German and U.S. Approaches to Protecting Privacy and Information

March 12, 2014

AGI held a transatlantic cyber dialogue on March 12, 2014 to address the core challenges that have grown out of the debate on data privacy and security this past year. The meeting included experts from government, business, and civil society from both Germany and the United States.

Summary

Cyber issues have been brought to the forefront by Edward Snowden’s release of classified National Security Agency (NSA) documents last year that described various surveillance activities, including the collection of information from Chancellor Angela Merkel’s cell phone. These revelations have strained the relationship between the two countries and have sparked an emotional debate.

The discussion showed that U.S. and German governments and businesses alike are struggling to balance privacy demands with the opportunities and risks associated with the exponential increase in internet users and the ever-expanding flow of data between states. Some reports estimate more than a 30 percent increase in global data traffic every year. Meanwhile, civil society actors have also struggled to clearly articulate the problems and costs associated with this rapid change and its impact on privacy.

This is not just a German-American problem, but both countries are crucial to addressing it—even though they have different privacy regimes and traditions. The workshop participants showed that a lot of trust has been lost (“friends do not spy on friends”), especially in Germany, and that it will take a long process for the United States to regain this trust. Europeans clearly expect “something” for the apparent violation of their privacy, such as the revision of the U.S.-EU Safe Harbor framework. Yet this will not necessarily lead to a transatlantic “grand bargain.”

Data Privacy, Protection, and Regulation

The NSA’s phone tapping program brought to light by Edward Snowden seemed to have surprised European officials, who were unable to explain why the United States would deceive its allies. Further infuriating many Germans and other Europeans has been the Obama administration’s slow response and the limited communication across the Atlantic on the topic. As a result, the public debate that has ensued has confused a number of issues and led to heightened expectations about what can be achieved.

One of the first issues discussed at the workshop was whether the U.S., Germany, and the EU can come to a broad agreement on privacy regulation. The answer was probably “no.” In the United States, data is seen as a commodity once an individual releases their information into the public domain. Privacy as a concept is mainly used to avoid intrusions by the government under the Fourth Amendment. In contrast, Germany defines privacy (“data protection”) as a right that the government must protect under the Constitution (Basic Law)—even between companies and consumers. This lack of a common definition of privacy has complicated the discussion on data transfers.

Furthermore, until there is agreement on data transfers between the German and U.S. governments, businesses will have to deal with different privacy/data protection regulations in Europe and the United States. New approaches addressing European and German concerns will be considered at European Privacy Association meetings in 2014 and discussions regarding the U.S.-EU Safe Harbor Framework may begin this summer, but a final solution is unlikely in the medium term. At the very least, it is important to send a signal that the current trade talks (TTIP) should not be hijacked or stalled by the privacy topic and that lost trust must be rebuilt to resolve global threats jointly.

From Government to “Googlement”

Workshop participants discussed the shift of power from government to “Googlement,” which refers to private companies taking over IT functions traditionally provided by government. This includes data transfer, storage, searching, and other data processing. Government bodies often use the private sector for purposes of efficiency, but they have not fully realized how outsourcing these functions has limited their control over data. On the one hand, the private sector has taken advantage of this “knowledge gap,” but the public sector has also gained greater power in terms of its ability to collect and analyze information about its citizens and external threats.

The U.S. Congress has typically been “tech neutral” and defers to experts in technical debates, but this has turned into an excuse to remain ignorant about the implications of new technologies. Once in place, technical systems are very difficult to scale back as each success at identifying a threat and every new technology creates new demands to collect more and more data. Government’s power to determine the future of privacy lies not so much in legislative or regulatory measures to control data collection, but more in choosing the appropriate partners and agencies that have a tested track record in protecting privacy and civil liberties and who keep the data safe. What are the controls on the information and who gets access and what level?

Cyber Security

In Germany, several cyber security issues have been mixed up in the public debate. The first has been concern with the German government’s ability to protect its citizens’ data from outside private or public intruders, like the NSA. Second, the German government (like in the United States) has had challenges in  sharing information between relevant agencies and in updating its own laws on bulk data collection, as came to light during the trial of members of the extremist National Socialist Underground (NSU). Third, there has been public concern of the consequences of U.S. tech companies’ dominance in Europe and how they use EU customers’ data. Some of the potential outcomes of these different debates may contradict each other (deeper integration vs. more privacy).

In the United States, the NSA’s “eye-watering” capability to store and analyze data has been at the center of the debate. It was stressed that NSA officials take seriously their oath to protect American citizens. But how do we reconcile protecting Americans with the demand to collect private data en masse and what protections, if any, should be extended to non-U.S. citizens? Though much of the criticism leveled at the NSA may be uninformed, it is clear that the Agency can do better to explain why it collects certain data and why this is justified given the threat level (i.e., the principle of “proportionality”).

This also raises the issue of “privacy by design,” where engineers need to be more conscious of and responsible for the privacy implications of what they build. Does the technology actually accomplish what it’s for (“realm of the possible”)? Are there better ways to provide the services without collecting personal data (principle of data scarcity)? Politicians and law enforcement officials must also determine whether a data collection is really necessary to fend off criminal activities.  Just because we can do it, should we do it? The mere purpose (e.g., protection against terrorism) may not necessarily justify all (collection) means.

What Is the End Game?

The workshop participants were unanimous in the need for policy leaders to define the “end game” of the current debate on cyber issues. This would allow for a more focused and technically-informed debate. For now, participants suggested several “bridging mechanisms” to restore trust and signal to the public that there will be some compromise between the United States and Europe. Some of the discussed measures include a “no spy agreement,” “Schengen Clouds,” additional binding corporate rules and transparency reports, a U.S. ban on bulk data collection as currently proposed in the USA Freedom Act (H.R.3361), and possible revisions to the U.S.-EU Safe Harbor Framework.

There was some disagreement among the participants as to whether a German-U.S. “no spy agreement” was useful or even realistic. The idea may provide “emotional relief” to Europeans, but the decades-old “Five Eyes” agreements are unique and, in any case, the absence of such a formal agreement with Germany does not preclude useful intelligence collaboration with the United States. That said, “mischief is borderless,” and more transparency between allied intelligence services could lead to better ways to share threat information in real time.

Another issue addressed was “technological sovereignty” for Germany. Germany is concerned that it has lost sovereignty over its citizens’ personal data and that this makes it easier for foreign intelligence agencies to spy on the German government or industry. Some European industry players have even floated the idea of creating a German or “Schengen Cloud.” But participants concluded that this is not realistic as it would require massive changes to existing infrastructure and impose huge economic costs.

Reforming or updating the U.S.-EU Safe Harbor Framework could be a more practical next step.  Both sides must first understand, however, that the long-standing U.S.-EU Safe Harbor Framework and the NSA issues are not connected. There is no evidence of violations by U.S. companies and threats to suspend the agreement may be advantageous for those running for reelection, but are preventing the debate from moving forward. It is important that there be an open discussion about what works and what doesn’t work under the current Safe Harbor framework—this has never happened.

Questions for Further Debate

  • Do Americans and Europeans have fundamentally different values when it comes to data privacy and protection?
  • Are there better ways of identify and sharing information about threats to the economies and societies on both sides of the Atlantic?
  • If government is increasingly dependent on the private sector, leading to the “Googlement” of our institutions, who should ultimately be in control of collecting and using data?
  • What are the economic incentives for business to join the public forum on these issues?
  • How can policymakers learn more about technical issues in order to make sound decisions?
  • What privacy issues should be prioritized in order to rebuild trust and confidence across the Atlantic?  Should there be increased integration or privacy? Do you improve existing infrastructure or rebuild it in a different way?
  • What should be the final goal and how should it be articulated?