In 2013, when Edward Snowden revealed the extent of the mass surveillance being orchestrated by the US National Security Agency (NSA), civil liberties groups around the world were alarmed.
So, too, were individuals such as Max Schrems, the Austrian campaigner whose legal action against Facebook led the European Court of Justice to declare Safe Harbour invalid in October 2015.
The European Union and the US, which had negotiated Safe Harbour, the first framework for commercial transatlantic exchanges of personal data between the EU and the US, responded by introducing a new protocol – Privacy Shield.
This, too, has attracted criticism, in that its protections for citizens’ data privacy may not reach far enough – and some of the most vociferous criticism has come from within the European Parliament itself.
As well as being a Labour MEP for London and deputy leader of the European Parliamentary Labour Party, Claude Moraes is chair of the European Parliament’s Civil Liberties, Justice and Home Affairs Committee (LIBE), currently the largest legislative committee in the parliament.
Moraes says LIBE’s particular role is scrutiny. LIBE projects have examined topics ranging from Swift, the international payment network, to terrorist finance tracking, and international agreements relating to justice and home affairs. “The most important issue that has arisen is the need for privacy and the proper use of individual citizens’ data,” he says.
“We have consistently called for an arrangement on Privacy Shield… to have a strong level of data protection, meet the requirements of the charter of fundamental rights, and the data protection legal framework,” he adds.
In February 2014, a LIBE report into mass surveillance slammed Safe Harbour’s privacy provisions, and also criticised social media companies for failing to use end-to-end encryption.
The EU’s General Data Protection Regulation (GDPR), due to take effect in 2018, was overseen by Moraes’ deputy chair in LIBE, Jan Albrecht. “It remains the single biggest piece of legislation ever enacted in the EU’s history – and we are very proud of that,” says Moraes.
However, a rise in the standards of data protection in Europe will have an impact on transcontinental data transfers. “Now we are in a situation where these transfers are done in an unequal way,” says Moraes. “So the Privacy Shield itself then becomes a huge issue.”
Privacy Shield was accepted by the European Commission (EC) in July 2016, towards the end of US president Obama’s time in power, with provision for a review in September 2017. “Under the Obama administration, we had got some small progress,” says Moraes, “but obviously many, many problems.” The prospect of a new administration was worrying.
While many on the political centre right felt that Privacy Shield was an adequate safeguard, Moraes disagreed. “In my view it was flawed, and I went on record as saying that, having looked at the evidence,” he says.
He also felt that if Privacy Shield were to proceed, it could pave the way for the European Court of Justice (ECJ) to rule against it. “There was no question of it not being examined at some point, in terms of privacy,” he says.
Moraes pressed forward with a motion of resolution, a formal vote of objection to the EC’s endorsement of Privacy Shield, ahead of the planned review. “Basically, a lot of people had already said leave the resolution until much later in the year,” he says. “I said no, it has to be done so that it is effective and gives a mandate to the commission.”
The vote was controversial. “The European People’s Party, which is the centre right, felt that Privacy Shield was a sufficient kind of substitute for Safe Harbour, and didn’t want to go down the road that we had gone on Safe Harbour,” he says.
Privacy Shield passed
Eventually, Privacy Shield was passed, both within LIBE and in plenary, with a reasonable majority, but there was quite a big minority against, says Moraes.
Moraes stresses that the European Parliament is not equipped to solve such problems unilaterally. “We have particular powers on this,” he says, “but the EC is very much in the driving seat.” As such, it is the Commission that negotiates directly with the US.
LIBE itself is sending a delegation to Washington in July 2017 to hear US national security views on the resolution and meet Catherine Novelli, who is due to take up the new role of Privacy Shield’s ombudsman. LIBE members are still concerned that Novelli’s office will not have sufficient capacity and sanctions at its disposal, says Moraes.
He refers to the judgment in the Schrems case as “the other big elephant in the room”. The ECJ ruling demands equivalence in data protection standards for transfers between the EU and US, and the US would have to raise its game to ensure that, he says. “We couldn’t just do business as usual knowing that data protection standards were vastly different in the two entities. We just couldn’t.”
While LIBE does not place much weight on corporate lobbying, the committee invites industry views in open hearings, from technology companies, privacy advocates, NGOs and lawyers. Opinions have varied, says Moraes. “Companies gave their view on Privacy Shield, and it was a mixed bag.”
The majority simply wanted to get on with business as normal, says Moraes, while some were concerned by the perceived deficiencies of the new arrangement. “You couldn’t have a Privacy Shield that was going to collapse with a court judgment, or have fundamental flaws that meant it was going to go the same way as Safe Harbour,” he says.
Moraes believes it is LIBE’s duty to ensure that privacy and citizens’ data remain at the top of its agenda, and that many companies share this approach, but that they do not work in isolation. “I am not sure it’s just about the tech companies themselves, but the tech companies and their relationship with government and their relationship with citizens, and I think this is the key,” he says.
EU Parliament’s resolution on the adequacy of the protection afforded by the EU-US Privacy Shield: Claude Moraes’ key concerns
- The need for effective oversight.
- National security and mass surveillance exemptions – their constitution and mechanism.
- Non-US citizens’ access to judicial redress.
- Integration of Privacy Shield and general data protection regulations.
- The European Commission’s chosen procedure for an implementation decision which limited the Parliament’s expression.
Moraes distinguishes between the responsibilities of small to medium-sized enterprises (SMEs) and those of multinationals. “I think the giants, without doubt – you know, Facebook, Microsoft, Google, all these companies – have the unambiguous moral responsibility in this area to work with their users, which happen to be vast amounts of the population of the world, governments, to not come under pressure from the government on the one hand, but to ensure the privacy and the safety of citizens,” he says.
In 2013, as part of LIBE’s inquiry into mass surveillance, Moraes raised the issue of end-to-end encryption – a “very, very fraught issue” – with Microsoft. At the time, nobody else had put this to the company. “I just do not accept that you cannot regulate in this area,” he says. “It is a moving feast, but we have to have more dramatic moves by these companies.”
Speaking of a visit LIBE paid to Facebook’s headquarters in Silicon Valley, Moraes was struck by the modesty of the building, considering that the company shapes the lives of millions. “The elections that they affect, for example,” he says, “I just don’t think that it’s matched by any element of how they’re operating.”
Moraes is unimpressed by Facebook’s recent use of journalists to examine content. “These are small moves for such a rich and powerful organisation,” he says.
Smaller companies have less power, but typically want to support their customers, he says. “We believe there are many companies that feel very frustrated with their interaction with government, for example the US, because very often they are asked to make compromises.”
Working with tech industry
From corporate giants to small companies, Moraes is clear that regulation must be effective and may not be what people are used to handling. “We want the tech industry to work with us and have high standards, and we accept that it will not be the way that the traditional media is regulated,” he says.
Moraes, who lives close to London’s Old Street digital hub, calls on the tech industry to work with the EU to safeguard the public. “We don’t want to hinder innovation and progress, but we do want to work with industry,” he says. The EU, he insists, “wants intelligent regulation that doesn’t stifle innovation”.
If and when the UK leaves the EU, it will no longer be signed up to EU treaties and agreements, including Privacy Shield, and the bigger tech companies will be affected, says Moraes.
The UK’s safeguarding landscape is likely to remain more or less the same, however, with the country likely to follow the EU’s lead. “I think the issue will be if the EU law is modified, the UK national legislation will have to be modified,” he says. The UK regulator has already made equivalence a priority, he adds.
“In the meantime, you’ll end up with some standard contractual clauses between the UK and EU data controllers and processors. And then there’ll be a self-adequacy assessment and then there’ll be possibly a self-certification scheme. But it’s a lot more work than it would have been.”
As a London MEP, Brexit would put Moraes out of a job, just when he might be most needed to represent the UK’s data-sharing interests. “There’s going to be a lot of work as a result of leaving,” he says.