TTIP – How US Corporations Stole Your Private Data Irrespective Of EU Law

This week we reported on “How The US Blocked The EU Ban On Animal Testing In Cosmetics” as part of a mini-series of reports breaking down into digestible parts the hugely important document published by Corporate Observatory on how “regulatory cooperation” under TTIP allows bureaucrats and big business to attack the public interest.

Regulatory cooperation is set at the heart of the TTIP agreement with negotiations being held in secret between the US and the EU which poses a considerable threat, not just to the public interest but to the very heart of democratic principles. It fully illustrates that TTIP was instigated by big business, trade officials and unelected bureaucrats.

From the very beginning of transatlantic regulatory cooperation in 1995, the EU and the US have been hell-bent on including big business in decision making. For that reason, the European Commission and the US Department of Commerce helped to set up the Transatlantic Business Dialogue (TABD), a club of CEOs from some of the biggest companies on both sides of the Atlantic.

Below is an excerpt from the full document entitled “Dangerous Regulatory Duet“. This article relates only to how US corporations stole your personal information and not the many examples highlighted that paints a depressing outlook for the future of Europeans under the jackboots of TTIP.

How do you feel about US companies selling personal information about your life to whoever will pay? This happens very often, and the transactions are often in complete violation of EU data privacy rules that require your explicit consent. And even more pertinent: what if US companies routinely hand over massive amounts of information about EU citizens to US intelligence agencies?

Why are US companies not simply held accountable to EU law? This is because in 2000 the transatlantic parties (US and EU) concluded the so-called Safe Harbour agreement that enabled US companies to escape accountability. From the moment the EU adopted its data privacy directive in 1995, it was obvious that this was a thorn in the side of many US corporations. They were accustomed to the more relaxed, self-regulated atmosphere in the US, and were not happy with the EU’s demand that consent be secured from individuals before valuable personal information was gathered. At the time, as there was no formal ‘early warning mechanism’ in place, business was not in a position to start a huge debate with the Commission or the Council. Lobbyists did work against the directive in Brussels, but they lacked an obvious point of contact inside the administration on international privacy regulation issues. Attempts, also via the TABD, to have the EU water down the directive had little effect.

But there were other means available inside the framework of ‘regulatory cooperation’. Regulatory cooperation was not just to be about discussing drafts of proposals, but more generally about making rules less trade restrictive. Several tools were available in the 1998 Transatlantic Economic Partnership Action Plan, one of which was ‘mutual recognition’ – that one side accepts that the other side has taken steps that broadly meet the requirements. This was the avenue that the US sought with data privacy.

Confronted with the inevitable adoption of the EU rules, the TABD pushed for the EU and the US to find a solution via negotiations on the issue. However as there was no consensus in the business community, the TABD’s input was limited to some utterances about the ability of business to self-regulate following the US model. In parallel, though, individual companies lobbied governments extensively and successfully for a Safe Harbour agreement that would not inhibit their business models.

In March 2000, the Safe Harbour agreement was concluded. According to the agreement, US companies would have to sign a pledge that they would abide by seven core data privacy principles, including “clear and conspicuous” notice when making use of individuals’ information, and an obligation to be transparent about the onward transfer of information. The European authorities, however, would not have the means at their disposal to call into question decisions made by the US authorities to demand information about EU citizens from US companies.

At the time, this ‘self-regulation model’ was deemed insufficient and untrustworthy by many key players. On the European side, political support was practically non-existent beyond governments. The European Parliament adopted a report with a negative assessment of the substance of the agreement, but was ignored by the Commission with the argument that the Parliament did not have the power to demand substantive changes.

The TACD (the consumers dialogue), which had been adamantly opposed to the negotiations, urged “the European Commission and the Ministers of the European Council to reject the Safe Harbour proposal. The proposal will undermine the purpose of the EU Data Directive and compromise the privacy interests of European citizens.” However, all of this critique was brushed off by the Commission and the Council, and the agreement took effect in November 2000.

Events would prove the critics right. Signatory US companies did not respect the principles after all, and in 2013 the Commission flatly admitted in an evaluation report, that it had “identified a number of weaknesses in the scheme. As a result of a lack of transparency and of enforcement, some self-certified Safe Harbour members do not, in practice, comply with its principles.”

In response to the report, Monique Goyens from The European Consumer Organisation (BEUC) said: “This agreement claims to reassure EU and US consumers when their personal data is exchanged for commercial purposes, but it has now been shown to retain only a fig leaf of credibility. In practice, many signatories lack even a privacy policy. Recent events have highlighted the obvious imprudence of poorly designed data exchange agreements.”

Goyens’ position was supported by Jeff Chester from the Center for Digital Democracy: “Until the US enacts privacy protection for consumers in line with the EU approach, there should be no Safe Harbour regime in place. Given the strong opposition of the data collection lobby (Google, Facebook, etc), it is unlikely there will be any legislation soon, leaving both US and EU citizens unprotected.”

In the end, the Safe Harbour Agreement would prove to be yet another example of how regulatory cooperation can work in favour of big business groups and their pet issues, leaving both civil society groups and even the European Parliament on the sidelines.

But the death blow to the scheme came from another source. In October 2015, the European Court of Justice decided in favour of an Austrian citizen who complained about Facebook being required to hand over information about his private life to the US National Security Agency if so requested, with no questions asked and with no regard to EU rules on data privacy. Specifically, the court repealed the so-called Safe Harbour Agreement, which bars European authorities from interfering in data flows covered by the agreement. The Court concluded that such decisions lead to “compromising the essence of the fundamental right” to respect for private life and the rule of law.

Graham Vanbergen – truepublica.org.uk

---