Two months ago, the European Court of Justice issued a ruling that effectively invalidated the Safe Harbor arrangement, an agreement that big U.S. multinationals and e-commerce firms use to move personal information across the Atlantic. The court’s ruling was largely motivated by the threat that U.S. surveillance undermined the privacy rights of European citizens.
This decision has led to consternation and outrage among American CEOs and politicians. Eric Schmidt, who heads Alphabet (the corporate entity that used to be Google) has said that the decision risks “destroying one of the greatest achievements of humanity,” the Internet. U.S. and European negotiators are trying to build a new deal before the end of January, when European privacy officials have threatened to confront U.S. businesses.
With the exception of privacy advocates (most of whom were delighted by this decision), American commentators have mostly been sharply critical of Europe’s decision. We have a piece in the new issue of Foreign Affairs which tells you why many of these criticisms are wrong. The real story is that US policies have created a backlash, and European officials are using America’s own tools against it.
Europe’s privacy concerns are not protectionism in disguise
Many of Europe’s critics claim that the E.U. isn’t trying to protect the privacy rights of its citizens – it’s trying to protect the profits of its businesses from U.S. competitors. For example, Oregon Senator Ron Wyden argues that the court’s “misguided decision amounts to nothing less than protectionism against America’s global data processing services and digital goods.” Before the Safe Harbor decision, President Obama similarly claimed that European privacy protections were more motivated by commercial selfishness than high-minded principle.
The problem is that this isn’t actually true. There wasn’t any big push among European firms or their political friends to sabotage Safe Harbor. Many important European firms used Safe Harbor too, for example to store data in the U.S. They are just as unhappy as their U.S. counterparts. At the same time, companies like Google, eBay and Apple employ thousands of workers across Europe. Compare this to the dozen or so employees at Runbox, a Norwegian company that promotes itself as a privacy-focused alternative email provider and has received attention in the wake of the Snowden affairs.
More generally, the Safe Harbor decision has generated a lot of uncertainty in transatlantic commercial politics, which isn’t good for anybody. Businesses like a stable political environment, not freefall.
They aren’t being hypocritical either
Other commentators, such as Joel Brenner, a former senior U.S. security official, accuse Europe of rank hypocrisy. The basic claim underlying this argument is that Europe spies too, surveilling its own citizens as well as the citizens of other countries (possibly including the U.S.).
Brenner is a canny observer, but his claim is subtly wrong. For sure, European spying and domestic security agencies do these things. But it’s a mistake to think of “Europe” as a single thing. Instead, there is a fight going on within the E.U. (and across the Atlantic) between pro-security officials and pro-privacy officials.
Neither side is being hypocritical about Safe Harbor. Pro-security officials in Europe – the ones, for example, doing the spying on European citizens – aren’t being hypocritical because they hate the Court’s ruling too. They would prefer to go on swapping information with the U.S. with no public controversy.
Pro-privacy officials and activists – now including, apparently, the judges in the European Court of Justice – aren’t being hypocritical either. They would love to get rid of both U.S. surveillance and E.U. surveillance on European citizens (and on U.S. citizens too). Pro-privacy activists have been taking court actions to the European Court of Human Rights exactly because they hope to take down domestic surveillance arrangements within Europe.
Pro-privacy Europeans are just playing Americans at their own game
If Americans want to understand what is happening in Europe, they should look to the behavior of their own country.
In the last 15 years, U.S. officials have forced reluctant European countries to implement and enforce anti-bribery legislation by taking actions against their firms. They have made Switzerland change its rules on bank secrecy, by creatively reinterpreting IRS regulations. They have used the Patriot Act to turn foreign banks into effective agents of the U.S. government, by designating certain financial institutions as money launderers, so that other banks who do business with them can fear regulatory action. Finally, they have forced a European financial messaging agency to break European privacy law by quietly providing information on international financial transactions to U.S. security agencies.
These actions have been motivated by increased economic and security interdependence. In an interconnected world, conditions in the U.S. are increasingly affected by conditions in other countries, meaning that the U.S. has an interest in shaping rules in other countries.
Increased interdependence creates tools as well as problems. Because businesses in other countries need access to U.S. markets and have to carry out transactions in U.S. dollars, U.S. officials are able to put pressure on foreign firms both to force their home governments to change their rules, and to make these firms enforce U.S. policies outside America’s home jurisdiction.
Nor can foreign firms easily push back against U.S. officials in law courts – U.S. courts grant a lot of deference to U.S. regulators in interpreting their own rules.
Since Sept. 11, this has started to go further. U.S. officials have been increasingly willing to “weaponize interdependence,” using U.S. economic dominance to make other countries acquiesce to U.S. national security goals. This helps explain why many European officials are upset about privacy. One of the things that the US has done is to use American dominance of the information technology sector to gather security relevant information. European privacy officials believe that this invades the privacy of US citizens.
However, weaponized interdependence is a two-edged sword. U.S. firms (including technology firms) are internationalized, making them vulnerable to concerted pressure from foreign regulators. Furthermore, as the U.S. weaponizes interdependence more and more, other big jurisdictions are likely to try to make the U.S. accommodate their preferences rather than vice versa.
This plausibly explains the Safe Harbor decision far better than accusations of economic protectionism or hypocrisy. The European Court of Justice isn’t trying to protect European firms or European spies. It’s trying to protect European rules and values, by forcing other countries to respect them better, just as the U.S. has obliged other countries to adhere to U.S. rules and values in the past. These judges are, in a sense, holding U.S. technology firms hostage — but again, this replicates U.S. operating procedure over the last 15 years.
The bad news for the U.S. is that this suggests the limits to the strategy of weaponizing interdependence. Interdependence cuts both ways, and as the U.S. gets more aggressive, it is likely to get more pushback. The good news, in this particular case, is that this conflict can be resolved through rule changes that would oblige U.S. officials to respect the privacy rights of Europeans. Yesterday, the need for America to find a solution became even more urgent – Europe has just agreed on a new law that allows privacy officials to fine businesses up to 4% of their global turnover when they breach European privacy rules.
Abraham Newman is an associate professor at Georgetown University’s School of Foreign Service.