Skip to main content

Time for US businesses to consider an anti-surveillance pledge?

Phil Lee
Breakdown of trust is a terrible thing that often has negative and unpredictable consequences, not just for those directly involved but also for those inadvertently caught up in the ensuing fall-out:

Breakdown of trust is a terrible thing that often has negative and unpredictable consequences, not just for those directly involved but also for those inadvertently caught up in the ensuing fall-out: for the friends who are forced to choose sides when a relationship breaks up, for the children affected when a marriage breaks down and, yes, for the businesses harmed when transatlantic trust between two great economic regions falls apart.

Because, when all is said and done, the recent collapse of Safe Harbor is ultimately attributable to a breakdown in trust.  Whatever legal arguments there are about data export "adequacy", Europe has fundamentally lost trust in the safe handling of European citizens' data Stateside.  The resulting panic was inevitable - international conglomerates worry about their regulatory compliance, US supply-side businesses realize that there is now no effective legal solution for their lawful handling of data, and regulators move to calm in threatening tones that they will not take enforcement - for the time being.

Which leaves us all in a quandary.  Businesses must by necessity start putting in place a patchwork of legal solutions designed, if not to achieve compliance, then at least to manage risk, but many of these solutions will not be officially recognized either by law or the regulatory community (how exactly should US processors lawfully onward transfer data to sub-processors?).  Consequently, these solutions - while necessary in an environment where no alternatives exist - will likely fuel further legislative and regulatory speculation that companies are working around data protection rules, rather than with them.

But when compliance becomes impossible, so everyone becomes a criminal.  Think of it this way:  if you tax me at 40%, I will pay.  But tax me at 90% and I simply can't afford to, so won't - no matter how much I may believe in the principle of taxation or want to be a law-abiding member of society.

An anti-surveillance pledge to restore trust

So where does that leave us?  The real dialogue to have here is one around restoring trust.  This is absolutely critical.  And that is why all businesses - especially US businesses right now - must consider taking an anti-surveillance pledge.

What does an anti-surveillance pledge look like?  It takes the form of a short statement, perhaps no more than two or three paragraphs in length, under which the business would pledge never knowingly to disclose individuals' data to government or law enforcement authorities unless either (1) legally compelled to do so (for example, by way of a warrant or court order), or (2) there is a risk of serious and imminent harm were disclosure to be withheld (for example, imminent terrorist threat).  The pledge would be signed by senior management of the business, and made publicly-available as an externally-facing commitment to resist unlawful government-led surveillance activities - for example, by posting on a website or incorporation within an accessible privacy policy.

Will taking a pledge like this solve the EU-US data export crisis?  No.  Will it prevent government surveillance activities occurring upstream on Internet and telecoms pipes over which the business has no control?  No.  But will it demonstrate a commitment to the world that the business takes its data subjects' privacy concerns seriously and that it will do what is within its power to do to prevent unlawful surveillance - absolutely: it's a big step towards accountably showing "adequate" handling of data.

The more businesses that sign a pledge of this nature, the greater the collective strength of these commitments across industries and sectors; and the greater this collective strength, the more this will assist the long, slow process of restoring trust.  Only through the restoration of trust will we see a European legislative and regulatory environment once more willing to embrace the adequacy of data exports to the US.  So, if you haven't considered it before, consider it now: it's time for an anti-surveillance pledge.


Sign up to our email digest

Click to subscribe or manage your email preferences.