Tomorrow the European Commission publishes its second ever review of the EU-US Privacy Shield - and shows the extent of Europe's preeminence in cyberspace
Can Europeans defend their values in the American- and Chinese-dominated Digital Age? The short answer is: only if they play to their strengths, making use of the European Union’s influence as a regulatory superpower.
Encouragingly, they are beginning to do so – albeit belatedly. But it remains unclear whether Europeans are sufficiently determined to make their values count in the long term. The European Commission’s annual review of the EU-US Privacy Shield, due to be published tomorrow, should shed some light on the matter.
The World Wide Web is splintering. Broadly, it is bifurcating into a Chinese web – walled off from the rest, where the state is striving to establish total surveillance of its citizens, while Chinese technology firms expand their foothold across Europe – and an American web, where the state does nothing to prevent private companies from implementing a business model based on something that resembles total surveillance. Europeans increasingly doubt that they can afford to ignore these trends.
Few European countries seem surprised at China’s approach – or that other authoritarian states are trying to emulate it. Yet there was once rough alignment between European and American interests in the digital sphere. As in trade and security, most Europeans regarded the United States as the pioneer of a global system in which it was the chief guarantor of neutrality, equal access, and mutually beneficial cooperation. This was never entirely true, of course – the US and its companies took advantage of American hegemony in many ways. Nonetheless, such opportunism sparked little opposition from EU states, as they did not perceive it as a gross violation of their interests and values.
The European Commission should declare US privacy protections inadequate in its forthcoming review
This is no longer the case. Europeans are increasingly isolated in their fight for a global order based on rules rather than force alone. Acknowledging this reality, they should seek to stand up for their values using a strategy that insulates Europe’s internet and sets new rules for global digital relations – as they have, to a degree, with the General Data Protection Regulation (GDPR). With the internet fragmenting, Europeans need to consider how they can direct the EU’s influence as a regulatory superpower towards governing global data flows and building a digital l’Europe qui protège.
The EU’s enactment of the GDPR in May this year was a milestone in the effort. The GDPR regulates data usage in a vast array of areas and provides a governing framework for a European internet in the single market. The EU has also protected its citizens in their data relations with companies across the world, with European legislation fundamentally reshaping the data processing practices of many multinational firms. In contrast to America – one of the only major economic powers not to directly regulate cross-border data transfers – Europe has forged ahead in setting global standards.
However, several factors will determine the extent to which states outside Europe truly enforce the GDPR. This is where the EU-US Privacy Shield and the European Commission’s yearly review come into play. One striking paradox of the data economy is that, by helping prevent European social media firms from becoming competitive, Europeans’ attitudes towards privacy actually contributed to the success of Facebook and other American companies geared around “surveillance capitalism” – even as these companies profited from transferring Europeans’ personal data overseas and violating their privacy there.
In theory, the Privacy Shield should have prevented this from happening. But, so far, the EU has not pushed hard enough for the measure to be rigorously implemented. Since 2016, Brussels has required many major US companies to abide by EU privacy standards. In its 2017 review to ensure that US technology firms upheld European standards when processing Europeans’ data, the European Commission criticised the US but concluded that American standards were adequate overall.
It is with good reason that Mark Zuckerberg is rumoured to be watching privacy lovers in Europe, especially Germany, with some concern
However, things have changed. As binding EU law for any company that deals with Europeans’ data, the GDPR is much stronger than the Privacy Shield, a voluntary pact that only covered some companies. Now, the European Commission is legally required to declare a third country’s privacy protection inadequate if it does not follow EU rules, and to prevent the transfer of Europeans’ personal data to that country.
And while Europe has tightened its rules, scandals in the US have multiplied. For instance, the Cambridge Analytica affair has made it next to impossible for the European Commission to convincingly argue that there is no problem with privacy in the US. For some Europeans, it may have been fitting that the consultancy firm obtained the bulk of personal Facebook data it allegedly used to influence the US election for the candidate most opposed to a rules-based order. In any case, the way in which the company illegally accessed highly sensitive data about political and psychological preferences alarmed many in Europe. Further doubts about the protection of data on US firms’ servers have arisen from the recent hack of 50 million Facebook accounts and the egregious problems that prompted Alphabet to shut down social network Google Plus – to name just two examples.
If it wants the GDPR to be fit for purpose, the European Commission should, therefore, declare US privacy protections inadequate in its forthcoming review. Yet, with the transatlantic relationship becoming more tense and midterm elections looming in America, it is possible that the European Commission will avoid a confrontation, leaving it to the European Court of Justice to strike down the Privacy Shield at some point. Otherwise, EU-US data relations could tumble back into the kind of uncertainty that reined in 2015 and 2016, after the court declared the Safe Harbour agreement between the sides inadequate for European privacy protection.
In either scenario, Europe will need a strategy for building a more robust European internet in a splintering digital world, and for protecting its citizens from the consequences of American and Chinese dominance. It is with good reason that Facebook CEO Mark Zuckerberg – who seems to fear few governments – is rumoured to be watching privacy lovers in Europe, especially Germany, with some concern. The global competition for governing cross-border data flows is now in full swing; with the right decisions, Europe could begin to restore its digital sovereignty.
The European Council on Foreign Relations does not take collective positions. This commentary, like all publications of the European Council on Foreign Relations, represents only the views of its authors.