Apple Inc.’s fight with the US government over whether it can be forced to help unlock an iPhone has spilled across borders, threatening to delay a trans-Atlantic pact protecting European data from American eyes.
National regulators from across the European Union promised to give their verdict next month on the so-called privacy shield deal, which toughens EU protections where the United States is involved. The Apple case is raising concerns that the new plan doesn’t go far enough, regional politicians, officials and lawyers said. That in turn could mean more deliberation and push back the completion date.
Data-protection regulators will probably “be thinking about the FBI’s demands on Apple when reviewing the viability of the shield and its level of safeguards,” said Wim Nauwelaerts, a privacy lawyer at Hunton & Williams in Brussels.
Europe has traditionally had tighter protections for personal data than the US, and revelations by Edward Snowden showing the extent of American security agencies’ snooping into communications overseas have exacerbated tensions between the two regions. The EU was already struggling to garner support to ratify the shield when the fight between Apple and the FBI began last month and raised awareness of how far law enforcement can go to get around people’s encryption and security devices.
Last month’s draft deal setting up the shield was designed to ensure European users’ data is safe from access in the US when companies ship it across the Atlantic for commercial reasons.
The EU heralded the agreement, saying that, for the first time, the US gave it binding assurances that law enforcement and national security would have strictly limited access to Europeans’ data. Among the proposed commitments was the creation of a special ombudsman in the State Department who would follow up on complaints and inquiries by individuals about data access.
The EU and US were forced to the negotiating table after the EU’s highest court in October struck down a previous 15-year-old pact, called safe harbor, for failing to offer sufficient safeguards against security services.
The EU court found “that the access that US authorities had to EU citizens’ data was too easy,” said Paul Bernal, a legal scholar at the University of East Anglia in England. If Apple loses the fight with the FBI and “authorities can effectively backdoor phones, that makes this access even easier.”
Viviane Reding, the EU’s former justice commissioner, said a recent case involving American demands for access to Hotmail messages held on Microsoft’s Irish servers shows that Europeans are right to be wary of the US.
Soon after the EU and US heralded a separate deal last September on data privacy in law enforcement cooperation, “the US Department of Justice argued in front of a US Federal court to bypass existing legal frameworks between Europe and America,” she said. “That was the Microsoft case. This doublespeak is just terrible. Here we do have exactly the same problem with the Apple case.”
While the privacy shield gives Europeans stronger protections in some areas, said Reding, who is now a member of the European Parliament, “when it comes to the intelligence services, the text is the same as it was when I left office in 2014.” On bulk data collection, she said new exemptions have been added.
The European Commission, which led negotiations with the US, insisted that the questions related to the Apple case aren’t comparable.
“The whole concept of the shield in relation to national security and law enforcement is to set out clear limitations and safeguards to what might be technically feasible for US authorities,” said Christian Wigand, a spokesman for justice policy. “And we will of course hold the US accountable to these strong commitments made through a monitoring and review system put in place through the shield.”
Still, some regulators in the EU say the Apple case, and the issues at stake, make it harder to rebuild lost confidence about data privacy.
“We are concerned about a global backlash in user trust, if companies can be forced to issue weak security versions of their products,” said Jacob Kohnstamm, head of the Dutch data protection authority, who sits on the panel of national officials known as the Article 29 Working Party.
While the Apple case has triggered a storm of controversy, the focus may quickly shift to EU nations, including the UK and France, which are also grappling with how to deploy technology to take on Islamist terrorists and hostile states without trampling on civil liberties.
The UK’s Investigatory Powers Bill – dubbed the “Snooper’s Charter” by its critics – will give the country’s spying services the power to look at browsing histories of suspected criminals once a senior government minister and a judge have signed a warrant.
A revised version of the bill will force Internet and phone companies to collect and store customer data and allow intelligence agencies to remotely access smartphones and other devices when permitted.
“There are major concerns remaining on bulk collection, mandating back doors and Internet collection records,” said Emily Taylor, an associate fellow in International Security at Chatham House in London. “It is also difficult to reconcile” with recent EU court rulings “and the direction of privacy shield.”
One of Britain’s top spy chiefs, Robert Hannigan, weighed into the debate in a speech at the Massachusetts Institute of Technology on Monday, insisting he was neither “in favor of banning encryption” nor “asking for mandatory backdoors.”
Security agencies need a new relationship with the tech sector, academia, society and government agencies, said Hannigan, director of Britain’s Government Communications Headquarters, or GCHQ. “We should be bridging the divide, sharing ideas and building a constructive dialog in a less highly-charged atmosphere.”
After helping prosecutors unlock at least 70 iPhones, Apple last year stopped cooperating and said the company would no longer serve as the government’s helper. Apple claims its US case could set a precedent and threaten other users by creating a program that will let the FBI get around the phone’s encryption.
Apple has already gained the backing of some of the industry’s biggest names, including Google parent Alphabet Inc., Facebook Inc. and Microsoft Corp.
Microsoft President Brad Smith said earlier this month that encryption is the most important technology to ensure security and that “the path to hell starts at the back door.”