Crisis of Command
America’s Broken Civil-Military Relationship Imperils National Security
The modern innovators of Internet human rights are not U.S. leaders or bold Silicon Valley entrepreneurs. They are stodgy bureaucrats, politicians, and lawyers in Brussels, Berlin, and Strasbourg. As the National Security Agency (NSA) and American firms have relied on sucking up massive amounts of data to observe citizens and create and serve consumers, the European Union has fought to establish privacy rights. Over the last ten years, however, the EU initiative seemed to be on the ropes as the United States pressed Europeans to water down their privacy protections in a number of key sectors. But now, the tables are turned.
This month, the European Court of Justice, Europe’s closest equivalent to the Supreme Court, ruled that Google must delete search results linked to the name of a Spanish citizen that the citizen had found outdated and upsetting. The ruling obliges Google and other Internet firms to respect a limited version of the “right to be forgotten” -- the right to have certain kinds of information, such as former debts or inappropriate photos, removed from the public sphere. In its most extreme form, an individual could request that search engines remove all links to their name, making them virtually anonymous in the Internet. The right to be forgotten will be enforced by national data protection authorities, for example by the Federal Commissioner for Data Protection and Freedom of Information in Germany or the Information Commissioner in the United Kingdom.
The ruling could transform e-commerce and privacy in the digital age. To begin with, the European Court of Justice has challenged the very business model of U.S. e-commerce firms, which use vast pools of personal data to sell ads and model consumer behavior. After the ruling, doing so will become increasingly difficult in the important European market. Facebook alone booked nearly $500 million in ad revenue in Europe in the third quarter of 2013, making it the second biggest market after North America. With the rise of privacy concerns in Europe, companies such as Runbox, a Norwegian-based email hosting firm that puts a premium on privacy, have already seen a spike in users. At the same time, non-U.S. cloud computing firms have cancelled ten percent of their contracts with U.S. firms over privacy concerns.
Americans -- who usually prize free speech over privacy -- may find this turn of events upsetting. European officials can now tell U.S. businesses -- and Washington -- what information they can and cannot disseminate about European citizens. Yet Americans’ reflexive distaste for speech regulation should not blind them to realities. First, free speech isn’t what it used to be: U.S. courts are increasingly redefining it as a right to corporate bad behavior, striking down economic regulation in the name of free speech. Second, Europeans have legitimate human rights concerns. As technology expert Bruce Schneier has warned, surveillance is the business model of the Internet, and Europeans have no choice but to reshape this business model to accommodate individuals’ privacy rights, if those rights are to have any meaning.
If the ruling is a European overreaction, as Google Executive Chairman Eric Schmidt has argued, it is the child of U.S. overreach. The European Court of Justice’s newfound activism is just one of a broader set of European initiatives that push back against U.S. surveillance practices. The European Union is set to introduce new legislation in late 2014 that will formalize the right to be forgotten and impose massive fines on firms that do not comply with EU law. It is almost certain to restrict the existing “safe harbor” arrangement, in which U.S.-based multinationals may transfer data out of Europe and thus create global consumer profiles to avoid investing in redundant data storage facilities. Finally, the EU is pushing the United States to introduce safeguards against NSA collection of data on European citizens.
This time, Washington and its business allies cannot compel Europe to simply submit to U.S. values and interests, as they have in the past to great effect; such as when they pressured European airlines to hand over passenger data for European travellers or European banks to do the same for international money transfers after 9/11. In fact, they now have relatively few ways to influence Europe’s national privacy authorities, and even fewer ways to pressure the European Court of Justice. They may be able to influence forthcoming legislation, but they will not be able to overturn it. Nor can the United States rely on moral force. It is no longer the acknowledged protector of civil liberties on the Internet. To maintain legitimacy, it has to engage with other states that have valid, if different, civil rights concerns.
Rather than simply demanding information exchange, the United States must favor respectful conversation with Europe about how best to balance free speech and privacy rights. This means, first of all, that the United States needs to do better itself. If its government and industry genuinely respected consumer privacy, rather than just paying lip service to it, Europe would be far likelier to implement its new laws in carefully targeted ways; limiting, for example, the right to be forgotten to factual errors and information from the distant past or about one’s childhood. The United States should therefore introduce new binding rules to protect the privacy of both U.S. and European consumers -- for example introducing national data breach legislation, increasing the authority of the Privacy and Civil Liberties Oversight Board to include the private sector, and expanding the jurisdiction of the Privacy Act to cover non-citizens -- and make real concessions on the surveillance of its allies.
Equally, Europe needs to recognize that overly sweeping privacy regulation would hurt free expression as well as U.S. business interests. Not only U.S. firms, but the European media was alarmed by Tuesday’s ruling, which may make it harder to report on the misdeeds of the powerful. The Internet rights conversation is no longer a monologue but an argument between competing visions of privacy in a digital age.