USA Must Not Dictate Global Data Protection Law

Last week, whilst Republican Presidential candidate Donald Trump was dominating worldwide headlines, a serving representative of the US government slipped into Europe and also made some controversial comments… but gained less attention because the subject was data protection law. However, the world should take notice, and international comms providers need to be acutely aware of the USA’s perilous approach to negotiating data protection safeguards across our joined-up planet. Speaking at a Chatham House event in London, US Attorney General Loretta Lynch reproached the European Union for putting a high priority on the privacy of its citizens:

It is certainly highly concerning to us that data privacy legislation advancing in the European Parliament might further restrict transatlantic information sharing… [it] ignores the critical need for that information sharing to fight terrorism and transnational crime, but also overlooks the important steps forward that the Obama administration and Congress have taken to protect privacy.

Speaking in the wake of the recent collapse of the EU-US Safe Harbor agreement, which was meant to protect EU citizens whenever their personal data was processed in the US, Lynch also said:

It was particularly disappointing that the European Court of Justice – in a case based on inaccurate and outdated media reports – recently struck down the Safe Harbor Agreement…

I should avoid getting too angry at statements like this, because Lynch is both a lawyer and a politician, and hence doubly deceitful. And I should refrain from pointing out the impertinence of an American lecturing others on how to use data to counter terrorism, whilst the US provides sanctuary to only a trivial number of refugees because of a paralyzing fear of outsiders. But I will stoutly defend the European Court of Justice, whose decision had nothing to do with ‘inaccurate and outdated media reports’ and everything to do with the plain facts of how the US government accesses personal data in ways that European governments have made illegal.

Like it or lump it, Harvard-educated Lynch should appreciate that European law is written by European governments, and not by the government of the USA. There is hence every possibility of those different governments passing laws that contradict each other. The likelihood of misaligned national laws grows worse every year, because our communications and information technology systems have rendered borders obsolete.

In the case of data protection, we have already endured over a decade of conflicting laws. The Europeans passed laws that prohibit personal data being used in certain ways. The Americans passed laws that say they will use personal data to protect themselves… especially when the subject of the data is not a US citizen. Hence the laws clash, but governments have chosen to hear no evil, see no evil, and speak no evil. Between the US and the EU, this pretense took the shape of a Safe Harbor deal which was meant to negate the contradictions in law. To do this, the Safe Harbor said American corporations could be relied upon to (1) obey European law, and (2) break US law, just because they explicitly said they would do the former, even though it implicitly requires the latter. When given their chance, the lawyers who work for the European Court of Justice reached the straightforward and obvious conclusion, which was that the Safe Harbor agreement could not be legally upheld. Those lawyers did their job, as judges of the law. In contrast, Loretta Lynch is also doing a job – the political job of trying to manipulate the priorities of other governments. As such, Lynch deserves none of the respect due to the European Court of Justice.

Both Lynch and the US government are entitled to their opinion, but let us be clear about what is at stake. For well over a decade, governments in both Europe and the USA have been lying that there is not much difference between data protection in Europe, and in the USA. That is not a good thing for anybody, least of all those individuals and businesses who have interests on both sides of the Atlantic. Nobody wants to be sued, or go to prison, because they broke one government’s law in order to obey a different government’s law.

When it comes to the differences in law, I could go into detail, but the problem with legal detail is that it leads to misty eyes and a general indifference to data protection. The distance between European and US data protection law is so great that we might as well compare a manned mission to Mars with a bike ride to the local grocery store. Europe’s data protection is ambitious to a fault, making extravagant promises that have not and will not be kept, not least because the Europeans lack the technology to deliver on those promises. In comparison, US data protection is realistic but trivial. American expectations are set so low that US authorities are content to limbo underneath bars that Europeans try to vault over.

In the middle of this messy situation we find thousands of lawyers are employed, on both sides of the Atlantic, to reassure us that everything will be fine, even though personal data criss-crosses between the two continents. Mostly the lawyers are right, though not because the law is on their side. The lawyers also get away with this ridiculous situation because the authorities which have the power to enforce the law are selective when choosing to do so. That leaves everybody stuck in a messy quagmire which nobody wants to talk about, and this usurps the essential purpose of the rule of law by making the law arbitrary and unreliable. That was why the European Court of Justice had to come to the conclusion that many people employed to uphold European law were actually guilty of ignoring it.

When Loretta Lynch argues that the Obama administration has enhanced civil liberties and privacy, she has effectively stated that Obama put a new bell on his rickety old bike. Attaching a bell is a safety improvement, but it hardly bridges the gap to the rocket science which European governments have promised to their citizens. Whilst EU protections gift its citizens extraordinary powers to censor the web through ‘the right to be forgotten’, US privacy initiatives are so pathetic that they result in ‘do not track’ standards that nobody follows. Lynch is unwilling to admit the privacy protections in European law make Obama’s privacy safeguards look petty and thin. In contrast, European governments are unwilling to admit how often they fail to deliver on their promises. Because neither side is prepared to state the whole truth, we end up with an even more absurd situation where an intelligent lawyer pretends a rickety bike is capable of space travel.

Meanwhile, private enterprise is delivering real solutions for data protection. This is because businesses have to be practical, and must satisfy their customers, whilst politicians and lawyers can thrive on make-believe and words. Encryption is a better defender of data protection than any law, and it is thanks to corporations like Apple and Google that Obama had to back down over plans to force tech and comms companies to insert ‘back doors’ that would compromise security in order to assist surveillance. We should congratulate American companies for preventing Lynch from doing something else that would be contrary to European data protection law, and ignore Lynch’s pretense that her administration cares for data protection as much as Europeans do.

There are plenty of indications that tech businesses are leaving the US, or choosing to start up in other countries, because of the weakness of privacy protections in American law. Lynch can make as many speeches as she likes, but businesses that compete for privacy-minded customers cannot thrive if they are subject to the whims of governments that do not care about privacy. Whilst the EU’s data protection regulations create a burden for businesses in Europe, the absence of privacy safeguards can also hamper business.

Lynch’s speech is a warning from the US, telling the Europeans they will have to compromise and make their laws more like those in America. I agree that the Europeans should be much more realistic, and this is necessary for sensible global compromises on data sharing and use. On the other hand, US privacy protections are laughably flimsy. Instead of demanding that other nations should lower their standards, the Obama administration should focus on raising standards in the USA. Both the EU and the USA are a long way from a sensible middle ground that would protect privacy whilst giving governments the powers they really need. As a consequence, this may create an opportunity for so-called ‘developing’ countries to show they can do better than following the lead of Western powers. Whilst they may want to do business with the West, the data protection expectations promulgated by Western governments are so divorced from reality that other nations might win more business by setting their own standards, and providing an honest and transparent framework for data protection that everyone can see is delivered in practice. At the very least, when the US tells other nations how to do data protection, everyone else should ignore the bad advice being offered.

Eric Priezkalns
Eric is the Editor of Commsrisk.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.