“Your objective is to make Europe a world leader in information and communication technology, with all the tools to succeed in the global digital economy and society. […] To do so, we will need to break down national silos in telecoms regulation, in copyright and data protection legislation, and in the management of radio waves.”

September 29, with its long nomination hearings in front of the European Parliament’s (EP) committees, was a busy day for Guenther Oettinger, the energetic German EU Commissioner. He is slated to become the new Commissioner Digital Economy & Security, picked by Jean-Claude Juncker to become a member of “my winning team.” Juncker is the new President of the European Commission (EC) and the respected former prime minister of Luxembourg. In total there are twenty-eight Commissioners, one for each EU member state. They may take over the EC’s business as early as November 1. MEP Jan Philipp Albrecht, also a German (Green Party) member and an outspoken data protection advocate, alleged that Juncker committed a “fatal mistake” by nominating Oettinger. Albrecht warned that Oettinger risks being “crushed” by his new portfolio. He added that Oettinger is a “man with absolutely no previous experience.” Other commenters mocked Oettinger’s nomination as picking “a new screen protector for Brussels.” Speaking in German throughout the three-hour EP hearings, Oettinger was grilled on various IT-related topics and struck an industry-friendly tone, stating that “Investment in ICT [digital] infrastructure is the key to growth.” These infrastructure investments, in particular in rural areas, are as important as investing in roads and electricity grids.

He may surprise his critics. If confirmed, this will be his second term as EU Commissioner. Oettinger has been the EC’s Commissioner for Energy Matters and is well connected in Brussels and with the Chancellery in Berlin. His skillful negotiations with the EU utilities over the last few years have cemented his reputation of a pragmatic, brainy manager, hard-working, ready to tackle new issues. His managerial skills were on display during the recent EU dispute with Russia about natural gas deliveries and Putin’s threats. In addition, Oettinger stems from an area in Germany where the German software giant SAP, as well as many other high tech companies, are rooted. So are other German global industry players, such as Mercedes-Benz and Bosch. Therefore, IT issues, such as the digitalization of the car industry, are significant to him. He already said that he is in favor of a strong EU player and knows a lot about grids. However, he will not be the only Commissioner driving the ball forward.

New Faces from Different Countries

Juncker’s “winning team” includes prime ministers, foreign ministers, finance ministers, or well-known MEPs, rather than EC bureaucrats. This is a substantial novelty. EC vice presidents already existed, but hitherto they were mostly symbolic. They could now hold real power, although Juncker insists that the new six vice presidents are not the bosses of the other Commissioners, but mere “coordinators.” One powerful new player in Juncker’s team is Estonia’s Andrus Ansip, the country’s former prime minister, who will become a the new EC vice president in charge of the digital single market and, in this function, Oettinger’s boss. Ansip’s country is technology-savvy: citizens vote online, it is also the birthplace of the communication service Skype. As guidance, Juncker wrote individual “mission letters” to each of the nominated commissioners that have been published. Ansip’s letter makes it clear what Juncker expects from him:

“Your objective is to make Europe a world leader in information and communication technology, with all the tools to succeed in the global digital economy and society. […] To do so, we will need to break down national silos in telecoms regulation, in copyright and data protection legislation, and in the management of radio waves.”

~ Mission Letter from Jean-Claude Juncker to Andrus Ansip (pdf)

Interestingly, the mission letters of other designated EU Commissioner also mention privacy issues. Vĕra Jourová (Czech Republic) is Juncker’s Commissioner-designate for “Justice, Consumers and Gender Equality.” Her mission letter states:

Contributing, as part of the project team steered and coordinated by the Vice President for the Digital Single Market, to the realisation of a connected digital single market by ensuring the swift adoption of the EU data protection reform and by modernising and simplifying consumer rules for online and digital purchases.

Mission Letter from Jean-Claude Juncker to Vĕra Jourová (pdf)

Another new Commissioner-designate with whom the U.S. government and the U.S. companies in the digital and social media sector should reckon is Margrethe Vestager, representing Denmark. Her portfolio is competition and antitrust and her Directorate General (DG), Competition, is arguably the most powerful within the EU Commission as it can impose huge penalties for foul play. Cecilia Malmström (Sweden), the old and probably new Commissioner for Trade, will complete the Juncker team for data protection matters. She has already been heavily involved in the Transatlantic Partnership (TTIP) negotiations, but she came under a lot of fire from the EP during the committee hearings for not defending EU interests vigorously enough. Her mission letter states:

Working towards a reasonable and balanced Transatlantic Trade and Investment Partnership with the United States of America, which neither threatens Europe’s safety, health, social and data protection standards, nor jeopardizes our cultural diversity. I will ask you to enhance transparency towards citizens and the European Parliament during all steps of the negotiations. Our aim must be to conclude the negotiations on a reciprocal and mutually beneficial basis.

Mission Letter from Jean-Claude Juncker to Cecilia Malmström (pdf)

The widely shared expectation in Brussels is that the new Commission will be approved. The EP can only reject the new Commission as a whole. However, it remains unclear who will actually perform the concrete tasks in the Juncker team. From the German perspective: How significant will Oettinger’s role be as a driver of the data protection reform, given his close—albeit sometimes strained—relationship with Chancellor Angela Merkel and her staff? For instance, will Juncker and his cabinet claim the last word when it comes to important privacy/data protection matters? Or will it be a team effort? How will the national governments, through their new Commissioners, influence the process? If the new EU Commissioners, most of them with own distinguished political careers, stand tightly together, it will difficult for the EU Council, the body representing the national governments, to derail the EC’s projects.

EU Council Likely Has the Last Word

Pressure from the EU Parliament on the EC to wrap up the data protection reform is mounting, patience runs short, and Juncker is well aware of it. Last week, parliamentary delegations from sixteen different EU member states assembled in Paris called upon the EU bodies to speed up the process. The European Parliament’s position is firm: The legislative package containing one directive and one regulation, proposed by the EC in January 2012, was adopted at first reading in the European Parliament in March 2014. The scope of the reform goes far beyond the scandal surrounding the U.S. cyber espionage programs, namely PRISM. The reform package contains an arsenal of measures to protect the personal data in the EU. Prominently, any company sending personal data outside the European Union without permission could face a significant fine of €100 million or 5 percent of their global revenues. One article in the reform package stipulates that requests from administrative or judicial authorities from third countries—notably from the United States—for access to the personal data of European citizens held by European companies would require prior approval by the member states’ national data protection authorities. Another section covers the hotly debated “right to be forgotten.” Data subjects may demand that their personal data be purged—a concept that the European Court of Justice endorsed earlier this year in a landmark ruling on search engines. Other parts of the reform package broaden the concept of having mandatory data protection officers (DPO) in each major company. Their mission is to monitor the data protection within the company and work with the relevant data protection authorities. German companies are already very familiar with the DPO concept—many other EU member states are not.

While there is broad consensus on those parts of the legislative package, other provisions of the data protection reform are still the subject of heated debate between the EU institutions and industry. One bone of contention is the concept of a “one-stop-shop,” whereby a service provider would be able to locate its headquarters in a country to be monitored by the local data protection agency—and not by twenty-six other agencies—has triggered criticism because this could lead to legal cherry-picking. For instance, a Belgian MP recently stated “if a Belgian complains of their personal data being abused in another EU country, they should be sure that this country shares the same values as their own.” She refers to a scenario that a U.S. company with business in the EU will register in Ireland, a popular place for this purpose. Ireland is known to be less rigid than, for instance, Belgium or France. Another issue the reform must address, in particular in Germany, is the fear that the new European data protection law may offer less protection than under the existing national legislation. “The new European framework should not lead to a reduction of existing protection in any of the different member states,” the representatives stressed in their Paris declaration. In any event, the reform package will not advance if the EU Council, the body representing the member states, does not approve it—and Germany is concerned that the reform in its current form will actually lower or dilute the national data protection standards for Germans.

Domino Theory

Other than dealing with new faces, ambitious EC mission letters, and internal EU quarrels—what does this complex scenario in Europe mean for the United States? On the economic level, U.S. companies want clear-cut rules that further investment and innovation. It is difficult for U.S. company to adjust their business model to the sometimes more rigid EU standards. On the political level, there are concerns in Washington about a domino theory. The suspicion is that the EU is trying to impose its concepts of privacy beyond the EU’s borders, such as by granting countries that comply with the high EU standards “adequacy” status. This would force U.S. businesses to follow the EU rules on a global scale. The French Council of the State (Conseil d’État) recommends vesting EU law with the “right to the international policing of international privacy law,” with the aim of ensuring the primacy of European law over foreign contractual law. The “adequacy” issue needs to be discussed. The United States and the EU also need to take stock of legal instruments that have worked, such as the widely used EU data transfer model clauses, and others that have not or are outdated, such as many of the Mutual Legal Assistance Agreements (MLATs) with EU member states. Many observers believe that these MLATs, based on the principle that the location of the data triggers jurisdiction over it, are is not up to the task to prosecute savvy criminals. There are also judicial proceedings and practices that both sides need to watch closely, such as a court proceeding concerning the access of the U.S. government to specific information that is stored outside of the United States. A civil case lodged in the Southern District of New York on this issue is currently pending on appeal. The forthcoming months will show whether Juncker’s “winning team” will score points and reach mutually acceptable compromises with their U.S. counterparts.

Dr. Axel Spies, Bingham McCutchen, Washington, DC