Apple’s FBI clash risks piercing trust in EU privacy shield
Apple Inc.'s fight with the U.S. government over whether it can be forced to help unlock an iPhone has spilled across borders, threatening to delay a trans-Atlantic pact protecting European data from American eyes.
National regulators from across the European Union promised to give their verdict next month on the so-called privacy shield deal, which toughens EU protections where the U.S. is involved. The Apple case is raising concerns that the new plan doesn't go far enough, regional politicians, officials and lawyers said. That in turn could mean more deliberation and push back the completion date.
Data-protection regulators will probably "be thinking about the FBI's demands on Apple when reviewing the viability of the shield and its level of safeguards," said Wim Nauwelaerts, a privacy lawyer at Hunton & Williams LLP in Brussels. Europe has traditionally had tighter protections for personal data than in the U.S., and revelations by Edward Snowden showing the extent of American security agencies' snooping into communications overseas have exacerbated tensions between the two regions.
The EU was already struggling to garner support to ratify the shield when the fight between Apple and the FBI began last month and raised awareness of how far law enforcement can go to get around people's encryption and security devices.
Last month's draft deal setting up the shield was designed to ensure European users' data is safe from access in the U.S. when companies ship it across the Atlantic for commercial reasons.
The EU heralded the agreement, saying that, for the first time, the U.S. gave it binding assurances that law enforcement and national security would have strictly limited access to Europeans' data. Among the proposed commitments was the creation of a special ombudsman in the U.S. State Department who would follow up on complaints and inquiries by individuals about data access.
The EU and U.S. were forced to the negotiating table after the EU's highest court in October struck down a previous 15-year-old pact, called safe harbor, for failing to offer sufficient safeguards against security services.
The EU court found "that the access that U.S. authorities had to EU citizens' data was too easy," said Paul Bernal, a legal scholar at the University of East Anglia in England. If Apple loses the fight with the FBI and "authorities can effectively backdoor phones, that makes this access even easier."
Viviane Reding, the EU's former justice commissioner, said a recent case involving American demands for access to Hotmail messages held on Microsoft Corp.'s Irish servers shows that Europeans are right to be wary of the U.S.
Soon after the EU and U.S. heralded a separate deal last September on data privacy in law enforcement cooperation, "the U.S. Department of Justice argued in front of a U.S. Federal court to bypass existing legal frameworks between Europe and America," she said. "That was the Microsoft case. This doublespeak is just terrible.
Here we do have exactly the same problem with the Apple case." While the privacy shield gives Europeans stronger protections in some areas, said Reding, who is now a member of the European Parliament, "when it comes to the intelligence services, the text is the same as it was when I left office in 2014." On bulk data collection, she said new exemptions have been added.
The European Commission, which led negotiations with the U.S., insisted that the questions related to the Apple case aren't comparable.
"The whole concept of the shield in relation to national security and law enforcement is to set out clear limitations and safeguards to what might be technically feasible for U.S. authorities," said Christian Wigand, a spokesman for justice policy. "And we will of course hold the U.S. accountable to these strong commitments made through a monitoring and review system put in place through the shield."
Still, some regulators in the EU say the Apple case, and the issues at stake, makes it harder to rebuild lost confidence about data privacy.
"We are concerned about a global backlash in user trust, if companies can be forced to issue weak security versions of their products," said Jacob Kohnstamm, head of the Dutch data protection authority, who sits on the panel of national officials known as the Article 29 Working Party. While the Apple case has triggered a storm of controversy, the focus may quickly shift to EU nations, including the U.K. and France, which are also grappling with how to deploy technology to take on Islamist terrorists and hostile states without trampling on civil liberties.