A majority of Passcode Influencers said that Europeans should be allowed to sue in US courts if their personal data is misused.
A new data-sharing agreement is currently in the works between the US and European Union, after the European Court of Justice struck down a the 15-year-old Safe Harbor agreement allowing companies to transfer data across the Atlantic.
European policymakers and privacy advocates are arguing for stronger protections for Europeans’ personal data, such as Web searches, as it’s transferred to the US – and some want Europeans to have the right to sue in US courts for privacy breaches.
There is already movement in that direction. Earlier this year, Brussels and Washington agreed Europeans could sue if their personal data transferred to US agencies for law enforcement purposes is misused. But it’s up to Congress to allow it to happen. As a bill makes its way to the Senate, 76 percent of Passcode Influencers say that Europeans should have that right to sue in US courts.
“Without access to US courts and real remedies, the privacy rights are more promise than protection,” said Jenny Durkan, chair of the Cyber Law and Privacy Group at Quinn Emanuel law firm.
Passcode’s Influencers Poll is a regular survey of more than 120 experts (listed below) in digital security and privacy, from across government and the private sector. To preserve the candor of their responses, Influencers have the option to comment on the record or anonymously.
For some Influencers, the whether or not Europeans should be allowed to sue came down to human rights. “At heart of the question is whether privacy is a human right,” an Influencer who preferred to remain anonymous said. “If yes, [give them] the right to sue. If no, we should have fundamental questions about interpretation of the Constitution.”
It’s also a matter of fairness, some said. “If data is indeed being misused, there should be a remedy. What the question doesn’t ask is what should count as misuse. But there’s no reason to offer differing protections here based on the citizenship of the person whose data a company is handling,” said Jonathan Zittrain, a Harvard law professor. “And protection irrespective of country of origin is not only the right thing to do. It also gives US companies an important competitive advantage.”
Making a decision about whether to give Europeans legal rights is just the tip of the iceberg, said Sascha Meinrath of tech policy think tank X-Lab. The bigger issue, Mr. Meinrath said, is whether courts can provide sufficient remedies for data abuses.
“So long as international agreements signed by the US impact European Union residents, they should have full access to avail themselves to the US legal system,” he said. “Sadly, what they are likely to find is that the US court system has proven woefully ill-equipped to handle surveillance and data collection malfeasance.”
A 26 percent minority of Passcode Influencers said Europeans should not be given the right to sue in US courts. “This would require ratification of law that allows US companies to be strictly responsible for every privacy law whim of every other country,” said an Influencer who prefers to remain anonymous.
The Influencer instead argued that other approaches would be more effective to achieve the same end: Privacy protection? “A better approach would be a single Internet wide ratified legal framework rather than the patchwork of country and state privacy laws that are a huge burden on businesses.”
Allowing Europeans to sue, another Influencer who preferred to remain anonymous said, is a debate for another time.
“Let’s get the more basic extraterritorial stuff right first, and then work on this one,” the Influencer said.
What do you think? VOTE in the readers’ version of the Passcode Influencers Poll.
Passcode gathered more than 120 high-profile security and privacy experts for the Influencers Poll. Click their names below to learn more about them.
Lorrie Faith Cranor
Angela L. Heise
Jane Holl Lute
“Europeans should have the same right to sue as Americans under the Privacy Act.” - Peter Swire, Georgia Tech Scheller College of Business
“The legal right follows from the commercial use. Simple solution is to minimize the collection of personal data. This would have many benefits - including the risks of data breach, identity theft, and financial fraud. But the innovative solutions will not emerge unless there is liability for the misuse of data.” - Marc Rotenberg, Electronic Privacy Information Center
“Yes, if (i) subject to the same exemptions that already protect the appropriate law enforcement and intelligence-gathering activities of the U.S. government from improper disclosure, and (ii) part of an umbrella agreement with the EU that facilitates the flow of transatlantic data and that ensures US persons have similar remedies vis-a-vis European governments.” - Bobby Chesney, University of Texas School of Law
“With Congress choosing not to act on data privacy, it’s up to the courts (and the FTC) to create case law-based guidance. Lawsuits should be an option for anyone wronged by the misuse or failure to reasonably protect personal data.” - Chris Finan, Manifold Security
“This is a practical matter. If Europeans don’t have rights to sue here, then they’ll just force US companies operating there to give them the rights to sue there. This makes sorting out jurisdiction harder, as well as further fueling the fight over safe harbor, use of personal data, misuse by the US government and so on.” - Jon Callas, Silent Circle
“Clearly a complex issue, but Europeans should have protections over their data within US borders. The more important questions becomes: Which laws apply? Should Europeans be able to seek protections under European law, or American law?” - Influencer
“They may well have the right to sue; the much harder question is whether they should win or if they do, what the remedies should be. In my view even if the answer to the first question is “yes,” the question to the latter two are far less certain to produce a positive outcome for Europeans.” - Influencer
“European law offers more default protection to citizens and more clarity on data ownership than the US. Since US law does not so clearly define these matters, the only recourse to Europeans traveling or doing business with US company is the right to sue for avoidable misuse.” - Nick Selby, StreetCred Software
“Sure. If they can show US law was somehow transgressed.” - Influencer
“Yes, but Europeans should not expect that they will have broader access to information about the intelligence activities of the US government than Americans do – or than they have at home with their own governments.” - Influencer
“Yes, with the caveat that there is an international standard for ‘misuse.’” - Influencer
“For clarity, the right to sue in US courts assumes a number of facts, including whether the defendant is within the jurisdiction of US courts and violated a US law.” - Influencer
“At heart of the question is whether privacy is a human right. If yes, the right to sue. If no... we should have fundamental questions about interpretation of the Constitution.” - Influencer
“No. And ‘no’ for all forms of cross-border arbitrage of statutory law.” - Dan Geer, In-Q-Tel
“No, no more than US citizens should have the right to sue in European courts, when the French, German or any of numerous other national intelligence services use and/or abuse data about US citizens.” - Influencer
“This would require ratification of law that allows US companies to be strictly responsible for every privacy law whim of every other country. A better approach would be a single Internet wide ratified legal framework rather than the patchwork of country and state privacy laws that are a huge burden on businesses.” - Influencer
“Let’s get the more basic extra-territorial stuff right first, and then work on this one.” - Influencer