On 13 November 2015, terrorists conducted simultaneous attacks at several locations in Paris, leaving more than 130 people dead. The French government responded by enacting a state of emergency, which allows the agencies of the government to search homes without warrants and block websites.
There’s no doubt that extraordinary measures are called for – and the French government’s efforts have already paid off. A number of terrorists have been caught and other attacks probably prevented.
But will these extraordinary measures extend to data privacy? Will the French government soften its stance on data protection in impending legal battles with the US? And will they allow US authorities to violate French data protection laws, in the hope of reducing the threat of terrorism?
There are two reasons to believe the French government will do just that: The French government has already allowed the US government to infringe privacy laws in France. French banks operating in the US regularly provide the US tax authorities with information on the French bank accounts of US citizens living in France. And French and other European governments rely on data collected by US agencies, such as the CIA and the NSA, to track terrorists.
In the final analysis, when it comes to the eternal balancing act between individual liberties and the common good of society, France reacts no differently from the US to terrorism. Less than a week after the 13 November terrorist attacks in Paris, the French newspaper Le Figaro and radio station RTL conducted a survey, in which 84% of the respondents expressed a willingness to accept higher surveillance in exchange for greater security.
The present state of data privacy in France – with the European Court of Justice’s recent wranglings over the EU-US Safe Harbour agreement in the run-up to the expected passing of the EU General Data Protection Regulation (GDPR), an overhaul of European data protection – owes its existence to events over 30 years ago.
Origins of data privacy in France
In 1978, France enacted the Loi Informatique et Libertés legislation to protect citizens’ privacy. This wasn’t created out of the blue; it was created in reaction to a secret interior ministry project, started in 1973, which aimed to identify individuals by cross-analysing electronic files. Once this project was revealed to the public in a 1974 article in the French newspaper Le Monde, it took the French government four years to pass legislation to protect citizens against the invasion of their privacy. It was one of the world’s first data protection laws.
The legislation proved solid and most of the Loi Informatique et Libertés is still intact today. French Prime Minister Manuel Valls said the fact that the law has lasted so long “explains how particularly sensitive French people are to the issue”.
Some years later the European Union (EU) passed laws around data protection, and the US was deemed an unsafe territory for European companies to transfer data to. Companies that transferred data to such unsafe territories would be acting illegally, and could be fined as much as €150,000 in France.
In 2000 the US reacted through the US Department of Commerce by proposing the Safe Harbour Framework to the EU. The EU and the US Department of Commerce reached an agreement on the Safe Harbour Framework, under which companies would self-certify. Self-certification amounts to companies looking over the rules making up the framework, and confirming that they do indeed follow those rules. They would then be added to the list of 5,000 or so US companies that adhered to the Safe Harbour Framework.
ECJ throws out Safe Harbour agreement
Google, Amazon, Microsoft, and all the other US data giants self-certified. Why shouldn’t they? All they had to do was to claim they comply with the rules – and in the event that they were found not to comply, the US Department of Commerce would fine them up to $16,000 a day. These sanctions were never very frightening to the biggest cloud providers.
Not surprisingly, the Safe Harbour Framework didn’t stand up in the European Court of Justice (ECJ). In October 2015, the framework was struck down by the ECJ on the grounds that the US authorities are under no obligation to comply with the agreement. So no matter what the framework says, companies that choose to have their European customer data stored in the US are doing so in violation of European laws.
The EU and the US government are now scrambling to come up with Safe Harbour 2.0 by January 2016. The trouble is, any agreement they reach will still be in conflict with US laws that require US companies to turn over data to the US government on request.
The US Patriot Act
How did freedom-loving US citizens come to accept such an infringement on their privacy? Like any other people in the world, when they feel threatened from outside, Americans are willing to loosen the reins on the government in the hope that it will protect them from evil. In the US, loosening the reins on the government took the form of the US Patriot Act, which made it easier for agencies such as the CIA and the NSA to collect electronic data on anyone they want.
After October 2015, when the ECJ rejected the Safe Harbour Framework, it was already clear that the US and EU governments were heading for legal battles. But this was no surprise to anybody who had taken a close look. Several years ago, Primavera De Filippi, a researcher at the CERSA/CNRS in Paris, noted that “several provisions of the Patriot Act are known to clash with various aspects of European data privacy laws insofar as they allow for US authorities to legally request access to foreign personal data stored or transferred in to the US”.
In the end, the anticipated provisions of the GDPR – expected to pass into law by the early part of 2016 – and its anticipated clash with the demands of the US Patriot Act look set to subordinate the instincts of the French government about trading off data privacy to reduce the threat of another series of co-ordinated terrorist attacks on French soil.
The French government may well carry on turning a blind eye to isolated cases of conflict – such as with French banks operating in the US – where it proves expedient. But one of the notable distinctions between the GDPR and the previous European data protection directive lies in the fact that it will not be subject to interpretation by individual member states’ governments when passing into sovereign law.