U.S. troops being yanked out of Germany. A brewing trade war over digital tax. Now add this to the list of issues dividing Europe and the United States: a looming clash over privacy.
As the EU touts the “success” of its flagship privacy law, the General Data Protection Regulation (GDPR), Donald Trumps administration is ramping up attacks on a system it says provides cover to cybercriminals and threatens public health.
In an interview with POLITICO, U.S. Deputy Assistant Secretary of State for Cyber Rob Strayer said he is raising concerns about the GDPR with counterparts in Brussels and EU capitals as a “top diplomatic issue.”
His lobbying focuses on “fixing interpretations” of the GDPR which he and several other parties, including EU law enforcement officials, said are protecting online scammers and fraudsters at a time of exploding cybercrime linked to the coronavirus pandemic.
“We do have serious concerns about its [the GDPRs] overly restrictive implications for public safety and law enforcement,” said Strayer, who was at the forefront of efforts to convince EU allies they should dump Huawei from their 5G rollout plans. “We definitely find that divergent interpretations [of the law] are also an issue, chilling some of the commerce that could be taking place.”
“All of this has been a frustration for two years that has been building and building” — Sean Heather, from the U.S. Chamber of Commerce
U.S. objections to the GDPR, which came into effect just over two years ago, are hardly new. Silicon Valley giants lobbied energetically against a law that many U.S. players said was a tool designed to limit the power and wealth of Silicon Valley giants like Google and Facebook.
Many of those arguments — namely, that the GDPR has rendered a database of domain name owners, WHOIS, far less effective in tracking down suspected cybercriminals — are the same today as they were two years ago.
Yet in the past few weeks, as EU privacy watchdogs wrapped up their first major probes into U.S. companies and Google lost an appeal against a €50 million fine in France, the criticism from Washington has grown more fervent, and a lobbying campaign has gotten underway in the U.S. to push back against the effects of the GDPR at home.
For now, the pressure is unlikely to trigger anti-GDPR action from the Trump administration — as the president is consumed by his reelection campaign.
But all of that could change this summer, when a Court of Justice of the European Union ruling could put privacy right back at the center of transatlantic tensions.
The ruling, expected mid-July, could find that heaps of data transfers from the EU to the U.S. are not legal under Europes privacy laws, putting billions of euros in digital trade at risk. Washington — for the second time — will face pressure to beef up privacy protections to keep doing business with the EU.
Thats a worrying prospect for Washington, one that would be “so detrimental” to transatlantic trade, according to Strayer. “One thing were really pushing is concerns about these ECJ cases,” he said about recent discussions with the European Commission and various agencies.
Privacy vs. law enforcement
At the heart of the issue for many U.S. critics of the GDPR is the WHOIS database, an online directory created in the 1970s, which became an important tool for global law enforcement agencies fighting cybercrime.
It has also come under fire over a lack of privacy protections.
GDPR critics say the rules have made it harder to identify cybercriminals. Before the law came into effect in May 2018, they could issue a request via WHOIS to identify the owner of a domain name in a process that many say was simple and straightforward.
After the law came into effect, however, it became much more complicated. Registrars — the entities that control domain names — became concerned that, if they complied with such requests, they could be sued for privacy violations under the GDPR. In many cases, law enforcement officials had to ask a judge to validate the request, a process that one EU law enforcement official said is “very slow” and “not effective.”
U.S. Vice President Mike Pence | Michael Reynolds/EPA
In February, a Republican Congressman introduced a bill to the House of Representatives demanding that domain name information be made readily accessible via WHOIS. Two months later, a group of 40 companies, trade associations and interest groups wrote to Vice President Mike Pence urging him to force internet registrars to identify cybercriminals for law enforcement purposes.
Critics say that EU privacy authorities need to address the problem by creating an exception in the GDPR for law enforcement. They also complain that, despite numerous letters addressed to the European Data Protection Board (EDPB) over the past two years, the law around domain name requests remains unclear.
Asked about such complaints, a spokesperson for the EDPB, an umbrella group of privacy watchdogs, referred POLITICO to a letter from 2018 in which the bodys chief argued that contact information for the holders of domain names need not be made available by default under GDPR.
Further correspondence from the U.S. was “for information only” and did not warrant a response, the spokesperson added.
Multiple parties, including ICANN, the nonprofit that maintains the WHOIS database, and law enforcement agencies around the world, have called for WHOIS to be replaced by a more privacy-friendly system that would provide the same functionality for cybercrime investigators.
In conversations with POLITICO, a range of critics including the U.S. Chamber of Commerce and two European law enforcement officials said that EU data protection authorities are refusing to clear up legal confusion about who could lawfully use such a system and under what conditions.
“All of this has been a frustration for two years that has been building and building,” said Sean Heather, senior vice president for international regulatory affairs at the U.S. Chamber of Commerce. “The Europeans should make clear thaRead More – Source