A broad industry coalition is lobbying the European Union to strike out part of an impending privacy law that could force companies to deny requests for personal data from non-member countries.
Negotiators from EU institutions are hammering out the General Data Protection Regulation (GDPR), the biggest reform of privacy law in Europe in the past two decades.
A small section, Article 43a, says companies should not always comply with requests from courts, tribunals and administrative authorities in non-EU countries for the personal data of Europeans. The only exceptions would be under law enforcement treaties or relevant agreements between those countries and the EU, or individual European countries.
The Parliament of the European Union added this exclusion to the draft in the wake of Edward Snowden’s 2013 surveillance disclosures. It is informally referred to as the “anti-FISA” clause, in a nod to the American Foreign Intelligence Surveillance Act that authorizes much of the U.S.’s international surveillance activities.
The controversy over Article 43a is emblematic of a core and perpetual Internet conundrum: services simultaneously operate across scores of jurisdictions and must somehow comply with the laws of each one, though they may often clash.
The clause could create a quagmire for companies: They may be ordered by a court in one jurisdiction to hand over the data of EU citizens, but forbidden by the EU to comply, according to the Industry Coalition for Data Protection (ICDP), which represents everyone from Apple and Google to Intel and AT&T.
The coalition sent a letter this week to Justice Commissioner Věra Jourová, parliamentary rapporteur Jan Philipp Albrecht MEP, and the Luxembourg presidency of the Council of the EU — the key representatives of the three institutions that are currently negotiating the regulation’s text.
The letter from ICDP said that adopting a “unilateral approach” would create deliberate conflicts of law and severely undermine “both the principles of reciprocity in diplomatic relations as well as the credibility of the EU data protection reform.”
The coalition also warned the clause’s inclusion may lead other countries to enact similar provisions, putting EU companies operating in those countries in a bind when EU authorities demand international customers’ data.
The trade group suggested the issue should instead be dealt with in the regulation’s accompanying data protection directive, which deals specifically with law enforcement issues. Directives give EU countries more leeway for levels of enforcement than regulations do.
National data protection authorities should not be tasked with authorizing data transfers to non-EU countries, as the clause also states, ICDP argued.
Albrecht, the parliamentary rapporteur and a key supporter of the clause, appeared unmoved by their plea.
“If a Chinese court, for example, orders that any London-based financial actor should send out all the financial details and personal data of its European client to the Chinese authorities, then the EU cannot just say, ‘Yeah, let’s do it and ignore European law.’ That’s impossible,” he told POLITICO. “It only means something if there’s also an agreement or a corresponding provision in European law.”
Commissioner Jourová noted that “many stakeholders have given their views on the data protection reform” and negotiations were still on track to be wrapped up by year-end.
“The Commission wants the new rules to guarantee that EU citizens’ data are protected by strong safeguards. The regulation will at the same time provide businesses with more legal certainty,” she promised.
The Council, which represents EU countries, has not included the clause in its preferred text for the regulation.