Safe Harbor ruling may hamper US law enforcement overseas
U.S. law enforcement agencies could have a tougher time operating in the European Union after a bombshell court ruling struck down a key data transfer agreement between the two governments.
“The restraints that exist now are going to make it much harder for lawyers to respond to a court order in the United States when the information involved implicates foreign affiliates and subsidiaries in the European Union,” says Christopher Swift, a former official with the Treasury Department Office of Foreign Assets Control and current national security professor at Georgetown University.
The European Court of Justice ruled Tuesday that the so-called Safe Harbor agreement, which allowed firms to legally transfer European citizens’ data across the Atlantic, was invalid in light of what the court deemed insufficient U.S. privacy protections.
Privacy advocates have hailed the decision as a huge step forward in bringing the U.S. in line with the EU, which treats data privacy as a fundamental right under the law. Businesses have decried it as an unnecessary and damaging barrier to cross-Atlantic trade.
Some critics argue that the ruling comes with a more serious unintended consequence: Law enforcement agencies that operate overseas, like the Department of Justice and the FBI, may have a tougher time acquiring the data they need to investigate cases involving European citizens.
“If I have an investigation in Europe, I can’t move any data, even if it’s to respond to a subpoena against a client here in the U.S.,” Swift said. “My ability to move data from the European Union back to the United States so I can evaluate it as a U.S. lawyer and respond to a Justice Department subpoena is substantially curtailed,” Swift said.
Under a kind of agreement called a Mutual Legal Assistance Treaty (MLAT), U.S. law enforcement can ask a particular country for assistance gathering information in criminal investigations.
“There are provisions in the Mutual Legal Assistance Treaty that the requested state may deny a request if it’s contrary to important public policy,” said Kenneth Rashbaum, a partner at Barton LLP who specializes in privacy and cybersecurity.
“The clear references and sentiment in the [Safe Harbor] decision may influence local authorities when they are faced with a Mutual Legal Assistance Treaty request,” Rashbaum said.
The issue is particularly pressing given that the Department of Justice is currently planning to embed a prosecutor within the European Cybercrime Centre (EC3) to better combat hackers, who often strike the U.S. from across the Atlantic.
“We look forward to assessing together whether this should be a permanent arrangement in the future,” Attorney General Loretta Lynch said in September.
The FBI has already placed new permanent Cyber Assistant Legal Attachés in foreign offices, including London.
The placements are part of a burgeoning partnership between law enforcement from the two governments that has already born fruit:
In July, the two teams brought down the elite underground hacking forum known as Darkode. Last November, a joint effort busted 400 websites accused of selling illegal goods and services on an online black market.
But it’s not just Dark Web hackers that U.S. prosecutors may struggle to investigate overseas, Swift says.
He points to a much more high-profile example: Volkswagen.
Last month, the EPA accused the German automaker of including software in some diesel vehicles that gamed emissions requirements, making it look as if the cars were complying with federal standards when in fact they were not.
Swift noted that while the vehicles may have been made in the U.S., the executives “making the decisions about whether to put the dodgy software into the cars” are in Germany.
A multistate subpoena was issued last month in the Volkswagen investigation.
“I think there is going to be some impact [on the VW investigation],” Rashbaum concurred. “Germany is one of the strictest countries in Europe on data protection and privacy. The German authorities may well default to their own privacy law.”
European regulators tried to reassure U.S. groups that organizations seeking data transfers across the Atlantic will still be able to gain access to needed information through avenues other than Safe Harbor.
“The EU data protection rules provide for several other mechanisms that provide safeguards for international transfers of personal data,” Vĕra Jourová, the European Commission’s commissioner for justice, consumers and gender equality, said following the decision. “For instance… important public interest grounds, such as cooperation between authorities in the fight against fraud, cartels and so on.”
For some, Jourová’s comments were sufficient to indicate that the Commission will work to ensure the decision doesn’t impede law enforcement efforts.
“I think the Commission addressed [law enforcement fears] by talking about some of the other legal bases for transfers, like public interest,” said Cameron Kerry, senior counsel at Sidley Austin and formerly the chief international negotiator for privacy and data regulations at the U.S. Department of Commerce.
“I interpreted that as alluding to those transfers,” he said.
Others were less convinced.
“Our national security is also under threat, as the elimination of transatlantic information sharing agreements could ultimately threaten the law enforcement cooperation that helps keep Americans safe,” Sen. Chris Murphy (D-Conn.) said in a Thursday statement.
The most likely outcome, Rashbaum suggests, is that European data protection authorities and law enforcement agencies will demand that U.S. requests for data be more narrow in scope.
“I think they’re going to ask for — and many countries laws specifically require this — that there be much more specificity,” Rashbaum said. “There’s going to be pushback. [EU agencies will say] ‘unless it’s a serious national security issue, don’t cast the net so widely. Doing so violates our fundamental principles of privacy. Give us more specifics about what you need.’”