Because they retained the agency's mass data collection, President Barack Obama's modest reforms to the National Security Agency will do little to help multinational corporations in their quest to quell the European Union's privacy concerns and water down the EU's dreaded data- protection overhaul, experts say.
In a Jan. 17 speech, Obama outlined several changes to the government's much-maligned domestic and foreign intelligence-gathering capabilities, including the imposition of restrictions on the NSA's ability to query Americans' phone records and the creation of safeguards that will extend certain data use and retention safeguards that protect U.S. citizens and individuals outside the country.
While the reforms scratch the surface of the privacy concerns prompted by former NSA contractor Edward Snowden's disclosures, the White House did not end the agency's bulk data collection efforts or implement additional safeguards to address Europeans' concerns over the security of their data. This leaves the door open for the EU to continue to push sweeping changes to its own privacy regime, which multinational companies have criticized as too restrictive, according to attorneys.
“The reforms certainly don't hurt, but the question is how much do they help multinational companies at this point in time,” said Jeremy Mittman, a Proskauer Rose LLP attorney and co-chair of the firm's international privacy group. “While they are a step in the right direction, they likely aren't signficant enough to persuade EU government officials to back away from their main concerns with the entire architecture of the U.S. data protection regime, as well as their displeasure with the bulk collection of EU citizens' personal data."
The EU has long refused to officially recognize the privacy regime in the U.S. as comparable to the level of data protection available in the bloc, and the European Commission has said that part of its motivation for floating a proposal in January 2012 to replace the bloc's data protection directive with a uniform and more stringent regulation was to ensure that multinational companies are applying the same privacy safeguards as companies that only do business in Europe.
Companies like Google Inc. and Facebook Inc. have mounted aggressive lobbying efforts to loosen many of the restrictions on the way that they are allowed to use and disclose consumer data. Their battle became tougher after the Snowden disclosures cast a harsh light on their sharing of user data with government agencies, and it was not helped by the vague changes to the spying regime laid out by Obama, attorneys say.
“Expect the EU data protection regulation to be rigorous in its expectations and enforcement with respect to U.S. compliance with EU privacy laws,” Cohen & Gresser LLP intellectual property practice chair Karen Bromberg said. “Until Congress passes specific laws to curtail the NSA’s programs, providing the EU with an adequate comfort level regarding U.S. compliance with its privacy laws is not likely to be achieved in the immediate future.”
EU policymakers have focused on tightening restrictions on the way that data is allowed to flow across borders, both inside and outside the proposed data protection regulation.
The European Parliament in October added a provision to the data protection regulation that would bar multinational companies from handing users' personal data over to authorities based outside the EU unless they received permission from local data protection authorities or showed the transfer comported with an existing data- sharing pact. Meanwhile, the European Commission released a report in December calling for the tightening of transparency and oversight mechanisms in the safe-harbor agreement that governs the transfer of data between the U.S. and EU.
The Federal Trade Commission last week moved to address the concerns raised in the commission's report by taking action against a dozen companies accused of fudging their adherence to the decade-old safe-harbor agreement.
While the safe-harbor enforcement action marks a step toward combating the increasing criticism from the EU about the integrity of the data-sharing arrangement, attorneys noted that it wouldn't do much to improve the fortunes of multinational companies because it fails to address the main focus of the EU's ire.
“I don't think that some of the critics will be satisfied by any safe-harbor reforms unless the bulk collection of data is ended, hence the lukewarm reaction [by EU officials] to the president's announced reforms,” said Morris Polich & Purdy LLP cyber, privacy and data security practice head Timothy Toohey. “In other words, there is a contingent that will unlikely be satisfied with any piecemeal enforcement or reform efforts.”
London-based Latham & Watkins LLP partner Gail Crawford agreed, saying that a shift in attitude by EU officials will require “a lot more than enforcement against 12 companies and the current proposals announced by Obama.”
The relatively narrow scope of the enforcement action is also likely to diminish the significance of the move, attorneys noted.
“The fact that these enforcement actions focused on procedural issues such as whether or not a company had updated its registration and not on substantive security issues means that it's not likely to have a major impact on how Europeans view safe harbor,” Davis & Gilbert LLP partner Gary Kibel said.
However, despite the shortcomings of the recent regulatory actions, attorneys noted that multinational companies could still point to the tightened restrictions in their ongoing efforts to shape the data protection reform, which likely won't be completed until the end of the year at the earliest.
“The reforms give multinational companies an argument to say Europeans' data is not being completely exposed and that there are some restrictions that the U.S. and government will be honoring,” Field Fisher Waterhouse privacy and information law group head Eduardo Ustaran said.
To counter the impact of the Snowden disclosures in the EU, companies should also continue to push for more leeway to disclose how they respond to government requests for user data, an effort that produced a favorable result for companies on Monday with the revelation that the government had agreed to allow them to reveal more of this information.
“The reality for multinationals is that these issues are not going to go away,” Wilson Sonsini Goodrich & Rosati PC of counsel Gerard Stegmaier said. “Until the cloud becomes the equivalent of a locked desk drawer at home, sunlight will continue to be the best disinfectant.”