Home > News > European privacy policy is not a cynical anti-competitive plot
174 views 13 min 0 Comment

European privacy policy is not a cynical anti-competitive plot

- February 26, 2015

President Obama waves during the White House Summit on Cybersecurity and Consumer Protection on Feb. 13, 2015 in Stanford, Calif. (Justin Sullivan/Getty Images)
Carrie Cordero at Lawfare has written a post which appears to be in large part a riposte to an earlier Monkey Cage post that one of us wrote on President Obama’s recent remarks on European privacy. Cordero describes Obama’s comments, which criticized European privacy policy as anti-competitive as both “refreshing” and fundamentally right. As another Lawfare blogger summarizes her argument, she “applauded the remarks and described how Europe used the Snowden revelations to support European industry while hamstringing American companies under the guise of concerns over government surveillance.” I recommend that readers interested in looking at the counter-case go and read Cordero’s comments. However, they’re perhaps more useful in conveying the collective wisdom among some circles in Washington D.C. (Cordero has enjoyed a distinguished career in the intelligence and national security community before going into private practice) than in really explaining what is at stake in EU-US disagreements over privacy.
Was Obama really talking about privacy and national security?
This is at best doubtful. Cordero argues that Obama was criticizing the Europeans for “taking advantage” and engaging in “game playing” by “conflating consumer privacy laws and policies with national security laws and policies.” As she describes it, “The European pressure on U.S. companies following the Snowden disclosures has, as the President alluded [sic], taken advantage of the situation by conflating consumer privacy laws and policies with national security laws and policies.” However, there isn’t any actual evidence in the interview that Obama is “allud[ing to]” European “pressure on US companies following the Snowden disclosures” Obama is responding to a question about EU investigations into the consumer privacy practices of Google and Facebook which started long before Snowden made any disclosures. He only mentions Snowden once in the entire interview, in a completely different context.
Even so, is E.U. policy driven by protectionism in the other privacy areas that Cordero talks about?
Not really. Cordero pivots from the privacy investigations that Obama is, in fact, talking about, to a separate set of issues involving three major E.U.-U.S. privacy disputes that mingle questions of privacy and security. These are the so-called ‘SWIFT’ or TFTP dispute over financial data, the PNR dispute over airline passenger data, and disagreements over the Safe Harbor arrangement. As it happens, we’re writing a book about these disputes and the underlying policy questions (the book isn’t finished yet, but earlier versions of some of our arguments can be found here and here). As we see it, the evidence doesn’t support Cordero’s claim that this is all about protectionism.
First, Cordero’s post focuses on a single report, coming from a committee of the European Parliament, as evidence that the European Union’s privacy policy is motivated by protectionism. Or, more precisely, she focuses on a couple of sentences from a very long report (which she doesn’t link to) that she says support her claim that the European Unino is motivated by protectionism. The sentences that she picks out highlight how the European Union needs to “Develop a European strategy for greater IT independence (a ‘digital new deal’ including the allocation of adequate resources at national and E.U. level) to boost IT industry and allow European companies to exploit the E.U. privacy competitive advantage.” She suggests that this shows how “many of the recommendations for action had less to do with curtailing foreign intelligence collection programs, and more to do with fostering E.U. technological independence,” and goes on to criticize the Parliament for trying to reopen questions on SWIFT, PNR and Safe Harbor that the United States had hoped were closed.
The problem is that the re-opening of the SWIFT and PNR agreements don’t have anything obvious to do with protecting European firms (most of whom do not want to see these agreements opened up again). The SWIFT agreement is all about the obligations of a Belgium based firm to provide data to U.S. authorities. If it collapsed, it wouldn’t hurt US firms even slightly. The PNR agreement involves the obligations of European based carriers to provide information on their U.S.-bound passengers to U.S. authorities. Again, it has no obvious competitive implications (except that if it broke down, European airlines would almost certainly suffer). We simply cannot see any credible argument that the European Parliament’s opposition to these agreements is driven by protectionist considerations.
One could, however, make an argument that a breakdown of the Safe Harbor agreement would damage the ability of U.S. firms to compete in Europe. They use this agreement to provide them with an opt out from the full rigor of E.U. privacy law when they transport personal data from Europe to the United States. However, there are lots of legitimate reasons to want to see the Safe Harbor revised — its enforcement provisions are notoriously weak. And the European Parliament is very clearly signaling that it sees a solution to the transatlantic disputes over security and privacy, which does not involve E.U. protectionism. Instead, the European Parliament is asking the United States to introduce legislation that would recognize the privacy rights of European citizens as well as U.S. citizens, and give them judicial recourse if they feel that their rights are breached. The U.S. administration has signaled that it is willing to consider this (what Congress has to say may be a different story).
So what is driving E.U. policy on security and privacy
A lot of things that Cordero doesn’t really talk about. Her post inadvertently conveys the impression that the European Parliament is opening up a set of agreements on privacy and security for no very obvious good reason. It hence doesn’t pay attention to the actual reasons why some Europeans are unhappy with the United States. The SWIFT controversy, for example, began when a New York Times article revealed that the United States had secretly been requiring a Belgian based financial messaging service to break European law by secretly providing it with large quantities of financial data. The PNR saga began when the United States started obliging European airlines to break E.U. privacy law if they wanted to continue flying into the United States. Both cases led to bitter and protracted disputes, which have only become more bitter after the Snowden revelations. Cordero seems to think that it’s weird for the Parliament to take Edward Snowden’s word over that of U.S. officials over allegations that the NSA has been undermining the SWIFT agreement by secretly helping itself to financial data outside the agreed system. However, she doesn’t address documentary evidence that on its face appears to support Snowden’s story.
There is a more fundamental problem with Cordero’s argument (and, in fairness, the arguments of many other people writing about these issues). The real fights are not between the European Union and the United States. They are between two coalition of actors, each of which spans across the European Union and United States, one of which is focused on security, the other on privacy. If one actually reads the report that Cordero singles out carefully, its major targets aren’t U.S. firms, or even the U.S. administration. They are E.U. member states and the European Commission, which the Parliamentary committee believes to be privileging security over privacy. For example, the report questions “the compatibility of some Member States’ [read here: the UK] massive economic espionage activities with the EU internal market and competition law.” Our book will talk about this at much greater length. If one wants to understand what is really driving these fights, one has to look at how European and U.S. security officials have joined together to try to roll back European privacy protections, where they felt that they damaged security and intelligence gathering, and at how some members of the European Parliament have joined together with data protection officials and some activists on both sides of the Atlantic to try to fight back.
These fights are what is driving European policy on privacy and security, not protectionist impulses. Doubtless, there are some businesses and politicians who would like to seize on these battles for protectionist advantage (as Adam Segal has pointed out on Twitter, vague proposals for a “data Schengen” might easily turn in a protectionist direction). But the big transatlantic battles over privacy would be resolved tomorrow if the United States credibly agreed to respect the privacy rights of European citizens. This wouldn’t hurt U.S. businesses, but it probably would make life more difficult for U.S. intelligence agencies.
So what lessons can we learn?
There’s one straightforward lesson at least for U.S. officials (and it’s unfair to single out Cordero, who is representing a common set of views among people in the U.S. security establishment). U.S. security officials have been taken aback by the vehemence of the response to their incursions on other people’s privacy. They see themselves as doing the right thing and as trying to protect the security of American citizens (and, to a lesser degree, the citizens of America’s allies). This means that some of them are inclined to view people who disagree with them as either driven by knee-jerk anti-Americanism (a view sometimes propounded by Cordero’s co-blogger, and former senior DHS official, Stewart Baker), or driven by other sordid motives such as the zeal to destroy America’s companies. These beliefs don’t really accord with the empirical evidence. America’s officials don’t have to agree with Europeans who see privacy as a fundamental right, but they are less likely to make serious errors if they at least understand them.