Category: Safe Harbor

U.S. Dominance Over International Communications: A Status Report

Two stories jump out this week. One concerns the Internet’s coordinating mechanism, the other the pact that enables European data to be sent to the United States.  Seemingly discrete, at a deeper level they are organically connected. The underlying issue is whether challenges to U.S. power over the system of international communications will intensify – or be shunted aside.

We have written before about the “Safe Harbor” agreement, which had governed data- transfers between Europe and the U.S. and which was struck down by the European Court of Justice three months ago because it did not offer sufficient guarantees that Europeans’ personal data were protected from eavesdropping by U.S. intelligence agencies.  Would a new pact be devised, incorporating Europeans’ demands to strengthen privacy protections? What kinds of guarantees would be supplied?

An answer is now at hand. Although the prescribed negotiating deadline passed without agreement, two days late a deal was announced.[1] The US firms escaped the obligation to store their data in European lands; while, a new “EU-US Privacy Shield,” the European Commission declared, “will provide stronger obligations on companies in the U.S. to protect the personal data of Europeans.” U.S. companies wishing to import personal data from Europe “will need to commit to robust obligations on how personal data is processed and individual rights are guaranteed.” The U.S. Department of Commerce will monitor that companies publish their commitments, which makes them enforceable under U.S. law by the US Federal Trade Commission. In addition, “any company handling human resources data from Europe has to commit to comply with decisions by European Data Protection Administrations.” E.U. citizens will have access to an ombudsman located in the United States. And, “for the first time, the US has given the EU written assurances that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms. These exceptions must be used only to the extent necessary and proportionate. The U.S. has ruled out indiscriminate mass surveillance on the personal data transferred to the US under the new arrangement.”[2]

We will need to see during the months ahead just what level of protection the “Privacy Shield” actually offers. What’s interesting, though, is that considerable effort needed to be expended to reach even such a seemingly minimal agreement as this.  Intense negotiations were conducted at the World Economic Forum in Davos, involving both governmental functionaries and trade groups. Satya Nadella, the CEO of Microsoft, editorialized that the Safe Harbor agreement – with its guarantee that corporations may transmit personal data from jurisdiction to jurisdiction – must be supplemented with “additional agreements, that enable privacy rights to follow data around the world.”[3]  Google, by appointing as head of its global policy unit a onetime Obama Administration negotiator known for her calm, conciliatory style, reportedly was “burying its confrontational stance” in favor of more moderate international diplomacy.[4]  Facebook publicized a report that it had commissioned, to emphasize disingenuously that the U.S. had actually become more “privacy friendly” than Europe.[5]  Transatlantic data flows are simply too important to be left to the lower echelons.

Still, the data-hogging transnationals are not yet in the clear.  Europe’s national privacy regulators are slated to release their own decision tomorrow, February 3d, on how data should be moved between the two regions. And a clamor that the EC had sold out 500 million Europeans is already audible. It is possible that some nations’ data protection authorities will prove more vigilant than their colleagues in the Commission.  Thousands of U.S. companies, rooted in every sector, will be watching – eagle-eyed, we might say. No matter which way tomorrow’s decision goes, transborder data flows will still continue to constitute a crucial point of vulnerability for corporate capital.

Read more

Transborder Data Flows

Available in Spanish. Kindly translated by Daniel Urbina

Early in October, Europe’s highest court invalidated the 15-year-old “safe harbor” – an international agreement that the European Union had negotiated with the United States to loosen the EU’s Data Protection Directive of 1995[1] so that it would allow companies to transfer personal information in digital form from the European Union to the United States.[2]  Is the European Court’s judgment a fundamental change in networking policy – a full stop – or merely a comma?

This is actually a longstanding structural conflict that has reignited. Its beginnings go back nearly half a century – when transborder flows of computer data [TDF] threatened to become a point of sharp conflict between the US, Europe, and often newly independent countries of the then-Third World.

By the mid-1970s, TDF was simultaneously controversial and – for U.S. big business and military agencies – irreplaceable. In 1981, Herbert I. Schiller showed, a few thousand large corporations possessing foreign direct investments outside the United States and (two-thirds of them, anyway) headquartered within the U.S. – relied on “a continuously swelling volume of data flows circulating inside [their] corporate business structures across national boundaries.”[3] Based in all economic sectors, these companies used early computer communications networks to transmit data concerning such things as “raw material stocks, production schedules, quality control, personnel records, tax and legal information, currency transactions, profit repatriation, and investment decisions.” As Schiller underlined, TDF helped to enable the largest corporations both “to transact their global business and further integrate the internationalization of capital.”[4]

A second source of TDF was the U.S. military and its allies. “The ability of American companies to operate on a global scale and enjoy the benefits of worldwide resource and market exploitation,” Schiller explained, “would be unimaginable without the full backup of a concentrated military power, ready for instantaneous deployment and intervention.”[5] Military and intelligence agencies depended on networked TDF to operate bases around the world; to implement attacks; and to conduct increasingly widespread surveillance.

There existed no definitive inventory of TDF; even partial views were highly inexact, for  the data that streamed across jurisdictions remained shielded. How much data was being sent over the private telecommunications circuits that carried most of it?  What portion of TDF was made up of operational and administrative business data? What part of the total was comprised of personally identifiable information?  What were the companies doing with all of “their” data? States did not deign to find out. The absence of meaningful public documentation bespoke an underlying power imbalance. Big companies successfully insisted that policymakers should not peer too closely at TDF, out of concern that such investigation might lead to calls for greater accountability – which in turn might constrain the operations of their profit-projects.

TDF not only conferred power on corporate capital but also, paradoxically, established a new point of vulnerability for it.  Interruptions and oversight requirements both endangered the political economy that was being reconstructed around computer-communications. Physical threats emerged when an earthquake or even the drag of a ship’s anchor engendered a break in the submarine cables over which data coursed; however, far more menacing for big business were political threats, emerging in initiatives that aimed to restrict the content of TDF, or charge according to the volume of data sent, or oversee TDF in the interests of self-government. Read more