A clash of two western cultures on privacy
While it seems that Americans are helpless with respect to the protection of their personal (consumer) data from potential abuse by the likes of Facebook, Google, and perhaps 5000 other U.S. companies, and developing countries like China and Nigeria have much more important survival-related issues to contend with (than worrying about how citizens’ personal data are used), the European Union (EU) last week demonstrated some civility and its care for how the personal data of its citizens are handled by Facebook and thousands of U.S. companies.
You see, the significance attached to the protection of personal data may depend on the side of the Atlantic you are on. Although Americans talk a lot about constitutional rights, civil liberty, and all that stuff, when it comes to the need for the government to protect citizens’ personal data, Americans are usually very mum, at least so it seems. On the other hand, Europeans can die to protect their personal data, which is usually argued in terms of personal honor.
The current event started when a 27year old Austrian student and privacyactivist, Max Schrems, who was very dissatisfied with the way that Facebook handles the data it collects from users, took the matter to court to challenge the validity of the so-called “Safe Harbor” agreement (SHA) between the U.S. and Europe. The SHA was a framework that was used to create a single standard for the handling of private consumer data between the U.S. and Europe. Specifically, it was an agreement drawn up between governments allowing the transfer of citizens’ personal data between the two regions of the world, obviously without the consent of the citizens!
As alluded to above, the target in Schrems’ case is Facebook, whose European headquarter is in Dublin, Ireland. Schrems said his privacy had been violated by the U.S. National Security Agency (NSA) mass surveillance programs, which were flagrantly revealed in 2013 by the whistleblower Edwin Snowden, an NSA contractor. Schrems first brought the case against Facebook in Ireland, but the Data Protection Commissioner there, also the data regulator, rejected the case on the ground that the case was bound by SHA. Schrems appealed to the European Court of Justice (ECJ) - the EU Supreme Court, which, last week, overturned the judgment of the court in Ireland, ruling that SHA is unconstitutional.
An important aspect of the issue at hand is the depiction of the cultural differences about privacy across the Atlantic Ocean. Incidentally, this subject matter has received scholarly attention, as evidenced by the research, for example, of James Q. Whitman in Volume 113, 2004 issue of Yale Law Journal. (This is also Research Paper No. 4 of the Public Law and Legal Theory Research Paper Series at Yale University.) The idea is that while Europeans protect personal honor of ordinary Europeans, American law primarily protects liberty interest. Whitman suggests that the differences reflect the contrasting political and social ideals of continental (i.e., European) and American law. Will this theory wholly explain EU’s apparent disposition to control? I am not sure. Remember the numerous anti-competitive cases coming out of the continent, some of which I have reported on in this column? They are not about personal honor!
Bob Price suggests three implications of last week’s ECJ ruling in his 6 October 2015 UK Business Insider online article. The first is that individual European countries can now set their own regulations for US companies’ handling of citizens’ data. Price feels that this aspect will vastly complicate the regulatory environment in Europe. He also suggests that EU countries can choose to suspend the transfer of data to the US - forcing companies to host user data exclusively within the country. Lastly, Irish data regulator may now need to examine whether Facebook offered European users adequate data protections, and may order the suspension of Facebook’s transfer of data from Europe to the US if necessary. This seems like serious stuff.
The global effects of ECJ ruling on Internet technology could be very profound. For example, it is not just Facebook that will suffer, but, as mentioned earlier, up to 5000 U.S. companies who mine consumer data may have to figure out more legit way of obtaining the personal data of EU folks. (I wrote on Internet data brokers in this column in Daily Trust on 17 March 2014.) Furthermore, we have organizations that operate globally that will need to transfer data across the Atlantic. Another example of potential problem pertains to payment processing for merchandise purchase. A European making a purchase in the U.S. with a credit card will usually need to have his data transferred somehow to a U.S. point of sale.
Are there workarounds against the new EU law? You bet! Facebook can ask each of its billion users to “agree” to personal data transfer across the Atlantic. However, this option can potentially open up a “can of worms.” That is, the fairness of asking a user to agree to pages of conditions in fine-print size, which no one ever reads before agreeing to. While such practice may survive in the U.S., I see the EU disallowing it on the basis of unfairness to the consumer. Also, for global companies, asking employees to agree to cross-Atlantic personal data transfer may be frowned upon by the EU, but the legal system in the U.S. may somehow be more permissive, in favor of the employer.
Okay, continental (European) privacy law protects personal honor of the ordinary European, while American law protects liberty interests. Now, do we have an established relevant privacy law in, say, Nigeria, and, if so, what does it protect? Obviously, this one is for the legal luminary, aka, the SAN.