Schrems II, from Snowden to China

Marc Rotenberg is quite right, in his new article Schrems II, from Snowden to China: Toward a new alignment on transatlantic data protection (European Law Journal), to say:

The United States should not update its privacy law because of a judgment of the European Court. The United States should update its privacy law because it is long overdue, because it is widely supported, and because the ongoing failure to modernise our privacy law is imposing an enormous cost on American consumers.” (p. 12)

Marc Rotenberg

And he makes an important point about the US authorities finally noticing that protecting personal data is also a national security concern — “The alignment of national security and data protection is accelerating.” (id.)

But I am not sure that Trump’s Secretary of State Mike Pompeo really accepted that means taking up this good advice and bringing in serious data protection law and remedies in the USA (and signing up to the Council of Europe’s Convention 108+).

When Pompeo cited the “long-term threat to data privacy, security, human rights and principled collaboration posed to the free world”, he emphasised the need to safeguard “the nation’s assets including citizens’ privacy and companies’ most sensitive information from aggressive intrusions by malign actors, such as the Chinese Communist Party.

I do not think he included the USA, or the NSA (or GCHQ etc.) in the group of “malign actors, such as the Chinese Communist Party.” I believe that the USA (and the UK! and the other 5EYES?) want to continue their excessive (untargetted, bulk) spying on everyone, except their own citizens; they just want to make sure that their strategic enemies (PR China, Iran) cannot do the same. Sorry if I sound pessimistic. (I even think that one element of support for Brexit came from this reluctance to be curtailed by EU law in this respect, or even the ECHR although they find that more difficult to get away from).

So I hope the USA will move on adopting real data protection rules and remedies, and will sign up to 108+ — but I am not holding my breath, not even for Biden 😞

What is more, real data protection a l’ Europe would have to apply to anyone whose data are or can be brought under the power (jurisdiction) of the spying state. In Europe, we do apply fundamental rights in this way (see section 3.3 in the Issue Paper on The Rule of Law on the Internet and in the wider Digital Environment I wrote for the Council of Europe Commissioner for Human Rights some years ago.)

But the USA continues to refuse to adopt this view and insists on not extending many constitutional protections (including privacy protections) to “non-US persons”. (They even succeeded in persuading the lawyer for the German secret service to adopt the same view – which was rightly slammed down by the Constitutional Court in a recent judgment). Does anyone really think that will change?