17 June 2019

Common Ground: Finding Transatlantic Solutions For Data Security


In the United States, navigating the issues of data privacy and security is a walk through a political, social and economic minefield. America’s stalwart commitment to capitalism and personal freedoms makes any regulation in that arena likely to face a fierce fight. Meanwhile, the European Union last year began enforcing its General Data Protection Regulation, or GDPR, widely seen as one of the most progressive set of laws regarding data. The clash continues, but the battles are less pitched as more groups partner to find global solutions for data security. A new book, Of Privacy and Power: The Transatlantic Struggle Over Freedom and Security, looks at how the EU and the U.S. are evolving in their common need to protect citizens and data. The authors are Abraham Newman, a government professor at Georgetown University’s Walsh School of Foreign Service, and Henry Farrell, a political science and international affairs professor at Georgetown. Newman joined the Knowledge@Wharton radio show on Sirius XM to talk about the topic. (Listen to the podcast at the top of this page.)

An edited transcript of the conversation follows.

Knowledge@Wharton: The political relationship between the U.S. and the EU can be strained at times. But how is the relationship on privacy and data?

Abraham Newman: The central argument of our book is that we want people to think of it not just as the EU versus the U.S., but that there are groups both within the EU and in the U.S. that have very similar views about security and privacy, and the way that this area is transforming is when those groups team up in the transatlantic space. Instead of a clash, it’s the security-minded groups and these privacy-minded groups, and they’re using this interaction globally to press their case.

Knowledge@Wharton: In what areas are you seeing that greatest partnership?

Newman: [Former Department of Homeland Security] Secretary Kirstjen Nielsen was in Europe, where she had her hand slapped because of it, or maybe she got fired because of it. But what she was doing there was trying to create connections with security actors in Europe to expand counter-terrorism and surveillance actions. That’s been going on since 9/11, where interior ministers in Europe and DHS secretaries in the U.S. have been working to find new ways to collect data for security purposes. On the opposite side, you have nongovernmental organizations, civil rights actors in the U.S. and Europe as well as data protection officials in Europe that have been working collaboratively to rein in companies and also governments.

Knowledge@Wharton: In the book, you mention the revelations of Edward Snowden — who leaked highly classified information from the National Security Agency in 2013 when he was a subcontractor — and how it has played a role in framing some of these concerns over the last few years.

“One of the major findings of the book is to say homeland security is global.”

Newman: We are still feeling the consequences of the Snowden revelations. A lot of people right afterwards kind of dismissed it and thought, “OK, everybody spies. That’s what we know from this.” But it has really undermined the key faith that partners in Europe have that the U.S. was a trusted actor, and even more so that the firms could be trusted to keep the data safe. There’s a court case pending that’s based on the Snowden revelations that could completely disrupt U.S.-European data transfer. So, even though it seems like it was a while ago, it’s still playing out in the transatlantic space.

Knowledge@Wharton: Even with all of the concerns, is there a belief that we need to come together in partnership over data and security?

Newman: Yes, and part of it is the result of Snowden playing out. For the first time I think since I’ve been studying these issues, you’re seeing a really radical transformation in U.S. views. This doesn’t mean that there’s a unified way that the U.S. thinks, but there are groups in the U.S. that have really moved their position. Apple and Facebook have both come out for GDPR-like legislation. You also have politicians like U.S. Sen. Elizabeth Warren saying we need to do these things, or U.S. Sen. Amy Klobuchar. You didn’t really have that alignment of politicians and firm actors, and in part that’s because of what’s just been happening in Europe, but also what’s happened in California. California passed a whole bunch of privacy laws that are then flipping these firms, making them think about what their preferences are in a global data environment.

Knowledge@Wharton: You say that even domestic security needs to have an international scope. What do you mean?

Newman: One of the major findings of the book is to say homeland security is global. A lot people like to look inward and think, how do we solve these problems? Well, we build a wall or we look inside our country. But the threats and the challenges of domestic security often emanate from international sources, and that requires a global perspective on how are we going to meet these challenges. We have to work with actors that span the globe, not just within our borders.

Knowledge@Wharton: The threats are not going to slow down, so will a continued higher level of security be needed to protect all this data?

Newman: Yes. What we’ve seen everywhere, from the spread of disease to terrorism to organized crime, is that actors are taking advantage of global networks. And that’s the bad side of globalization. But we have to be smart about that, too, and think about how can those who are trying to protect societies take advantage of globalization as well? If we don’t do that, we’re leaving tools on the table.

Knowledge@Wharton: How does the pullback on globalization by the Trump administration affect data security and privacy?

Newman: Several of these efforts, in my view, are just short-sighted. I think the administration’s view of Secretary Nielsen’s trip to Europe, for example, is very typical of the current administration. It was seen as a kind of boondoggle, that she was in Europe talking counter-terrorism. But in my mind, that’s exactly what we need to be doing. We need to be fighting these battles not just at home but globally, and we have these opportunities to do it. I think by only focusing at home, by cutting off relations with these people that have similar views, similar concerns, then we’re disregarding our major tools to address these problems.

Knowledge@Wharton: Are there examples of transatlantic business relationships that we can draw from as a parallel to where we need to go overall?

Newman: That’s an interesting question. People often underestimate the deep extent of cooperation that happens between the U.S. and Europe on a whole range of issues. The Justice Department and the European Commission are in contact with each other when new antitrust cases come up, and they talk to each other about what they should be doing. In medical devices, there are mutual recognition agreements. There are lots of places where government officials from the EU and the U.S. are really working to solve the problems and think together.

I think in the case of privacy, you have two different groups that are using those relationships, but they don’t always share the same view. The security group and the privacy group. Sometimes they’re working quite intensely with each other, but at cross purposes.

Knowledge@Wharton: In one chapter, you write about airline passenger data and how that is brought into this discussion. Tell us about that.

“This conversation of what’s the role of data in our society will only become more important as we move towards more machine learning, more artificial intelligence.”

Newman: What we’re trying to show in several of the case studies is that the laws that you have in Europe and the U.S. are being changed by these interactions. In Europe, they’re often hamstrung by privacy rules. The relationship that they built with U.S. security officials helped them create kind of transatlantic agreements, which then they then used to try to break apart their domestic bargain.

In the chapter on passenger name records, we showed how that happened, where the European security community was really locked out of this data and worked with European partners to create this transatlantic agreement, and then they came back to their European publics and said, “We have this U.S.-European agreement. We really need to change our domestic laws.” The main point we want to make is that politics is very local, but these global interactions are transforming the way domestic law works on very fundamental issues about how freedom, civil liberties, are being conceived.

Knowledge@Wharton: How important is the relationship between the public and private sector in tackling these issues?

Newman: That’s interesting because the private sector is often caught in a kind of Catch-22, where rules from one country like the U.S. conflict with the rules in Europe. We see this here in the privacy domain, where Europe has this GDPR, these very strong rules, the U.S. doesn’t. Companies want some amount of certainty. They’re worried that their business is going to get disrupted because they want to play in multiple markets. That’s where these transatlantic agreements can have a lot of power, because the companies can be willing to sign onto one of those to get rid of that uncertainty.

Knowledge@Wharton: Tracking the financial path of terrorists is part of the reason why the U.S. got into trouble with the EU, but it is such an important component to combatting terrorism. Do you agree?

Newman: I think what happened in the wake of 9/11 is that the U.S. Treasury Department realized it was sitting on this tremendous resource in information about financial flows. It tapped, in particular, this organization called SWIFT, which sits in Belgium. That organization is like a central hub. If you want to make any kind of bank transfer in the world, it goes through SWIFT, so they have all the records. One treasury official described it as the Rosetta stone for figuring out who our adversaries are and what they were doing.

And it’s not just terrorists. We use this also when we’re dealing with countries like Iran or North Korea. It allows for a level of forensics that you would not be able to have in any other way. The problem was, once again, that the U.S. went about this without getting any kind of agreement with Europe. They did it in secret. The New York Times ran an expose, and it threatened to crash down the whole program. It led to a series of tough debates between the U.S. and Europe about balancing the needs for security versus privacy rights.

Knowledge@Wharton: The EU’s progress on data privacy and security has been viewed as transformative. How do we take that perspective and make it a global one?

Newman: The EU started thinking about these issues in the early 1990s. It’s really hard to imagine, but it was before Google was even founded. We think of this as such an essential part of our life, but it’s a very recent phenomenon. So, the EU has long been working through these problems, and the GDPR is just the most recent incarnation of it.

“The whole 2016 election and the fallout for Facebook is just another very powerful example of what the future could hold.”

I think you’re totally right that this is having global consequences for people’s lives, for how companies work, their business models. I think that this conversation of what’s the role of data in our society will only become more important as we move towards more machine learning, more artificial intelligence. If we’re the oil, if we, the citizens, are making all this data that’s driving the economy, what are the ethics behind that and who should be able to use it? Who should be able to benefit from it? I think of all the countries in the world, the EU is really at the cutting edge of saying we have to think about the citizens and not just about what the government needs are or the company’s profits. They have sparked this conversation, and I hope that the U.S. government and our society will really engage with this. You are seeing this kind of movement in the U.S., but I would totally agree that we’re behind the curve.

Knowledge@Wharton: What has been the impact of the loss of data and the loss of privacy on global growth?

Newman: It’s a very complex question about how do you keep the trust level so that people continue to engage in these new forms of communication and new technologies? An important part both of the California legislation and the GDPR is the data breach notifications letting consumers know when their data has been lost. Since these laws have been passed, those notifications have just skyrocketed — tens of thousands of notices every year. If we’re going to keep this part of our digital economy going, we also have to secure, not in the terrorism sense, but secure in terms of the data maintenance and encryption sense, what’s happening with our data.

The problem is that, for a long time, actors in the U.S. saw this largely just as an economic issue that was going to have minor economic consequences, like maybe they’d lose a few customers. We’re seeing now that these data breaches are not just economic events, but they’re often linked to espionage both by businesses but also by foreign governments.

You see Chinese, Russian hackers using these data breaches for doxing campaigns, where they take the information and release it to embarrass political partisans or opposition opponents. When that starts happening, the businesses start to get involved in a new way that puts them in tremendous political risk. That’s a large factor behind Facebook’s change recently. They don’t want to be sitting on that data that’s going to get breached. Instead, they want to move to encryption, the kind of WhatsApp model. All those things take them a step back from this just mass data surveillance.

Knowledge@Wharton: How are the very well-known U.S.-based internet companies going to deal with these issues moving forward, especially considering this division between what you can do in the U.S. and what you can do in Europe? It feels like Facebook and Google and others are having to set their standard by Europe even though their primary market may be here.

Newman: For the last 15 years, U.S. companies have played kind of a dual game. They’ve complied with European standards in Europe, and then there’s been a wild west in the U.S.. I think what they’re running up with is on the government side, on the public sector side, they’re facing more and more demands, both from Europe but also internally from these fragmented rules, like California. Washington State is planning laws. As those things mount, they’re facing that pressure.

But they’re also facing the end of a robber baron phase. There was a phase where you could just do whatever you want, make a lot of money, surveillance capitalism’s amazing. Now they’re facing new political risks by that. The whole 2016 election and the fallout for Facebook because of that is just another very powerful example of what the future could hold. I think the companies are starting to see the end game of that model and they’re seeing a convenient path to exit, which are these laws that give them protection from just being blamed for doing nothing.

Knowledge@Wharton: How much impact will these transatlantic partnerships have in the current administration? Or do they chart a path for even greater partnerships in the next decade or two?

Newman: I think you’re seeing growing conversations both between NGOs and also politicians on both sides of the Atlantic on this privacy stream. I think the best example is Washington State. They’re not proposing the California law. They’re proposing a GDPR-like law. They have been in contact with politicians in Europe, learning about how this set of legislation works.

You also have NGOs in the U.S. who are learning from powerful NGOs in Europe about how to go after companies, how to bring lawsuits. I’m not convinced that this administration is going to make it. I basically think that this Congress is not going to have any time to pass a privacy law before the next presidential election. But I think afterwards, you’re going to see more and more movement on this.

No comments: