Trans-Atlantic data privacy relations as a challenge for democracy

Bibliographic Information

Trans-Atlantic data privacy relations as a challenge for democracy

edited by Dan Jerker B. Svantesson, Dariusz Kloza

(European integration and democracy series, v. 4)

Intersentia, c2017

University library holdings: 2

Notes

Includes bibliographical references

Description and Table of Contents

Description

I think you are misunderstanding the perceived problem here, Mr President. No one is saying that you broke any laws. We are just saying it is a little bit weird that you did not have to.
-- John Oliver, The Daily Show, June 10, 2013

***

John Oliver formulated in this context the very question about the limits, about the use and abuse, of the law and of the state's power when it comes to global mass surveillance practices. Where does lie the 'thin red line' between the two legitimate yet seemingly competing interests: national security and privacy? [...]

The result we present to the reader might seem merely another book about the Snowden affaire and the fall of Safe Harbor, but these two have been (only) an inspiration. Our object of interest is the protection of data privacy in relations between Europe and Americas as a challenge for democracy, the rule of law and fundamental rights. [...] The present book is very clearly an anthology - it is a compilation of diverse contributions, from different perspectives, within a broad topic.

Our aim with this volume is to highlight a selection of particularly 'hot' questions within the topic of trans-Atlantic data privacy relations as they look at the end of 2016. [...] In the final chapter, we draw out and highlight those themes we see emerging within the body of this work. We eventually attempt to suggest a few lessons de lege ferenda.
-- From the Preface by the editors

(Series: European Integration and Democracy, Vol. 4) [Subject: Public Law, Privacy Law, Politics]

Table of Contents

Foreword by Dr Wojciech R. Wiewiorowski
Preface
List of Abbreviations

PART I PRIVACY AND ...

SECTION I PRIVACY AND TRANSBORDER FLOWS OF PERSONAL DATA

1. Transnational Data Privacy in the EU Digital Single Market Strategy - Rolf H. Weber
  1. Introduction
  2. Tensions between free data flow and data privacy
  2.1. Free data flow and data privacy as parallel EU objectives
  2.2. Data privacy as policy and regulatory topic
  2.2.1. Tensions between fundamental rights and regulatory frameworks
  2.2.2. Current developments in the EU
  2.2.3. Current developments in the US
  3. Inclusion of more actors in data protection rule-making
  3.1. Concept of multi-stakeholderism
  3.2. Implementation in the data privacy field
  4. Transboundary impacts of the data privacy framework
  4.1. Sovereignty and legal interoperability
  4.1.1. Traditional notion
  4.1.2. Challenges of a global cyberspace
  4.1.3. Interoperability of legal frameworks
  4.1.4. Achieving legal interoperability
  4.1.5. Increased legal interoperability in the data privacy field
  4.2. New participation models for data privacy rule-making
  4.2.1. Increased quality of rule-making
  5. Outlook

2. Principles for US-EU Data Flow Arrangements - Erich Schweighofer
  1. Introduction
  2. State sovereignty and the legal framework for international data transfer
  3. Requirement of essentially equivalent level of data protection
  4. US-EU data transfer regimes
  4.1. Intelligence data
  4.2. Law enforcement data
  4.3. US-EU adequacy arrangements: from Safe Harbour to Privacy Shield
  4.4. Protection of the negotiation process by the estoppel principle
  5. An international treaty as a better solution for this dilemma?
  6. Use of derogations as additional safeguards for data exchange due to the insufficiently solved data exchange question
  7. Conclusions

3. The Role of Proportionality in Assessing Trans-Atlantic Flows of Personal Data - David
  1. Introduction
  2. Proportionality under EU law
  3. Proportionality and EU data privacy law
  4. The Snowden revelations and the PRISM programme
  5. The Schrems decision
  5.1. Background
  5.2. The CJEU ruling
  6. Legal evaluation of the Schrems decision
  7. Proportionality, privacy rights and democracy
  8. Proportionality, trans-Atlantic and transborder data flows
  9. The 'Privacy Shield' and proportionality
  10. Conclusion

4. US Surveillance Law, Safe Harbour and Reforms Since 2013 - Peter Swire
  1. Introduction
  2. The fundamental equivalence of the United States and EU Member States as constitutional democracies under the rule of law
  2.1. The United States is a constitutional democracy under the rule of law
  2.2. Fundamental protections related to law enforcement surveillance
  2.3. Fundamental protections related to national security surveillance
  2.4. Conclusion
  3. The section 702 PRISM and Upstream programmes are reasonable and lawful responses to changing technology
  3.1. The legal structure of section 702
  3.2. The PRISM programme is not a bulk collection programme
  3.3. The Upstream programme accesses fewer electronic communications than PRISM
  3.3.1. How the Upstream technology works
  3.3.2. Judge Bates' declassified opinion about section 702 illustrates judicial oversight of NSA surveillance
  3.4. Conclusion
  4. The US has taken multiple and significant actions to reform surveillance laws and programmes since 2013
  4.1. Independent reviews of surveillance activities
  4.1.1. Review Group on Intelligence and Communications Technology
  4.1.2. Privacy and Civil Liberties Oversight Board
  4.2. Legislative actions
  4.2.1. Increased funding for the PCLOB
  4.2.2. Greater judicial role in section 215 orders
  4.2.3. Prohibition on bulk collection under section 215 and other laws
  4.2.4. Addressing the problem of secret law - declassification of FISC decisions, orders and opinions
  4.2.5. Appointment of experts to brief the FISC on privacy and civil liberties
  4.2.6. Transparency reports by companies subject to court orders
  4.2.7. Transparency reports by the US government
  4.2.8. Passage of the Judicial Redress Act
  4.3. Executive branch actions
  4.3.1. New surveillance principle to protect privacy rights outside of the US
  4.3.2. Protection of civil liberties in addition to privacy
  4.3.3. Safeguards for the personal information of all individuals, regardless of nationality
  4.3.4. Retention and dissemination limits for non-US persons similar to US persons
  4.3.5. Limits on bulk collection of signals intelligence
  4.3.6. Limits on surveillance to gain trade secrets for commercial advantage
  4.3.7. New White House oversight of sensitive intelligence collection, including of foreign leaders
  4.3.8. New White House process to help fix software flaws rather than use them for surveillance
  4.3.9. Greater transparency by the executive branch about surveillance activities
  4.3.10. Creation of the first NSA civil liberties and privacy office
  4.3.11. Multiple changes under section 215
  4.3.12. Stricter documentation of the foreign intelligence basis for targeting under section 702
  4.3.13. Other changes under section 702
  4.3.14. Reduced secrecy about national security letters
  4.4. Conclusion

INVITED COMMENTS

5. The Paper Shield: On the Degree of Protection of the EU-US Privacy Shield against Unnecessary or Disproportionate Data Collection by the US Intelligence and Law Enforcement Services - Gert Vermeulen
  1. Background: inadequacy of the US data protection regime: clear to everyone after Snowden
  2. Safe Harbour unsafe
  3. Safe Harbour is dead
  4. Long live the Privacy Shield!
  5. Limitations and safeguards regarding data collection in the interest of national security
  5.1. Collection and access versus access and use: one big amalgamation
  5.2. Bulk collection remains possible
  5.3. Access and use do not comply with strict necessity and proportionality requirements
  5.4. Ombudsperson
  6. Limitations and safeguards regarding data collection in the interest of law enforcement or public interest
  7. Conclusion

6. International Data Transfers in Brazil - Danilo Doneda
  1. Introduction
  2. The situation in Brazil and Latin America
  3. Elements of regulation of international data transfers in Brazil
  4. Conclusion

SECTION II PRIVACY AND INTERNATIONAL TRADE

7. From ACTA to TTIP: Lessons Learned on Democratic Process and Balancing of Rights - Trisha Meyer and Agnieszka Vetulani-Cegiel
  1. Introduction
  1.1. Anti-Counterfeiting Trade Agreement
  1.2. Transatlantic Trade and Investment Partnership
  2. Participatory turn
  2.1. Problem definition
  2.2. European Commission principles of good governance
  2.2.1. Anti-Counterfeiting Trade Agreement
  2.2.2. Transatlantic Trade and Investment Partnership
  3. Balancing of rights
  3.1. Problem definition
  3.2. Max Planck Principles for Intellectual Property Provisions in Bilateral and Regional Agreements
  3.2.1. Anti-Counterfeiting Trade Agreement
  3.2.2. Transatlantic Trade and Investment Partnership
  4. Conclusion

8. Free Trade Agreements and Data Privacy: Future Perils of Faustian Bargains - Graham Greenleaf
  1. Introduction - bargaining with privacy rights
  1.1. The USA's forum-shifting on personal data exports
  1.2. Data privacy agreements: not bananas
  2. FTAs and data privacy prior to 2016 - a quiescent past
  2.1. GATS exception and unpredictable WTO jurisprudence
  2.2. Regional trade agreements - examples
  2.2.1. SAARC trade agreements
  2.2.2. ASEAN trade agreements (ASEANFAS and AANZFTA)
  2.2.3. Latin America - the Pacific Alliance agreement
  2.3. The impact of multilateral FTAs on privacy prior to 2016
  3. The Trans-Pacific Partnership (TPP) Agreement (2016) - present danger
  3.1. The parties, now and future: nearly all of APEC, perhaps beyond
  3.2. Scope includes any measures affecting trade
  3.3. Vague and unenforceable requirements for personal information protection
  3.4. Direct marketing limitations
  3.5. Restrictions on data export limitations
  3.6. Prohibitions on data localisation
  3.7. Dispute settlement
  3.8. The spectre of ISDS
  3.9. The TPP as an anti-privacy precedent
  4. FTAs in progress: the veil of secrecy, lifted in part
  4.1. Trade in Services Agreement (TISA) - potentially the broadest FTA
  4.2. FTAs involving the EU - unusual openness and privacy constraints
  4.2.1. Transatlantic Trade and Investment Partnership (TTIP) - the EU/USA FTA
  4.2.2. EU-Canada Comprehensive Economic and Trade Agreement (CETA)
  4.3. Regional Comprehensive Economic Partnership (RCEP) - a TPP alternative or complement
  4.4. Pacific Agreement on Closer Economic Relations (PACER) Plus - a privacy opportunity?
  5. Conclusions: future FTAs, the fog of trade and national privacy laws - Faustian bargains?

INVITED COMMENT

9. Nine Takeaways on Trade and Technology - Marietje
  1. No old-school trade - views to address the digital economy of the future
  2. Trade negotiations can learn from Internet governance
  3. Don't panic! Proposals in negotiations are not final texts
  4. Data flows have a legitimate place in 21st-century trade agreements, but this does not mean our privacy will be destroyed
  5. Trade agreements can improve digital rights
  6. Strengthening digital trade is not just a question of data flows
  7. The possibility of setting information and communications technologies standards in trade agreements should be explored
  8. Discussions at bilateral and multilateral levels are moving, more should be done at the WTO
  9. Lessons from ACTA are still relevant

SECTION III PRIVACY AND TERRITORIAL APPLICATION OF THE LAW

10. Extraterritoriality in the Age of the Equipment-Based Society: Do We Need the 'Use of Equipment' as a Factor for the Territorial Applicability of the EU Data Protection Regime? - Michal Czerniawski
  1. Introduction
  2. Territorial scope of the Data Protection Directive
  3. Role of 'equipment' criterion in practice
  4. Article 3(2) of the General Data Protection Regulation
  4.1. General description
  4.2. Possible impact on the EU-US data privacy relationships
  5. Conclusion

11. Jurisdictional Challenges Related to DNA Data Processing in Transnational Clouds - Heidi Beate Bentzen and Dan Jerker B. Svantesson
  1. Introduction
  2. DNA in the clouds - the basics
  2.1. How and why DNA data is used
  2.2. Why cloud?
  3. Why it is so important to find legal solutions in this field
  4. Entering the international arena - public, and private, international law
  4.1. Public international law: the not so golden triangle: sovereignty, territoriality and
  4.2. Private international law
  4.2.1. Where disputes should be settled
  4.2.2. Applicable law
  5. Contours of a solution
  5.1. The limits of territoriality
  5.2. Harmonisation
  5.3. Better relation between regulation and technology
  5.4. Risk mitigation
  5.5. Education
  5.6. Balance of responsibilities
  6. Concluding remarks

SECTION IV PRIVACY AND CRIME

12. Regulating Economic Cyber-Espionage among States under International Law - Masa Kovic Dine
  1. Introduction
  2. Legality of espionage under international law
  2.1. Traditional espionage and international law
  2.2. Definition of economic cyber-espionage/exploitation
  3. Special characteristics of economic cyber-exploitation
  4. Economic cyber-exploitation and privacy considerations at the international level
  5. Economic cyber-espionage and the TRIPS Agreement
  6. Act of pillage
  7. Economic cyber-exploitation among states
  8. Conclusion

INVITED COMMENTS

13. Terrorism and Paedophilia on the Internet: A Global and Balanced Cyber-Rights Response Is Required to Combat Cybercrime, Not Knee-Jerk Regulation - Felicity Gerry QC
  1. Introduction
  2. Cyber-communication
  3. Cyber rights
  4. Cyber freedom
  5. Cyber regulation
  6. Cyber surveillance
  7. Cyber change
  8. Cyber law
  9. Cyber protection
  10. Conclusion

14. Understanding the Perpetuation of 'Failure': The 15th Anniversary of the US Terrorist Finance Tracking Programme - Anthony Amicelle

SECTION V PRIVACY AND TIME

INVITED COMMENTS

15. Does It Matter Where You Die? Chances of Post-Mortem Privacy in Europe and in the United States - Ivan Szekely
  1. The legal landscape
  2. Converging technologies, diverging policies
  3. Prospects for the future deceased

16. The Right to be Forgotten, from the Trans-Atlantic to Japan - Hiroshi Miyashita
  1. The trans-Atlantic debate
  2. Judicial decisions in Japan
  2.1. For the right to be forgotten
  2.2. Against the right to be forgotten
  3. Delisting standard
  3.1. Torts and right to be forgotten
  3.2. Balancing
  3.3. Standard-making
  4. Technical issues
  5. Legislative debate
  6. Time and privacy

PART II THEORY OF PRIVACY

17. Is the Definition of Personal Data Flawed? Hyperlink as Personal Data (Processing) - Jakub Misek
  1. Introduction
  1.1. Definition of personal data
  1.2. Hyperlink and personal data
  1.2.1. Hyperlink as personal data
  1.2.2. Hyperlink as personal data processing
  1.2.3. Comparison of the two approaches and their consequences
  1.2.4. Practical example
  1.3. Discussion and conclusion

18. Big Data and 'Personal Information' in Australia, the European Union and the United States - Alana Maurushat and David Vaile
  1. Introduction
  2. Big data, de-identification and re-identification
  3. Definitions of information capable of identifying a person
  3.1. 'Personal Information' (PI) in Australia
  3.1.1. OAIC Australian Privacy Principles Guidelines
  3.1.2. Factors affecting 'identifiability' and reasonableness
  3.1.3. 'Not reasonably identifiable' - guidance?
  3.1.4. Consideration of the scope of 'personal information'
  3.2. 'Personal Information' (PI) in the APEC Privacy Framework
  3.3. 'Personally Identifying Information' (PII) in the US
  3.3.1. HIPAA
  3.3.2. Office of Management and Budget
  3.3.3. Data breach
  3.3.4. Children's Online Privacy Protection Act
  3.4. De-identification
  3.5. 'Personal Data' (PD) in Europe and the OECD
  3.5.1. CoE Convention 108
  3.5.2. OECD Privacy Framework
  3.5.3. EU Data Protection Directive
  3.5.4. EU e-Privacy Directive
  3.5.5. Article 29 Data Protection Working Party Guidance
  3.5.6. National implementation example: UK Data Protection Act 1998
  3.5.7. New EU General Data Protection Regulation
  4. Comparing the frameworks
  4.1. Australia and US
  4.2. Australia and EU
  4.3. US and EU
  5. Concluding remarks

19. Blending the Practices of Privacy and Information Security to Navigate Contemporary Data Protection Challenges - Stephen Wilson
  1. Introduction
  2. What engineers understand about privacy
  3. Reorientating how engineers think about privacy
  3.1. Privacy is not secrecy
  3.2. Defining personal information
  3.3. Indirect collection
  4. Big Data and privacy
  4.1. 'DNA hacking'
  4.2. The right to be forgotten
  4.3. Security meets privacy
  5. Conclusion: rules to engineer by

20. It's All about Design: An Ethical Analysis of Personal Data Markets - Sarah Spiekermann
  1. A short utilitarian reflection on personal data markets
  1.1. Financial benefits
  1.2. Knowledge and power
  1.3. Belongingness and quality of human relations
  2. A short deontological reflection on personal data markets
  3. A short virtue-ethical reflection on personal data markets
  4. Conclusion

PART III ALTERNATIVE APPROACHES TO THE PROTECTION OF PRIVACY

21. Evaluation of US and EU Data Protection Policies Based on Principles Drawn from US Environmental Law - Mary Julia Emanuel
  1. Introduction
  1.1. A brief history of US privacy policy
  1.2. A brief history European privacy policy
  1.3. The dangers of surveillance
  1.4. Recognising privacy as a societal concern
  2. Three proposals based on concepts of American environmental policy
  2.1. Right-to-know
  2.1.1. The Emergency Planning and Community Right-to-Know Act of 1986
  2.1.2. Establishing the right-to-know in the data protection
  2.1.3. Evaluation of relevant US policy
  2.1.4. Evaluation of relevant EU policy
  2.2. Impact assessments
  2.2.1. The National Environmental Policy Act of 1970
  2.2.2. NEPA as a model for privacy impact assessment
  2.2.3. Evaluation of relevant US policy
  2.2.4. Evaluation of relevant EU policy
  2.3. Opt-in privacy policy
  2.3.1. Mineral rights and the value of 'opting in'
  2.3.2. Consumer benefits from data collection
  2.3.3. Evaluation of relevant US policy
  2.3.4. Evaluation of relevant EU policy
  3. Conclusion

22. Flagrant Denial of Data Protection: Redefining the Adequacy Requirement - Els De Busser
  1. Point of departure
  2. Reasons for using extradition in redefining adequacy
  2.1. Interstate cooperation
  2.2. Protected interests and human rights
  2.3. Trust
  2.4. Jurisprudence
  3. Using the perimeters of extradition for data protection
  3.1. Avoidance strategies
  3.1.1. Negated and assumed adequacy
  3.1.2. Assurances
  3.1.3. Legal remedies
  3.1.4. Evidence
  3.2. Real risk
  3.3. New limit for the adequacy requirement
  4. Conclusion: a flagrant denial of data protection

23. A Behavioural Alternative to the Protection of Privacy - Dariusz Kloza
  1. Introduction
  2. Tools for privacy protection
  2.1. Regulatory tools
  2.1.1. Legal tools
  2.1.2. Not only law regulates
  2.2. Beyond regulation
  2.2.1. Organisational protections
  2.2.2. Technological protections
  3. Inadequacies of contemporarily available tools for privacy protection
  3.1. Introduction: irreversibility of harm
  3.2. Inadequacies
  3.2.1. Regulatory tools
  3.2.2. Organisational tools
  3.2.3. Technological tools
  4. The behavioural alternative
  4.1. History
  4.2. Typology
  4.3. Implications
  4.3.1. Characteristics
  4.3.2. Conditions
  4.3.3. Problems
  5. Conclusion

24. The Future of Automated Privacy Enforcement - Jake Goldenfein
  1. Characterising contemporary law enforcement surveillance
  2. The utility of existing legal mechanisms
  3. Articulation into infrastructure
  4. Automated privacy enforcement
  5. Questions for further research
  6. Conclusion

25. Moving Beyond the Special Rapporteur on Privacy with the Establishment of a New, Specialised United Nations Agency: Addressing the Deficit in Global Cooperation for the Protection of Data Privacy - Paul De Hert and Vagelis Papakonstantinou
  1. Introduction
  2. The deficit in global cooperation for the protection of data privacy
  3. Past and recent UN initiatives in the data privacy field
  4. Suggesting the establishment of a new, specialised UN agency on data privacy
  5. The WIPO model as useful guidance towards the establishment of a UN system for the global protection of data privacy
  6. Conclusion

INVITED COMMENT

26. Convention 108, a Trans-Atlantic DNA? - Sophie Kwasny
  1. Convention 108, trans-Atlantic at birth
  2. Definitely more trans-Atlantic 30 years later
  2.1. Canada
  2.2. Mexico
  2.3. Uruguay
  2.4. United States
  2.5. The Ibero-American network of data protection authorities (Red Iberoamericana de proteccion de datos)
  3. A new landscape: the Committee of Convention 108
  4. To ultimately transcend all borders
  5. Conclusion

CONCLUSION

27. Landscape with the Rise of Data Privacy Protection - Dan Jerker B. Svantesson and Dariusz Kloza
  1. Introduction
  2. General observations
  2.1. Novelty of the concept of data privacy and a growing nature thereof
  2.2. The rapid and continuous change of data privacy, its diagnoses and solutions
  2.3. Entanglement of data privacy in the entirety of trans-Atlantic relations
  2.4. Intermezzo: audiatur et altera pars
  3. Specific observations
  3.1. Regulation of cross-border data flows
  3.2. Territorial reach of data privacy law
  3.3. Free trade agreements and data privacy
  3.4. Regulation of encryption
  3.5. Regulation of whistle-blowing
  4. A few modest suggestions as to the future shape of trans-Atlantic data privacy relations

Source: Nielsen BookData
