I’ve been critical of the claim that European privacy law offers more protection against government surveillance than American law. Apparently not critical enough. An Ars Technica reporter with a pro-privacy inclination decided to seriously investigate using a German email system to get the benefits of European privacy law.
His tale of disillusionment revealed three privacy deficits in European law that even I hadn’t noticed when I trashed the myth of European privacy superiority. First, unlike their US counterparts, German email providers are unable to issue transparency reports of the sort that US companies have been publishing:
“German law forbids providers to talk about inquiries for user data or handing over user data,” Löhr added. “We are currently investigating a possible way with our lawyer to issue a transparency report about questions from police like Google, Microsoft, and [many] other US providers do, but we can not promise we will be able to do so. We try hard.” Indeed, the German Telecommunications Act of 2004 (PDF) states very clearly, “The person with obligations shall maintain silence vis-à-vis his customers and third parties about the provision of information.” In other words, German communications services would be under a gag order by default.
Of course, given their other disadvantages on the government-privacy front, maybe European providers aren’t exactly eager to issue transparency reports. For example, in the US, authorities have to get a specific “gag” order to prevent subscribers from getting notice that their mail has been seized; while gag orders are common in the US, they often expire after a time and can usually be challenged. It appears that Europe simply doesn’t make disclosure an option. Silence, not disclosure, is the law’s default.
[A]n American provider could notify its customer that he or she is the target of a judicial investigation. Google has a user notification policy, for instance, that stands unless the court forbids it from disclosing that information. … German court orders, by contrast, appear to be sealed automatically.
And finally, it appears that European mail providers cannot challenge government discovery orders before turning over the data. In Germany and the Netherlands, the only jurisdictions the writer examined, providers turn over the data first, and then argue about whether they should have to do so:
Löhr also added that Posteo could challenge a secret court order after the fact, unlike in the case of the United States, where such challenges can be made before such a handover. “If we think the order was not right, we can complain afterwards—and we would do so,” Löhr told Ars.
The same is true elsewhere in Europe:
“There is an option to challenge that request [in the Netherlands], but only after it has [been] given the data,” Ot van Daalen, the director of Bits of Freedom, a Dutch digital rights group, told Ars. “A successful challenge leads to an order of the court to destroy the data. In the case of possible privileged communication, in practice the data is sealed in an envelope pending challenge and only opened after the data is deemed to be unprivileged by the court.”