How Both the Eu and the U.S. Are "Stricter" Than Each Other for the Privacy of Government Requests for Information

Abstract

Law enforcement access to personal data presents a paradox at the heart of debates between the European Union (EU) and the United States about privacy protections. On the one hand, the comprehensive privacy regime in the EU contains many requirements that do not apply in the United States-the EU is "stricter" than the United States in applying requirements that do not exist in the latter. On the other hand, the United States also sets requirements that do not exist in the EU, such as the Fourth Amendment requirement that a warrant be signed by a judge upon a finding of probable cause. Thus, both are stricter in important ways when setting standards for law enforcement access to personal data. The fact that both sides are stricter in significant respects is important to two distinct topics: how to reform the system of Mutual Legal Assistance (MLA), and whether the United States provides "adequate" protection for personal data under EU law, and thus is an appropriate destination for data flows from the EU.The relative strictness of standards for law enforcement access is central to understanding current obstacles to reforming the MLA system, the mechanism for sharing law enforcement evidence held in one country for use in criminal investigations in a different country. Our research team has been writing a series of articles about MLA reform.1 The topic has become increasingly important in recent years-globalized communications mean that e-mails, social network data, and other evidence for criminal investigations are often held in a different country. In the course of studying obstacles to effective reform, we have come to believe that the fact that both the EU and the United States provide stricter privacy protections is salient but little understood-each side is reluctant to compromise on a new approach to the extent that there would be a weakening of some specific safeguards that currently exist in their respective jurisdictions. We hope that a fuller understanding of the relative strictness of both sides will enable a more fruitful discussion of possible paths to MLA reform.The relative strictness of both the EU and the United States is also important to a second topic, the current litigation and debates about whether the United States provides "adequate" protection of privacy, and thus is a lawful destination for flows of personal data from the EU.2 Under the EU Data Protection Directive, which went into effect in 1998,3 transfers of personal data from EU Member States to other countries, such as the United States, are generally permitted only if the recipient jurisdiction has "adequate" protections.4 From its negotiation in 2000 until 2015, a major legal basis for such transfers was the EU/U.S. Safe Harbor, under which participating companies could lawfully send personal data to the United States.5 In 2015, the European Court of Justice struck down the Safe Harbor for lacking adequacy in Schrems v. Data Protection Commissioner.6 A related transfer mechanism, the standard contract clause, is now facing a similar legal challenge in Ireland, and the Irish Data Protection Commissioner has preliminarily found the challenge to be "well founded."7 In addition, the EU has recently approved two instruments that will go into full effect in 2018 and strengthen existing privacy protections: the General Data Protection Regulation (GDPR),8 which applies predominantly to private-sector processing of personal information, and a new Police and Criminal Justice Directive that governs law enforcement access to personal data.9 Both the GDPR and law enforcement directive have similar "adequacy" requirements for transfers of personal data.10 An accurate assessment of the adequacy of U.S. law enforcement access to information is thus vital to multiple aspects of current EU data protection law.Part I of this Article provides background for both MLA reform and the current adequacy debates. Part II highlights ways that the EU's comprehensive data protection regime creates privacy protections, including for law enforcement access, that are stricter than those applied to the United States. …