The Volokh Conspiracy
Mostly law professors | Sometimes contrarian | Often libertarian | Always independent
I recently posted about the threat posed to US counterterrorism efforts by European data protection dogma. Briefly, European law has long insisted that personal data may not be transferred to a country whose data protection law is not "adequate." And the European Court of Justice (ECJ) recently decided that U.S. surveillance law did not provide "adequate" protections for human rights; it authorized every data protection agency in Europe to impose an embargo on data exports to the United States.
You'd be right in thinking this story sounds familiar. In the last fifteen years, the EU has used the threat of a data embargo to create half a dozen transatlantic crises just over exports of travel reservation data, another two or three on financial data, years of negotiations over law enforcement data, and at least two over a "Safe Harbor" for U.S. firms who promise to follow European law when handling data in the United States. Yet despite all those crises and all those negotiations, the EU has never once cut off data transfers. It's fair to conclude from that history that a data embargo is for EU negotiators what nuclear weapons are to Kim Jong Un—a dandy way to force the United States to pay attention and negotiate, but not something they actually want to use.
You'd also be right in feeling some outrage. If Europe is looking for nations in need of moral tutelage about controlling surveillance and law enforcement, you wouldn't expect it to start with the United States, which yields to no nation in imposing legal limits on government surveillance. Yet no country has been threatened more often with a data embargo than the United States. Aside from deals with a few European ministates like Andorra, Europe has negotiated only a handful of agreements over data protection with other nations, declaring "adequate" the laws of Argentina, Canada, Israel, New Zealand, Switzerland, and Uruguay. The rest of the world, from Russia to Saudi Arabia and on to China, has never been forced into a single negotiation about the adequacy of their surveillance law. The threat of data embargoes over data protection, in short, is a weapon of mass hypocrisy—used only to chivy the United States and not to improve global human rights.
Unfortunately, the latest use of this weapon has crossed a line. The EU is demanding action that could seriously hamper America's ability to stop terror attacks. It's time to stop accommodating European hypocrisy and hostility. How? One possibility is to call Europe's bluff. I like that idea, in part because I did it once, while negotiating for the US over the use of travel data to cut the risk of terrorist attacks, and it worked; the EU quickly caved. (I tell the story in Skating on Stilts.) But raising the stakes for Europe was the point of my last post.
This time I'd like to suggest a different approach to the problem of Europocrisy over privacy. If I'm right, Europe has no intention of ever applying to the rest of the world the adequacy rules it has made up for the United States. If it did, Europe would almost certainly have to tell all its major trading partners that their security and surveillance laws do not meet the high standards set by Brussels—and that their companies' European subsidiaries may not collect and send home data about local customers or employees. Even the handful of countries who've received an adequacy determination would not be safe now that adequacy has been redefined by the ECJ to include restrictions on surveillance, a field where the governments of Argentina and Uruguay aren't exactly global leaders, to pick on two nations currently basking in an adequacy finding. Insulting all these trading partners the way it has insulted the United States would leave the European Union isolated diplomatically and commercially. The EU would find itself reinventing isolationism for the digital age.
So far, though, Europe has not needed to confront its double standard because bureaucrats and activists have been united in using the data protection weapon only against the United States. For example, Maximilian Schrems, whose complaint led to the ECJ opinion, has challenged many companies' data transfers—all of them American.
But that tacit anti-American alliance is fragile. European law purports to apply the same standards to every nation and to be available to anyone whose data is processed in Europe, a point the Europeans dwell on to show their law's superiority over ours. That means the same complaint process that Schrems used to attack US law can be used by anyone in Europe to challenge the laws of other countries.
Maybe it's time, as the Marxists used to say, to "heighten the contradictions" in European adequacy law.
Maybe it's time to bring Europe's hypocrisy home.
In a nutshell, I propose a monetary prize for the first person or group who successfully files European data protection complaints in three large European jurisdictions (say, France, Spain, and a German Land) against the transfer of data to ten countries with laws that do not meet the ECJ's standards for adequacy. The ten countries are Europe's ten largest non-European trading partners other than the United States. In order, they are: China, Russia, Japan, South Korea, India, Brazil, Saudi Arabia, Canada, Algeria, and the United Arab Emirates. Finding surveillance law inadequacies that dwarf the United States' in that group should be like shooting fish in a barrel.
We could call it the Europocrisy Prize.
How big is the prize? That's up to you. I propose to crowdfund it. I've asked several 501(c)(3) nonprofits to establish the prize; and as soon as I find one that isn't beholden to EU funding, we will open an Indiegogo site so that anyone can pledge a tax-deductible contribution to the prize. Pledges will be redeemed once contributions reach $10,000, at which point the prize will go live. But if you want to get a jump on the competition, feel free to start now and send me notice when they're complete. First is first. I personally guarantee the prize will be at least $1000 by the time you finish.
Some tips for contestants:
- Worried that you're not a European citizen? Not a problem. As the European Union never tires of telling us, their "rights of man" data protection law covers anyone whose data happens to be collected or processed in Europe. So all you need to do is be in Europe, even changing planes, when you interact with a company from one of the target countries. Expatriate Americans, members of the US armed forces stationed in Europe, even US embassy personnel - everyone can get in the act!
- Don't know how to file a complaint? Don't worry. Maximilian Schrems has posted his complaints against several American companies on the web. They may make a useful template if you drop the NSA-specific stuff and instead complain that companies aren't informing you about their home country's surveillance law. He'll hate you, but that's just a bonus.
- Wondering how you can claim to be a customer of companies in, say, Algeria? That's not as hard as you might think. Join WeChat and dollars-to-donuts your data is stored in China; join mail.ru and the Russians will be glad to add you to their database. Heck, there are even ten pages of Algerian Android apps listed in Google. Anyone who lives in Europe could fire up an Android phone, download a few Algerian apps, and be reasonably confident that their data is already on its way to Algiers. Reading the app's permissions and terms of service will tell you more; and if they don't, well, that's another ground for complaint in the always-guilty world of data protection enforcement.
- Can't wait to claim the prize while the data protection bureaucracy grinds slowly forward? To make the contest easier, half the prize will be awarded to the first group or person who makes proper filings covering all ten countries, without the need to wait for a ruling. The other half of the prize will be awarded as the data protection authority rules on the merits.
And for those of you with more money than time, watch for our Indiegogo campaign!