Adrian Weckler: Privacy is not dead yet as Europe gives the US an ultimatum on spying
Change your laws or we'll change ours: Internet giants could soon face sanctions as the European Commission stands up for the little people on phone-tapping.
Published 28/11/2013 | 16:36
MIGHT Google and Facebook soon start facing big fines in Ireland? Yesterday, the European Commission put a gun to the head of big US companies in Europe. It said that unless the US government changes its phone-tapping ways, Facebook, Google and other big firms here will have screws turned on them.
It said that it will do this by imposing much stricter data privacy laws on the US firms, via suspension of the 'Safe Harbour' rule which allows US firms here to transfer data back to the US. Ultimately, that would mean large, ongoing fines on the companies here if current practices are maintained.
It's a pleasantly surprising intervention. Most people assumed that American and British secret services could just tap internet and phone lines with impunity. (Our own Taoiseach has indicated as much.) But there are some advantages to being an unelected body. One is that you don't give a damn about realpolitik rules which, in this case, dictate that European governments button it over their citizens' emails being tapped by the US.
And unlike government ministers fudging positions at 'European Presidency Summits', these threatened measures will actually happen. (It's a lesson Microsoft learned the hard way -- to the tune of 1pc of its annual revenue in fines -- earlier this year.)
Arguably, none of this is the fault of Google or Facebook. Each merely hands over information to the US authorities according to the law there. But do they facilitate wider US intelligence data hacking, as was alleged in the leaked documents revealed by the NSA whistle-blower Edward Snowden? Probably not, if you subscribe to the theory put forward by Ireland's Data Commissioner Billy Hawkes. That theory runs as follows: because the NSA, CIA and other intelligence agencies are so advanced in their hacking technologies, it is not reasonable to expect Facebook, Google and others to be able to protect against them. Thus, they are not breaching any enforceable duty of care to European users.
But this new diktat from the European Commission gets around the Catch-22 quite nicely. It's giving the US government an ultimatum: change your laws or we'll change ours.
So who stands to lose? Facebook, Google, Twitter and LinkedIn are the low-hanging fruit for the European Commission. But there are much bigger fish hovering over the frying pan, too. Apple is currently undergoing a major privacy audit by the Irish Data Protection Commissioner. It would presumably be in the firing line. (When it comes to fines, 1pc of Apple's annual revenue is over €1bn.)
In fact, any firm that sends personal data from the EU to the US is now in the European Commission's crosshairs.
"The personal data of EU citizens sent to the US under Safe Harbour may be accessed and further processed by US authorities in a way incompatible with the grounds on which the data was originally collected," said a Commission document on the matter, revealed first by 'The Financial Times' earlier this week. "The Commission has the authority to suspend or revoke the Safe Harbour decision if the scheme no longer provides an adequate level of protection."
What this would effectively mean is that Facebook, Google and other organisations would have to set up completely new companies within the EU and without the ability to send personal data to the US.
Don't bother asking any Irish government official about this, by the way. For (understandable) geopolitical and economic reasons, they can't be seen to lead on the matter. In fact, they don't really want to be quoted at all on it. Even when informed that his own phone calls, texts and emails were likely tapped by American agencies, Taoiseach Enda Kenny effectively shrugged his shoulders.
And while all of this will be applauded in countries such as Germany, which takes data protection seriously, in Ireland the only weighty consideration is whether it will affect investment.
Quite simply, most people here do not care about data protection. Tell someone their account has been hacked and they'll perk up. But tell them that data protection issues have been violated en masse by a corporation and they'll merely tut, assuming it's a technical standard that probably won't affect their real lives. Others here don't even get that far: they simply glaze over when 'data protection' or 'data privacy' crops up as a topic, regarding it as a topic for sticklers and nerds. Here, they are largely at one with our elected representatives.
Irish businesses are also largely blasé about data protection issues. The most recent widescale survey of senior IT managers in large Irish companies and public sector bodies indicated that 40pc of firms have had at least one data breach in the last year.
Nevertheless, privacy is not totally dead yet, despite what Facebook's Mark Zuckerberg, the CIA and Ireland's Taoiseach tell us. It's a pity that it has taken an unelected body like the European Commission to stand up for us.