That’s not likely to work this time. We need a new strategy. And most of all, we need to get serious about defending U.S. interests.
It’s no surprise that the US fight against terrorism depends crucially on the so-called 702 program, which allows the government to serve orders on social media, webmail, and electronic service providers who store their global customers’ data in the United States.
The intelligence we gather in this way protects Europe as much as the United States. Within days of the Paris attacks, the US agreed to give France direct access to much raw intelligence. Even more recently, the German government credited US (and French) intelligence with helping it thwart planned suicide bombings in Munich over the New Year holiday. The British communications intelligence agency, GCHQ, has a deeply integrated intelligence sharing arrangement with NSA. None of these countries, let alone the smaller members of the European Union, can hope to match the American intelligence resources that are now marshaled in their defense.
So it might seem odd that the European Union poses a threat to these capabilities. Odd but true. The problem has deep roots in Europe’s dysfunctional governance structure and in the mix of dependence and resentment that shapes its relationship to the United States. In the name of protecting privacy, the EU has long insisted that personal data may not be exported to other countries unless those countries provide “adequate” legal guarantees for privacy, and it has frequently threatened to cut off data flows to the United States because of differences in US and EU data protection law.
The threats were grounded partly in economic interest – keeping data processing jobs and companies in Europe – and partly in a European enthusiasm for expressing its moral superiority to the United States. The EU and US have always been able to negotiate a solution as these crises have been created, but the dynamic changed this fall when the European Court of Justice (ECJ) was asked to rule on the adequacy of US privacy law. Relying in part on irresponsible and inaccurate statements by the European Commission, the ECJ declared that the Commission had not justified a conclusion that United States surveillance oversight is “adequate.” It overturned the “Safe Harbor” that had allowed US companies to send customer data across the Atlantic. Just as important, it authorized individual data protection agencies in each member state to adjudicate the lawfulness of data transfers to the United States. While the decisions of those agencies can be appealed, the EU has reached agreement on penalties for data protection violations that are a percentage of companies’ global revenue – billions of dollars in the case of big tech companies like Google and Microsoft. With those penalties hanging over their heads, few companies will want to gamble that they’ll be vindicated on appeal. The data protection agencies, meanwhile, are delighted to have the US and its tech companies in their sights; they’ve said that enforcement actions are likely to begin at the end of January.
The European Commission has been trying to reach a new agreement with the United States to reinstate the Safe Harbor; the US has provided assurances that our intelligence oversight meets European standards. (Indeed, it far exceeds anything that French or German or British intelligence agencies put up with.) But the Commission’s authority to bind the data protection authorities is in doubt, and it is increasingly under the thumb of a reflexively anti-American European Parliament, which will be inclined to reject or cavil at whatever it negotiates. As a result, the Commission has dug in its heels, demanding wide access to (and implicit authority over) US intelligence programs. There’s a high probability that no deal, or at least no good deal, can be reached with the Commission.
Weirdly, the European institutions that have created this mess have no serious responsibility for stopping terrorism or for collecting and using intelligence. The European security agencies that have that responsibility are powerful in individual countries but have little sway in Brussels. This means that the machinery set in motion by the European Court of Justice will grind forward, with everyone doing what they’ve done before: The Commission will seek maximum concessions from US intelligence agencies. The European Parliament will deem the concessions insufficient. The data protection agencies will do all they can to punish American tech companies. Without a deal, tech companies may have to move their data centers out of the United States – making counterterrorism intelligence unavailable to our government. And they will be under heavy pressure to break with the US government on intelligence issues – to encrypt even more data to foil US intercepts, and to fight US intelligence orders in court and in Congress. US intelligence will suffer, perhaps greatly, and Europeans and Americans will be at greater risk of terrorist attacks.
In short, if all the players in this drama just keep doing what they’ve always done, the result will be a disaster for US (and European) counterterrorism efforts. If we want to stave off that disaster, we have to shake up the peculiar European structures that are driving this outcome. We have to make clear that continued attempts to hold American companies hostage over intelligence collection are simply unacceptable to the United States. Up to now, the Administration has tried to appease Europe; it has not played hardball. And Congress has been disappointingly inactive, except for the House of Representatives, which has gone from inactive to supine in a related dispute, proposing to amend US law to give greater privacy rights to Europeans without demanding even before the negotiations are complete.
What could the US do to change Europe’s negotiating calculus? It’s not that hard, if we have the will. Congress (or, frankly, the President) could simply prohibit the sharing of intelligence with any country whose data protection agencies take action that has the effect of undermining US intelligence capabilities; this would certainly include punishing private companies that send data to the United States. Such a measure would make clear the connection between European data protectionism and our lost counterterrorism insights. While it is harsh to cut off intelligence to countries that are often allies against terrorism, the fact is that their policies will slowly cut off US access to terrorism intelligence. (We don’t have to cut off access across the board; the measure could allow exceptions when the President certifies the need to share particular intelligence, but broad intelligence sharing would be barred with any country that takes action against US data access.)
Such a measure has the advantage of putting the onus of solving the problem on individual member states – the entities responsible for national security and for the actions of the data protection agencies. (It’s notable that data protection authorities have rarely or never tried to regulate their own national intelligence agencies; they don’t have the clout. Which strongly suggests that those agencies can bring the data protectors to heel if their access to US intelligence depends on it.) Negotiations with individual European nations, then, are far more likely to produce responsible results than negotiations with the neutered European Commission.
That’s one way of making clear to Europe that we’ve had enough. Here’s another. The US and Europe have been negotiating a Transatlantic Trade and Investment Partnership for years, and it’s likely that a deal will be presented to Congress for approval in 2016. This is part of the Obama administration’s ambitious effort to lock in a host of environmental, intellectual property, labor and trade policies via large multinational deals. You’d think that any effort to restrict protectionism and foster trade would address Europe’s data export restraints – probably the biggest trade issue between the US and the EU in the last fifteen years. You’d be wrong. Both the European Commission and the European Parliament have taken data protectionism off the table in this trade deal, insisting that their current rules must be untouched. The result is a trade deal that as a practical matter blesses the current EU attack on our counterterrorism intelligence programs. Unlike the European Parliament, Congress has said nothing about the issue, strengthening the European hand. Yet it is Europe that likely needs a trade deal far more than the US. Europe’s economy has lagged ours in growth and employment for decades, with the one economic bright spot being a consistently large trade surplus with the US. Congress should take a page from the European Parliament’s book, adopting a resolution stating that no transatlantic trade deal will be approved if it permits the EU’s current interference with both US technology trade and US counterterrorism capabilities.
There will be opposition to either of these measures. Many American businesses expect to get specific benefits from a trade deal, and they are reluctant to upset the apple cart. Refusing to share terror intelligence, meanwhile, has a cold-hearted air. But if we fail to deal with Europe’s data protectionism in this trade deal, we may never have another chance; that will be bad for US industry, which will increasingly be held hostage or forced to accept uneconomic restrictions on how it manages its data. And cutting off counterterrorism intelligence sharing with countries that are undermining the foundation on which that intelligence rests is simply a matter of self-preservation.
If Europe wants to cripple its intelligence agencies, it is free to make that choice. We should not let it cripple ours.