used to practice a most uninhibited data exchange with US companies.
This led to a decision by the federated German data protection authorities organised in the so called “Duesseldorfer Kreis” of 28./29.04.2010, arguing that a Safe Harbor certificate cannot be trusted blindly when exporting data to the US and that the data exporter needs to check whether the allegations made concerning the data protection standards of the recipient are actually true. [29]This critique by the Duesseldorfer Kreis of Safe Harbor is based on the experience that self-certification without independent and structured monitoring does not produce certainty about the necessary compliance with data protection requirements and that an abstract sanctions threat without enforcement is not effective.
Further insights have impaired trust in compliance with data protection standards by US corporations in recent times. It became apparent that companies in Europe that are established or have a subsidiary in the US are subject to the Patriot Act enforcing access to personal data which call into question that the companies can keep the confidentiality statements and compliance assertions about European data protection law. Corresponding access to data stored and processed in Europe are made on the basis of US security instruments such as FISA or the “Bank of Nova Scotia Subpoena” ruling. [30] A current disturbance of reliability of affiliated companies with US connections was posed by questioning data protection to prevent tax flight on the basis of financial instruments such as FACTA or the Volcker-Rule. [31]
The most ostentatious violations of European data protection law have been perpetrated for many years by US Internet companies such as Google and Facebook. These companies have gained a strong dominance in the European Market. In some cases there is a monopolistic competitive context, for example Google reaching more than 90% market share on the German search engine market. This led to first controversial discussions with European data protection authorities concerning search engines, panorama services in the Internet, and analytic tools for website owners. If there were direct legal implications as were detected for Google Street View and subsequently Microsoft Bing Street Side, authorities were able to enforce data protection regulations. [32]
For analytic tools for website owners some rudimentary acceptable changes were reached after many months of discussion with Google, and after some data protection compliant solutions were offered on the European market. [33]
The worlds of data protection in the US and Europe collide most blatantly in social networks where US providers with Facebook and Google leading the way do not comply with the legal requirements concerning transparency and choice. The basic conflict between US providers and European data protection activists is that on the basis of a general privacy statement in which neither the purpose and neither the accountable controller nor the type of data are adequately identified, personal data are stored for many years, and comprehensive data analysis takes place without providing sufficient means of control by the data subject. [34] This caused the Unabhaengige Landeszentrum fuer Datenschutz in Schleswig-Holstein to publicly request website owners in this federal state to refrain from using Facebook offerings and to bring some individual enforcement actions in the form of prohibition orders. [35]
In the end, data protection issues in Internet offerings were the primary driver for the European Commission to make its proposal for a harmonized data protection regulation on January 25, 2012, which shall facilitate in particular the enforcement of European data protection law towards US service providers. [36]
European enforcement activities as well as political pressure seem to be no longer ineffective, as seems to be true even in the US. This is indicated by three current events: on February 22, 2012 the California Attorney General forged an agreement with Apple, Google, Microsoft, RIM, Hewlett-Packard, and Amazon to develop explicit privacy policies for mobile apps that collect explicit consent from data subjects. [37] One day later the White House published a “Bill of Rights”, a white paper on “Consumer Data Privacy in a Networked World” introducing some data protection principles, but only to sing the Song of Songs on self-regulation, which is still not really functioning. [38] On the same day it became public that 400 Internet companies in the US, with big ones such as Google amongst them, were to bind themselves to technically support a commonly agreed Do-Not-Track standard. [39] Additionally, a report of the EU Commission became known that day according to which a transatlantic framework on data protection in the area of security was not making any progress because the US government is not ready to change even a single US law. [40]
VII. Conclusions
The data protection conflict between the US and Europe is further intensifying. One of its legal grounds is the denial of the fundamental right to data protection by US law. This is reason enough to intensify the exchange across the Atlantic about the conditions of a legal framework necessary to preserve democracy and freedom in the global information society. Not only in the US but also in Europe the perception is not yet mature enough to seriously discuss an “International Charter of Digital Human Rights” of which a fundamental right to data protection would be a part of. But precisely such an international Charter is strongly needed – not only concerning the relation between the US and Europe. [41] Given the negligence of digital fundamental rights by authoritarian states and dictatorships like the Iran or China, Europe and the US being free democracies must have a joint interest in such a Charter or must at least develop it. [42] To focus only on short-term market and security advantages is neither in the national interest of the US or Europe, let alone in the interest of enforcing, preserving, and long-term guaranteeing of democratic fundamental rights in a globalized information society. If they were still alive, surely Samuel Warren and Justice Brandeis would rejoice over such a binding Charter.
[1] United States of America – USA.
[2] Weichert in Däubler/Klebe/Wedde/Weichert, Bundesdatenschutzgesetz, 3rd ed. 2010, Einl. Rz. 2.
[3] Samuel D. Warren / Louis D. Brandeis, The Right to Privacy, Harvard Law Review Vol. IV December 15, 1890 No. 5 (German translation: https://www.datenschutzzentrum.de/allgemein/20111219-Warren-Brandeis-Recht-auf-Privatheit.html).
[4] Westin, Privacy and Freedom, New York, 1967.
[5] Cf. e.g. COPPA – Children's Online Privacy Protection Act, http://www.coppa.org/.
[6] BVerfG NJW 1969, 1707.
[7] BVerfG NJW 1984, 419.
[8] BVerfG NJW 1991, 2411.
[9] BVerfG MMR 2007, 93 ff. = JZ 2007, 576 ff. = DuD 2006, 817 ff.
[10] BVerfG NJW 2008, 822 ff.
[11] BVerfG NJW 1984, 422; BVerfG EuGRZ 1985, 457 ff.
[12] BGH MMR 2009, 610.
[13] Siemen, Datenschutz als europäisches Grundrecht, 2006.
[14] Art. 7: Everyone has the right to respect for his or her private and family life, home and communications. Art. 8: (1) Everyone has the right to the protection of personal data concerning him or her. (2) Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified. (3) Compliance with these rules shall be subject to control by an independent authority.
[15] European Commission, 25.01.2012, KOM(2012) 9 final; cf. Hornung ZD 2012, 99.
[16] Sokolov, http://www.heise.de/, 24.01.2012, US-Gericht: Überwachung mit GPS-Wanze ist eine Durchsuchung.
[17] Katz v. United States, 389 U.S. 347 (1967).
[18] Grunwald, Datenerhebung durch das Federal Bureau of Investigation, 2007, 55 ff.
[19] BVerfG NJW 1984, 422.
[20] Arzt, Polizeiliche Überwachungsmaßnahmen in den USA, 2004, 122 f.
[21] Korff, Guaranteeing Liberty or Big Brother, Surveillance in the United Kingdom, 2007, https://www.datenschutzzentrum.de/sommerakademie/2007/sak2007-korff-surveillance-in-the-united-kingdom.pdf.
[22] Directive 2006/24/EC of 15.03.2006, ABl. L 105 of 13.04.2006, S. 54; cf. e.g. BVerfG DVBl. 2010, 503 ff.
[23] ULD sources at https://www.datenschutzzentrum.de/internationaler-datenverkehr/swift/.
[24] Cf. e.g. Article 29 Working Party, WP 145, Joint opinion on the proposal for a Council Framework Decision on the use of Passenger Name Record (PNR) for law enforcement purposes, presented by the Commission on 6 November 2007, https://www.datenschutzzentrum.de/flugdaten/EU-PNR-opinion_doc.pdf.
[25] European Commission, Evaluation report on the Data Retention Directive of 18.04.2011, http://ec.europa.eu/commission_2010-2014/malmstrom/archive/20110418_data_retention_evaluation_en.pdf.
[26] Decision of the Commission of 26.07.2000, ABl. EC of 25.08.2000, L 215/7.
[27] Opinion 4/2000 on the level of protection provided by the “Safe Harbor Principles” of 16.05.2000, CA07/434/00/De, WP 32; 02.07.2002, 11194/02/DE, WP 62.
[28] Galexia, The US Safe Harbor – Fact or Fiction?, 2008; Conolly, Revisiting the Safe Harbor, Privacy Laws & Business International Conference, July 2010; cf. also report from the European Commission of 20.10.2004, summarized by Greer, RDV 2011, 271 f.; cf. Alexis/Yuill, Privacy & Security Law 10-12-09; arguing against Greer, RDV 2011, 270 ff., but without providing counter evidence.
[29]https://www.ldi.nrw.de/mainmenu_Service/submenu_Entschliessungsarchiv/Inhalt/Beschluesse_Duesseldorfer_Kreis/Inhalt/2010/Pruefung_der_Selbst-Zertifizierung_des_Datenimporteuers/Beschluss_28_29_04_10neu.pdf.
[30] Position paper of Unabhaengiges Landeszentrum fuer Datenschutz Schleswig-Holstein of 15.11.2012, https://www.datenschutzzentrum.de/internationales/20111115-patriot-act.html; similar: joint letter of Duesseldorfer Kreis and the Conference of Data Protection Commissioners of the Federal State and the Laender of the Federal Republic of Germany of 12.01.2012 to the Chairman of the Article 29 Working Party concerning "Zugriff außereuropaeischer Staaten auf personenbezogene Daten europaeischer Staaten"; in detail: Stölzel, Amerika liest mit, Wirtschaftswoche 23.01.2012, http://www.wiwo.de/.
[31] Piper/Zydra, USA greifen auf deutsche Konten zu, Sueddeutsche Zeitung, 23.12.2012, 25; Zydra, Jagd nach Steuersuendern, SZ 10.02.2012, 25.
[32] Resolution of Duesseldorfer Kreis of 13./14.11.2008, https://www.datenschutzzentrum.de/geodaten/20081118-dk.html.
[33] ULD provides hints on how to implement data protection compliant web-analytic tools, https://www.datenschutzzentrum.de/presse/20110315-piwik.htm.
[34] Duesseldorfer Kreis, Datenschutz in sozialen Netzwerken, Resolution of 08.12.2011, https://www.ldi.nrw.de/mainmenu_Service/submenu_Entschliessungsarchiv/Inhalt/Beschluesse_Duesseldorfer_Kreis/Inhalt/2011/Datenschutz_in_sozialen_Netzwerken/Datenschutz_in_sozialen_Netzwerken_endgueltig.pdf.
[35] ULD activities concerning Facebook are documented at https://www.datenschutzzentrum.de/facebook/.
[36] Cf. fn. 15 and http://europa.eu/rapid/pressReleasesAction.do?reference=IP/12/46&format=HTML&aged=0&language=DE&guiLanguage=en.
[37] Mehr Datenschutz bei Apps für Smartphones und Tablets, http://www.fr-online/, 23.02.2012.
[38] The White House Washington, Consumer Data Privacy in a Networked World, a framework for protecting privacy and promoting innovation in the global digital economy, February 2012.
[39] Ralph, ´Do-not-track` button: Google, others agree to privacy setting on web browsers, 23.02.2012, http://www.globalpost.com/dispatch/news/business-tech/120223/do-not-track-button-google.
[40] Krempl, Datenschutzabkommen mit den USA steht weiter in den Sternen, http://www.heise.de/, 23.02.2012.
[41] Weichert, Codex digitalis, 30.08.2010, https://www.datenschutzzentrum.de/sommerakademie/2010/sak10-weichert-begruessung.pdf.
[42] Morozov, The Net Delusion, 2011.