Opinion It has been seven years since Edward Snowden exposed the level of surveillance by US intelligence agencies that one might have rather expected from totalitarian countries. Petabytes of private or company data – no matter from which country – are made available to US authorities by default without suspicion or a court decision.
While little is known publicly about current practice, it would certainly be more than surprising if the powers and capabilities of the US authorities had been reduced under the Trump administration. A survey by GMX last year revealed that 73% of British internet users mistrust U.S. companies over data protection concerns. The figure is twice that of a similar survey in 2015 which showed that only 35% had such concerns. Eight percent have actively left a US online service within the last twelve months and 11% are planning to do so.
The death of Privacy Shield
In spite of the growing distrust in the population, it seemed as if local and European politicians had resigned themselves – out of powerlessness or in the interest of cooperation – to the fact that every US company without exception has to hand over all user and company data obtained worldwide to the US secret services. Not so Max Schrems and the European Court of Justice, which ruled last month to overturn Privacy Shield – as they had done a couple of years before with its precursor, Safe Harbor. As a result, Europe in 2020 is once again faced with no viable solution for international data transfers to the United States and especially to US-based companies.
And the heart of the problem is quite obvious: GDPR (General Data Protection Regulation) clearly stipulates that the data of European citizens must be protected regardless of its location and prohibits European firms from transferring personal data to overseas jurisdictions with weaker privacy laws. In other words, it was exactly what Privacy Shield failed to do; hence why the highest European Court ruled it illegal.
The US does not have its own direct equivalent of the GDPR, and its data protection standards are regarded as lower. What’s more, the US CLOUD (Clarifying Lawful Overseas Use of Data) Act (H.R. 4943) serves as another red flag for individuals concerned about their data in the US. In direct contrast to the GDPR, which seeks to protect personal data, the CLOUD Act effectively erodes data protection by allowing US federal law enforcement agencies to compel US-based technology companies to provide requested data stored on their servers, irrespective of whether the data resides within the US or not. In other words, even if you choose to store your data on GDPR-compliant servers in Europe, if the data is stored by a US company, it can still be handed over to US authorities.
Would you still be comfortable giving your data to US companies in Europe, knowing this law exists? The European Court of Justice had a clear answer to this question and confirmed the discomfort of 73% of Great Britain’s internet users.
How can Europe win the digital race?
Besides the two legal failures of Safe Harbor and Privacy Shield, the last ten years have not been particularly good for the digital economy in Europe in general. The global digital industry is dominated by US and, increasingly, Far Eastern companies.
Google dominates the search, browser and mobile OS market; Facebook leads the social media landscape; Amazon took over online retail and Apple built an increasingly closed digital ecosystem within its consumer devices and services. In parallel there is China with its native (and often state-supported) equivalents of many of the above-named companies and services (Baidu, Huawei, Alibaba, TikTok) taking market share at a high pace. Europe may have a thriving technology sector, but none of its homegrown companies has reached the global scale where it can set the standards for the global digital economy.
With little dominance in the global digital industry to drive new standards, and with Privacy Shield dead in the water, what are Europe’s options going forward?
Option 1: Third time lucky? Should Europe make a third attempt to construct a data agreement or use standard clauses to weave a construction between European Court rulings and European law? The durability of such a route would likely be limited, as the European Court of Justice has, as a precautionary measure, already made it clear that European data may only be exported if the importer’s data protection and, above all, official access, is regulated as strictly as in Europe (any agreement cannot conflict with GDPR for example).
This means that either the United States would have to raise its level of data protection regulation to the GDPR levels – or the GDPR would have to be lowered to the US level. Since both seem unlikely, any successor or alternative model would certainly be history in three to four years.
Option 2: Go our separate ways? Europe will need to recognise that with the continuing divergence of legal opinions on both sides of the Atlantic, no data transfer arrangement that satisfies the European Court of Justice can be made. So, there will be no alternative to building its own solutions.
As a first step in the catch-up race, Europe will have to create a level playing field. As all digital infrastructure except for networks is in the hands of dominant US players, Europe has to make sure that components like operating systems, app stores, and browsers act one hundred percent neutrally and do not abuse their position by pre-installing their own services, charging fees and setting their own rules of play. As the attempts to regulate players like Google took such a long time – and, besides a couple of billion euros in fines, did not have any effect on the market – Europe urgently needs a legal basis to secure access to digital platforms, especially those that have infrastructural character.
As that alone does not generate European alternatives, the question is how one could build relevant competition. Copying a solution from the aviation industry and merging European internet companies into an “internet Airbus” would barely make sense as the synergies between eCommerce, music streaming, email and food delivery would be very limited. The only option is to push open standards to generate synergies within and across industries, and invest heavily to build up competitors that differentiate themselves in the European B2C and B2B markets by keeping European data in Europe.
Between a rock and a hard place
Following option one to try to find another legal construction would likely end up in the same legal and strategic dead end. So, it looks like Europe will have to go the hard and costly way of option two. Europe’s digital companies will need to work fast to agree on the necessary open standards to foster competition. At the same time, politicians will need to act just as quickly to ensure these new legal frameworks are presented as a viable alternative to those dictated by US and, in the future, Chinese companies. Only by investing in Europe’s own digital industry and promoting open standards would European digital companies have a chance.
A knee-jerk reaction might be to say that creating a European internet industry with data kept in Europe would mean too much change, would be too costly, would take too long and would lack the technical prerequisites. The same would have been said about the idea to have 95% of office jobs moved to home office a couple of months ago – anything is possible if the pressure and willingness are high enough. Come on Europe, it is time to get moving.