Comment We have already witnessed how the US administration’s campaign against Huawei succeeded in reversing the UK government’s original decision to allow Huawei to participate in the UK 5G rollout. Even as questions are being raised about the necessity and the economic consequences of this ban, the US is now stepping up its campaign by focusing on Huawei’s cloud business as well. This comes as a strangely welcome distraction for US cloud players that have recently been found to all be breaking the EU’s data protection rules, by failing to protect EU personal data from US mass surveillance.
Huawei has had an enviable track record of almost 30 years supporting UK telcos during which no major security incidents had ever occurred – nor have vulnerabilities ever been found relating to Huawei equipment that have led to any security incident. While faults have been found in Huawei equipment, this is not uncommon – with all manufacturers issuing patches on a regular and sustained basis.The decision to ban Huawei from the UK 5G rollout decision was simply the result of a great deal of scaremongering and pressure from the US government.
Then again, it is not the US government that will have to foot the bill for replacing all the Huawei equipment, nor will it compensate the UK for the considerable financial impact that the decision will cause. Independent analyst firm Assembly Research reckons that a 3-year delay to the rollout of 5G could cost the UK economy as much as £18.2bn. On top of this the UK would lose its current competitive advantage and global leadership position in 5G. However, if the removal of Huawei equipment is brought even further forward, as has been threatened, to sooner than 2027, this would lead to even further delay to 5G rollout and even higher cost to operators and the UK economy.
As Matthew Howett, Principal Analyst & Founder of Assembly and one of the report’s authors commented: “As a result of further restrictions on Huawei in the US, the UK mobile operators are set to incur billions of pounds worth of cost stripping out equipment from their networks. This report reaffirms that there is also an untold cost in terms of the economy and impact on productivity a delayed 5G rollout will have, the scale of which the UK can ill afford given the current economic circumstances.”
Some have questioned why the US administration would now choose to extend its trade war and its campaign against Huawei to include its cloud operations when it has next to no presence in the cloud market outside of China. It comes at a time when the dominant cloud players, all major US tech giants, are reeling from a recent privacy ruling in the European high court.
The ruling overturned Privacy Shield, the EU / US data-sharing treaty, and limited the use of Standard Contractual Clauses (SCCs), the other main legal basis on which data can be transferred to the US. Essentially SCCs can no longer be used by any companies that are subject to the US mass surveillance program under FISA 702 and EO 12333. These are US laws that apply to all cloud, telecoms or social media firms (defined as “electronic communication service providers” or ECSPs) that operate in the US.
And FISA 702 and EO 12333 have no territorial limitation. This means that they not only apply to data that has been transferred to the US, but also to data held on servers that they operate in the EU. The location for hosting is therefore irrelevant.
This is a major headache for these US firms. Unable to use Privacy Shield or SCCs as a legal basis for processing data and transferring it to the US and also unable to store and process personal data on servers in their European data centres, they face the following options:
- Set up entirely independent operations in the EU to handle the data of EU citizens – any such European operation would need to be entirely independent of the US entity with no form of ownership or control. Microsoft operates such an arrangement in China with a fully sovereign cloud in partnership with a local provider
- Cease operating in the EU. This is a step that Facebook has announced that it is currently seriously considering
- Lobbying for legal reform in the US to overturn the extra-territorial provisions and end mass surveillance – or at least provide the same protections for EU citizens that are provided to US ones.
The alternative would be to seek to agree a new version of the Privacy Shield Agreement, as they did after Safe Harbor was overturned). For this you would need to persuade EU citizens to give up their certain rights within the Charter of Fundamental Rights of the European Union, (articles 7, 8 and 47). So this would appear to be a non-starter.
Obviously, these are not changes that can be made overnight and the US tech giants are keen to buy themselves time. Any distraction, such as a campaign against Huawei’s cloud operations, even though they have next to no business in the US or EU, would be welcomed by them.
The reason that there is no leeway or no grace period here is that there has been no actual change in the law. These firms were always under an obligation to protect the personal data of EU citizens from mass surveillance. They had simply been ignoring this obligation for many years – the Risks section of their SEC filings, show that they were fully aware all along that Privacy Shield could have been invalidated at any point in the same way that Safe Harbor had been. it has now simply been made clear to them that this has to stop.
Similarly, some of the claims being made by these firms (eg. Microsoft and Google) that they are able to continue operating as before and continue using SCCs are blatantly misleading and possibly illegal. If you actually read the ruling itself (C-311/18 SchremsII/PrivacyShield, EU Commission SCC (2010/87/EU) article 4a and the EU EDPB FAQs point 5) then it is clearly not only unethical but also illegal for US Cloud providers to state they can continue to transfer and process personal data even if data stays in the EU.
Under pressure from powerful lobbyists, European governments have been reluctant either to push back on the anti-Huawei misinformation or to publicise how citizens’ fundamental rights are being violated by US tech firms.This matches their reluctance to enforce GDPR or adequately fund local DPAs.
You will also see limited mention of the predicament in which the US cloud giants find themselves, as many commentators, analysts or journalists are reluctant to rock the boat by speaking out. Why would they?
The hypocrisy here is stark – given the fact that almost all US tech firms are technically acting illegally here while Huawei has not broken any laws, and yet the US administration has been calling for Huawei to be banned.
The US tech giants will argue that changing the way that they operate to comply with EU law would be unnecessarily disruptive to their business and to that of their clients. This is a fair point, but it somewhat overlooks the disruption that the US has caused to Huawei’s business, to its UK clients (like BT and Vodafone who will bear the cost of replacing billions of pounds of Huawei equipment) and to the UK economy in terms of missed opportunity from the delayed adoption of 5G.
A further report by Assembly Research found that all regions of the UK will be negatively impacted by the 5G decision, including those regions already hard hit by the pandemic. While HS2 has been touted as a way to enable the ‘Northern Powerhouses’ to thrive as part of the UK government’s ‘levelling up’ agenda, in reality 5G has far greater potential of achieving this aim. The economic benefit associated with 5G will be spread throughout the various regions of the country. While London is set to realise the greatest share in terms of benefit and job creation, more than three quarters of the total expected benefit and opportunity comes from the regions. Outside London and the South East, 5G has the potential to give a £108bn economic uplift, and create more than 350,000 jobs. All of this has been put ‘at risk’ by the UK’s Huawei 5G decision.
Nevertheless, the US tech firms will have to face the music at some point. Their disinformation and distraction will only work for so long. A number of challenges have already been made following the EU Privacy Shield ruling – see the 101 complaints on EU-US data transfers brought by None of Your Business (NOYB.eu), the privacy campaigning and enforcement NGO. More will inevitably follow, until action is taken.
It is ironic that the land of the free that supposedly upholds values such as free competition and the rule of law should be acting in this way, but nobody has ever really claimed that self-interest wasn’t at the heart of politics and policy, even in America.
Editor’s note: Bill works with a number of global vendors and accepts paid commissions from them, including Huawei; however, he has requested for us to point out that he is paid for his time and not his opinions – therefore the opinions expressed in this and other articles are entirely his own.
Interested in hearing industry leaders discuss subjects like this and sharing their experiences and use-cases? Attend the Cyber Security & Cloud Expo World Series with upcoming events in Silicon Valley, London and Amsterdam to learn more.