A Privacy Regulation Food Fight

The EU is crafting rules to “better fight crime and terror.”  Earlier, the EU had tightened rules governing the EU peoples’ private information, and some EU nations are preparing their own versions of privacy protections.  Last week, the US Congress repealed Federal Communications Commission (FCC) rules governing internet service provider (ISP) use of consumers’ browsing history.  Countering the federal action, Minnesota is working on a law that approximately replaces the FCC’s repealed rules.  Harmony between the regulations adopted by the EU and those in place within the USA is important for economic reasons.  Without a concerted effort on both sides of the Atlantic, growing discord is more likely.

The EU especially wants cloud access for law enforcement and national security agencies probing for evidence of criminal activity.  In the EU, current investigations require a lengthy slog for law enforcement due to complex administrative and court procedures.  The EU wants speedy access allowing evidence collection before it is deleted by the perpetrators or the cloud service provider.   

The recent terror attack near UK’s parliament prompted fresh complaints over What’s App’s encryption of consumer communications because it blocks law enforcement’s timely access to the content in terrorist messages.  A year ago, means to break encryption had been considered for inclusion in the UK’s intelligence agency (GCHQ) surveillance authority (the so-called Snooper’s Charter), but that was omitted due to activist objections.  Today, the public climate in the UK may have tilted toward approving wider snooping tools for law enforcement, possibly including a means to read encrypted messages sent among terror suspects.  On-demand decryption may be wishful thinking.

Compliance with the obligation for internet edge providers to quickly remove hate or terrorist speech has not met the EU’s expectations.  Germany in particular plans to levy fines up to $53 million for internet sites that fail in compliance.  Law enforcement access, encryption, and rapid takedown of hate speech will be considered by the EU’s Executive body starting I June 2017.  The Executive body will need to wrestle with many individual EU nations’ homegrown obligations for monitoring and removal of “hate, crime and terror” messages that European persons can see on the internet.  Regulations that apply uniformly across all EU nations must be the goal.  However, this will require reconciling disparate public attitudes.  It is unclear that the EU might reach such a consensus.

Any EU law that governs what European persons can see on the internet (e.g., hate speech or information covered by “the right to be forgotten”) is likely to be felt in the USA.  US web site operators could make it difficult for EU consumers to reach the US versions of US sites.  That effort might make compliance with the EU’s law possible but it would be costly.  The extra effort directing traffic by country of origin and maintaining slightly different copies of each web site means higher costs for US operators.

US first amendment rights will play a role in what information or speech can be suppressed by US laws and regulations.  It seems our first amendment rights do not align well with the EU individual’s rights and exceptions to the rights.  Still, there are issues beyond cost and our first amendment.

A huge motivation for the US to harmonize privacy regulations with those of the EU is the Privacy Shield agreement that permits the flow of consumer data between the EU and the US.  That flow is an essential pre-condition for the US exports of high tech software and services.   Before engineering compliance with the EU’s new regulations for law enforcement access, individual privacy arrangements and fast take down, US edge providers and internet service providers need a stable set of US regulations that could meet Privacy Shield requirements.

The Congress recently stripped FCC’s ISP privacy regulation slated for effect in December 2017.   The Federal Trade Commission (FTC) already had regulations in effect that govern consumer privacy in the operation of edge providers and most of US industries.  Including ISPs in those obligations would make more sense than creating another set of idiosyncratic regulations administered by the FCC, an agency with little experience in internet privacy.

Unfortunately, the US regulatory scene just gets more challenging.  As noted earlier, the state of Minnesota is headed toward adopting its own consumer internet privacy rules, similar to those removed by congress from the FCC’s regulatory basket.  Other states may follow.  The chance of uniformity among state-level internet privacy rules is slim.  We see similar outbursts of state-peculiar regulation of commerce.  It is doubtful that each state has a unique and better insight on how to regulate ISPs, telephone companies, manufacturers, insurance companies, cosmeticians, physicians, etc.  The only credible excuse supporting unique regulations within each state is tax collection.  While state-by-state control over slivers of commerce may be a state’s right, it makes no sense.  It might play well with local voters, but it is expensive, inefficient, and it inhibits the free flow of commerce.

Consumers need this chaos fixed because it can impair their ability to earn a good income, and if done badly, it can make their internet experience tedious, expensive and unpleasant.  The first challenge for the EU is to get a privacy consensus among its nation-states that has a good chance of passing muster with the US views on consumer rights.  The first challenge for the US is to push for unified regulation of consumer internet privacy that could also pass muster with the EU.

Reaching that platform for one-on-one negotiation will require the EU and the US to pick a balance between safety and privacy, and we cannot demand a full quantum of each.  The sides will need to wear down loud privacy and law enforcement proponents.  There will be distractions such as Brexit, trade negotiations, and NATO that slow progress on privacy.  The EU and the US cannot expect a privacy accord without significant effort and compromise by senior leaders.

FacebooktwitterredditlinkedinFacebooktwitterredditlinkedin