Billions of euro worth of transatlantic trade took another giant step towards an economic cliff's edge this week, thanks to a swift and spectacularly stupid vote by the US Congress.
Though the new US legislation – which only awaits a virtually guaranteed presidential signature – involves US consumers and companies, the implications are sure to reverberate in Europe. The adequacy of the transatlantic data exchange agreement Privacy Shield, the increasingly thin tissue allowing the ubiquitous data exchanges underpinning transatlantic trade, comes under hard scrutiny in June when it is up for formal re-evaluation.
Yet on Tuesday, the Republican-party-dominated Congress voted to wipe out important Obama-era privacy protections on personal data, ranging from sensitive medical and financial information to, apparently, even the content of emails and online chats, according to Motherboard.
Such data from the internet browsing history of customers may now be sold on to third parties by internet service providers in the US. These companies, including Verizon, Comcast and AT&T, have millions of subscribers between them.
This reverses Federal Communications Commission (FCC) protections intended to fill a critical gap existing between privacy rules that could be enforced by the Federal Trade Commission (FTC) and companies that may not fall under the FTC's regulatory remit, because of a 2016 US court decision regarding the "common carriers" designation (https://arstechnica.com/tech-policy/2017/03/isps-cheer-pause-of-rule-that-guards-private-data-from-security-breaches/).
And not only reverses them, but does so in a particularly malevolent way. Apparently it wasn't enough to take the normal route of bringing forward a standard Bill. Instead, the GOP, acting on a proposal from Rep Marsha Blackburn, a Tennessee Republican who has received significant donations (over half a million dollars) from ISPs (http://www.vocativ.com/415350/house-rep-pushing-to-set-back-online-privacy-rakes-in-industry-funds/), passed the law as a resolution.
Protection gone
A resolution bars the FCC from ever introducing such protections for consumers again. Full stop.
The Republicans, in this almost entirely partisan vote done quietly on Tuesday, argued that they wished to “streamline” all US internet privacy regulation under the FTC, rather than have it split between the FCC and the FTC.
But privacy protections are sure to be watered down by this deceptive hogwash. First off, ISPs are designated common carriers in the US, and common carriers cannot be regulated by the FTC.
As the Washington Post noted: "Tuesday's vote may release internet providers from the FCC's privacy regulation, but the FTC would also be unable to enforce its own guidelines on the industry without new authority from Congress." Such authority is unlikely.
The FTC also does not view data generated from browsing history, or from using apps, to be in need of privacy protections.
So we can all see where this “streamlining” is heading. Data belonging to individuals will not be within their control but instead be a cash cow fully owned and controlled by internet service providers, including cable companies. And US consumers have little opportunity to move to a more privacy-friendly internet provider, as many regions see just one or two big name operators supplying services.
So, this vote is an alarming own-goal on two fronts. First, it affects and damages all US citizens who, in repeated surveys, have expressed concern about corporate use of just this type of sensitive information. By Wednesday morning, even the comments section of ultra-right wing website Breitbart was full of angry Trump and GOP supporters outraged by the new law.
Second, this vote cannot but be seen in Europe as yet further damning proof that the US, in between lax corporate scrutiny and weak oversight of its spy agencies’ surveillance activities, takes a cavalier approach to online privacy.
Privacy Shield
That makes it increasingly ludicrous for US negotiators to argue – as they have on behalf of Privacy Shield – that the data of Europeans somehow will be given extra, EU-adequate protections once it journeys into US servers. Especially so, as Trump has already sent many mixed messages, from an administration that now supports warrantless border searches of any traveller’s personal devices.
Complicating matters ahead of the formal Privacy Shield review, a decision is shortly due in the Irish Data Protection Commissioner’s case on the adequacy of private model contracts for transatlantic data transfers (stemming from Max Schrems’s case over Facebook’s handling of his data). These contracts have been touted as an option providing protections similar to Privacy Shield.
And Digital Rights Ireland is awaiting a decision on whether it may proceed with a direct European court challenge on the adequacy of Privacy Shield.
US and EU negotiators must be feeling queasy.
So too, should every European government and company.
If neither Privacy Shield, nor model contracts, are deemed adequate for transatlantic data transfers, what then? Look over that cliff edge. You won’t see a plan B.