For some time, the European Commission and European Data Protection Authorities (DPAs) have complained that US law provides insufficient protection to Europeans for the data that is shared from Europe to the United States. This is important to Europeans and to people around the world who use wildly popular services based in the US, like Facebook, Gmail, and Twitter. The European Commission has made some level of parity a condition of data exchanges with the US in the criminal context, and as a result, Congress is considering the Judicial Redress Act to extend some Privacy Act protections to that data flow. Though the bill is only a small step forward, US companies have embraced it and Congress seems poised to adopt it.
Ironically CISA would increase the gap in data protection between Europeans and Americans in US law, rather than help close it.
Ironically, different legislation that the Senate just passed, CISA, or S. 754, would increase the gap in data protection between Europeans and Americans in US law, rather than help close it. CISA permits companies to share with the Federal government “cyber threat indicators” (CTIs) derived from Internet users’ communications. It requires companies and the Federal government to remove from CTIs personally identifiable information (PII) that they know is not directly related to a cybersecurity threat. Senator Wyden (D-OR) proposed an amendment to the bill that would require notice to a person whose PII was shared inappropriately under the bill.
Instead of accepting Senator Wyden’s approach, the bill managers changed the amendment from a privacy victory for all to a privacy victory just for Americans. They made it so that non-US persons (everyone but US citizens and residents) get no notice when the Federal government shares their PII illegally under the bill, but required such notice to US persons.
Notice to the victim of a privacy abuse discourages such abuse. If it is possible to give such notice to Americans, it should be possible to give the notice to anyone whose PII is shared unlawfully. Instead of moving toward data protection parity between Europeans and Americans, the bill furthers the disparity – and it does so for no good reason.
The House cybersecurity bill includes no such disparity. Unfortunately, that is because it imposes no duty to give notice of privacy violations to anyone at all – not to Americans nor to anyone else. One can only hope that when the bills are reconciled, this will be corrected to ensure that when anyone’s personal information is shared illegally under the cybersecurity legislation, they are told about it.