U.S. troops being yanked out of Germany. A brewing trade war over digital tax. Now add this to the list of issues dividing Europe and the United States: a looming clash over privacy.
As the EU touts the “success” of its flagship privacy law, the General Data Protection Regulation (GDPR), Donald Trump’s administration is ramping up attacks on a system it says provides cover to cybercriminals and threatens public health.
In an interview with POLITICO, U.S. Deputy Assistant Secretary of State for Cyber Rob Strayer said he is raising concerns about the GDPR with counterparts in Brussels and EU capitals as a “top diplomatic issue.”
His lobbying focuses on “fixing interpretations” of the GDPR which he and several other parties, including EU law enforcement officials, said are protecting online scammers and fraudsters at a time of exploding cybercrime linked to the coronavirus pandemic.
“We do have serious concerns about its [the GDPR’s] overly restrictive implications for public safety and law enforcement,” said Strayer, who was at the forefront of efforts to convince EU allies they should dump Huawei from their 5G rollout plans. “We definitely find that divergent interpretations [of the law] are also an issue, chilling some of the commerce that could be taking place.”
U.S. objections to the GDPR, which came into effect just over two years ago, are hardly new. Silicon Valley companies lobbied energetically against a law that many U.S. players said was a tool designed to limit the power and wealth of giants like Google and Facebook.
Many of those arguments — namely, that the GDPR has rendered a database of domain name owners, WHOIS, far less effective in tracking down suspected cybercriminals — are the same today as they were two years ago.
Yet in the past few weeks, as EU privacy watchdogs wrapped up their first major probes into U.S. companies and Google lost an appeal against a €50 million fine in France, the criticism from Washington has grown more fervent, and a lobbying campaign has gotten underway in the U.S. to push back against the effects of the GDPR at home.
For now, the pressure is unlikely to trigger anti-GDPR action from the Trump administration, as the president is consumed by his reelection campaign.
But all of that could change this summer, when a Court of Justice of the European Union ruling could put privacy right back at the center of transatlantic tensions.
The ruling, expected mid-July, could find that heaps of data transfers from the EU to the U.S. are not legal under Europe’s privacy laws, putting billions of euros in digital trade at risk. Washington — for the second time — will face pressure to beef up privacy protections to keep doing business with the EU.
That’s a worrying prospect for Washington, one that would be “so detrimental” to transatlantic trade, according to Strayer. “One thing we’re really pushing is concerns about these ECJ cases,” he said about recent discussions with the European Commission and various agencies.
At the heart of the issue for many U.S. critics of the GDPR is the WHOIS database, an online directory created in the 1970s, which became an important tool for global law enforcement agencies fighting cybercrime.
It has also come under fire over a lack of privacy protections.
GDPR critics say the rules have made it harder to identify cybercriminals. Before the law came into effect in May 2018, they could issue a request via WHOIS to identify the owner of a domain name in a process that many say was simple and straightforward.
After the law came into effect, however, it became much more complicated. Registrars — the entities that control domain names — became concerned that, if they complied with such requests, they could be sued for privacy violations under the GDPR. In many cases, law enforcement officials had to ask a judge to validate the request, a process that one EU law enforcement official said is “very slow” and “not effective.”
In February, a Republican Congressman introduced a bill to the House of Representatives demanding that domain name information be made readily accessible via WHOIS. Two months later, a group of 40 companies, trade associations and interest groups wrote to Vice President Mike Pence urging him to force internet registrars to identify cybercriminals for law enforcement purposes.
Critics say that EU privacy authorities need to address the problem by creating an exception in the GDPR for law enforcement. They also complain that, despite numerous letters addressed to the European Data Protection Board (EDPB) over the past two years, the law around domain name requests remains unclear.
Asked about such complaints, a spokesperson for the EDPB, an umbrella group of privacy watchdogs, referred POLITICO to a letter from 2018 in which the body’s chief argued that contact information for the holders of domain names need not be made available by default under GDPR.
Further correspondence from the U.S. was “for information only” and did not warrant a response, the spokesperson added.
Multiple parties, including ICANN, the nonprofit that maintains the WHOIS database, and law enforcement agencies around the world, have called for WHOIS to be replaced by a more privacy-friendly system that would provide the same functionality for cybercrime investigators.
In conversations with POLITICO, a range of critics including the U.S. Chamber of Commerce and two European law enforcement officials said that EU data protection authorities are refusing to clear up legal confusion about who could lawfully use such a system and under what conditions.
“All of this has been a frustration for two years that has been building and building,” said Sean Heather, senior vice president for international regulatory affairs at the U.S. Chamber of Commerce. “The Europeans should make clear that this [identifying suspected cybercriminals] is not a violation of the GDPR,” he added.
In response to such critiques, EU privacy officials said it is up to legal authorities in member countries to respond to law enforcement requests to identify domain name owners, and that no change to the GDPR is planned.
The European Commission’s own evaluation report of the law, released June 24, also did not mention the WHOIS database as an issue.
But such responses have not satisfied critics who argue that the EU is failing to take steps that would help investigators clamp down on a major surge in online criminal activity, including phishing attacks that take advantage of health fears linked to the COVID-19 crisis.
“The GDPR makes it much more difficult to identify people,” said Dennis Dayman, a cybersecurity expert and member of M3AAWG, an international tech forum that works to reduce the threat of online attacks. “That is a big problem at a time when we are seeing an increase in phishing attempts, a lot more blocking on IP addresses because people are at home.”
Dayman and other U.S. parties said they would prefer to avoid any sort of high-level clash over the GDPR, as such a clash would only undermine the internet’s global nature. The fact that European law enforcement agents shared their concerns about domain names and cybercrime would help to speed up the development of a new database, they said — a point corroborated by EU security officials.
Meanwhile, though, the gulf between the two sides seems to be growing wider. In response to a consultation on the GDPR launched by the European Commission, the U.S. Mission to the European Union wrote in April “that the application of the GDPR is creating significant risks for public safety, both for the citizens of the EU and for citizens worldwide.”
The harsher tone hints at growing concern over GDPR that goes beyond the WHOIS matter, to the perceived risk that EU privacy poses to U.S. interests abroad.
If the CJEU delivers another blow to transatlantic data flows in July, the tensions could reach a breaking point — resulting in even greater disparities between Europe and the United States over privacy.