After the death of the EU/US Privacy Shield, Jan Oetjen, CEO at GMX explains why it is now essential for Europe to develop its own internet industry.
Ever since Snowden revealed the extent to which the US intelligence agencies routinely access individual and company data without so much as a warrant, people are becoming increasingly mistrustful of US companies.
A survey by GMX last year, for example, revealed that 73% of British internet users mistrust US companies over data protection concerns, which is more than double that of a similar survey in 2015 which showed that only 35% had such concerns.
8% of UK internet users have even left a US online service due to privacy concerns within the last twelve months, while 11% are planning to do so.
The death of Privacy Shield
Reflecting these concerns over the misuse of EU citizen data, the European Court of Justice ruled in July to overturn Privacy Shield, one of the most widely used mechanisms to allow US commercial companies to transfer and store personal data from the EU in the US.
The heart of the problem is obvious: GDPR (General Data Protection Regulation) stipulates that the data of European citizens must be protected regardless of its location and prohibits European firms from transferring personal data to overseas jurisdictions with weaker privacy laws. That is exactly what Privacy Shield failed to do, hence why the highest European court ruled it illegal.
The US does not have its own direct equivalent of the GDPR. Further adding significantly to the EU’s concerns is the US CLOUD (Clarifying Lawful Overseas Use of Data) Act (H.R. 4943) which effectively erodes data protection by allowing US federal law enforcement agencies to compel US-based technology companies to provide requested data stored on their servers, irrespective of whether the data resides within the US or not.
In other words, even if you choose to store your data on GDPR-compliant servers in Europe, if the data is stored by a US company, it can still be handed over to US authorities.
Would you be comfortable giving your data to US companies in Europe, knowing this law exists? The European Court of Justice had a clear answer to this question and confirmed the discomfort of 73% of Great Britain’s internet users who had concerns about saving their private data with American companies.
There is also the urgent question as to the status of UK data once the EU withdrawal transition period comes to an end on the 31 December.
While the GDPR, the globally esteemed Gold Standard of data protection, is currently enshrined in UK law, the scope for changes after Brexit remains unclear according to the recently launched National Data Strategy by the UK government.
Can Europe catch up in the digital race?
Besides the two failed data agreements Safe Harbour and Privacy Shield, the last ten years have not been good for Europe’s digital economy.
The global digital industry is still dominated by US, and increasingly, Far Eastern companies. From Google to Facebook, Amazon, Apple, Alibaba, and TikTok, none of the big names reside in Europe.
With little dominance in the global digital industry to drive new, higher standards in data protection, what are Europe’s options going forward?
This question is particularly urgent for the UK as it will rely heavily on its service and knowledge-based economy post Brexit.
Constructing a third data agreement with the US to supersede Privacy Shield is destined to fail because it will inevitably be incompatible with the GDPR’s requirement for EU data. So, what should Europe do?
Time for European tech to gain relevance based on world-leading privacy standards
Instead of wasting time trying to find a solution between two irreconcilable differences, Europe should use its data privacy leadership to its advantage.
Europe must become a relevant technology player before it can be the bearer of better standards for the world. But it has a lot of catching up to do.
As a first step, Europe must make a level playing field. As the digital infrastructure is dominated by the US players, Europe has to make sure that components such as operating systems, app stores, browsers, etc. are acting one hundred percent neutrally and not abusing their position nor dictating their own rules of play.
As all attempts to regulate players like Google took a long time, and besides a couple of billion Euro fines, did not have any effect on the market, Europe urgently needs a legal basis to secure access to digital platforms, especially those that have infrastructural character.
The UK might have a strong tech start-up community, but a level playing field will become vital especially after Brexit for it to flourish and break through to meaningful levels.
Still, that alone does not generate European alternatives. We also need to push open standards that will generate synergies within and across industries.
Heavy investments are prerequisite if we want to build up relevant competitors that differentiate themselves in the European B2C and B2B markets by keeping European data in Europe.
Time to get moving
Europe’s digital companies will need to work fast to agree on the necessary open standards to foster competition.
At the same time, politicians will need to act just as quickly to ensure these new legal frameworks are presented as a viable alternative to those dictated by US and in the future Chinese companies.
Only by investing in Europe’s own digital industry and promoting open standards would European digital companies have a chance.
The UK has shown clear commitment to the principles of consumer protection and empowerment. Its willingness not to just introduce standards but also to apply them is perhaps one of the most promising areas of common interest between the EU and the UK.