Surveillance Fears and Privacy Shield

It’s good to have a strong sense of self-worth but sometimes it can go too far. A January 2022 ruling by the Austrian Data Protection Authority (DSB) is an example of this. The DSB ruled that the use of Google Analytics by an Austrian health website violates the General Data Protection Regulation (GDPR) as it exports visitors’ data to servers in the United States, which the DSB believes opens the door for monitoring of individuals by “U.S. intelligence services.”

How should the United States break it to Austrians that their health data is not a priority for U.S. intelligence services and likely of no interest to anyone other than patient and medical staff? The same is true for the rest of Europe. Most people’s data is not interesting. The disparity between real intelligence needs and exaggerated European concerns over the risk of U.S. surveillance dates back to the Snowden affair, which seemed to confirm Europe’s worst fears. While the Snowden incident routinely inspires Europeans to justify decisions to block data transfers to the United States, it has become, after a decade of dramatic change in international relations and in technology, more of a rationalizing fable than an accurate depiction.

Key elements of the surveillance story that have a crucial bearing on intent and purpose are usually omitted. It was not that the United States had a sudden desire for the personal data of Europeans; surveillance was a post-9/11 effort to identify terrorists operating in or from Europe. This was often done at the request of and in cooperation with European intelligence agencies, an element of the story that is also usually omitted.

European concerns about U.S. surveillance of political leaders are based on fact but also omit a key detail. Other than the United Kingdom, which has an agreement with the United States not to spy on each other, a few leading European countries also attempt to spy on U.S. political leaders. No U.S. official or business executive would be surprised to discover they were that target of surveillance in some European countries. The U.S. activity may have been unwise, but it is scarcely unique.

The United States also began large-scale surveillance for counterterrorism purposes of its own citizens at the same time. This surveillance was similar to the data analytics techniques that have transformed business. After some years of experience, the United States found that mass surveillance was not very productive and ended its programs. But the damage has been done. The American misstep was gleefully exploited in Europe. 

It is not the analysis and use of surveillance data that aggravates Europe. The mere storing of such data without it ever being examined violates the sense of privacy held by many Europeans. That this collection is done by the United States is the key issue, since most European countries also engage in communications surveillance of their own citizens. Many Europeans were not aware of this surveillance, and one thing that came out in the Snowden investigation was the very low level of parliamentary or judicial oversight in European countries for their own for intelligence activities, something that has been partially remedied by new laws and procedures in places like the United Kingdom and Germany.

The usual explanation is that policymakers must take into account Europe’s dark history in the twentieth century. European sensitivities grow out of the behavior of their own governments in the nineteenth and twentieth centuries. This is not the place to speculate on the mental gymnastics required to transfer culpability to the United States for crimes committed by Europeans against Europeans, and despite denials, there is a strong element of protectionism and anti-Americanism behind privacy concerns.

The core of decisions like Schrems is the hypothesis that little has changed since 2013, when Snowden made his revelations, and that the United States continues to surveil in ways that threaten the privacy of Europeans. France’s state-owned news service, by no means a disinterested party, commented in 2021 that “The ambition of American cyber spies who want to wiretap the whole world, including their allies, is nothing new.” That there is, in fact, little value in mass surveillance of European personal data will not be enough to persuade a European audience that these concerns are unfounded, even though some European analysts now say the risks of U.S. surveillance are “hypothetical.” 

The fundamental point is that from an intelligence perspective, data on most Europeans (like their American counterparts), is of no intelligence value. Private individuals are not a worthwhile subject for surveillance unless they have some connection to terrorism, weapons of mass destruction (WMD) proliferation, or espionage. While a genre of Hollywood films may portray American intelligence services as deeply sinister organizations with nefarious aims, this remains a ridiculous fiction that says more about parts of society than espionage.

Will European privacy advocates be upset when under the terms of the new transatlantic privacy agreement they challenge “U.S. snooping” and discover it doesn’t exist?  Most likely they will assume that something is being kept from them. A failure to find harm to privacy will not change the narrative. Allegations of surveillance by U.S. intelligence agencies have become a justifying narrative for tech governance, data localization, and the European quest for tech sovereignty. 

The decision on a Schrems replacement is also unlikely to address the problem of reciprocity. There is no redress mechanism for Americans on European surveillance, nor would the commission be able to supply one, since, given the complexities of the European construct, it has no oversight or control over its members’ foreign intelligence activities. Intelligence is one of the activities from which member states exclude the European Commission, making the Schrems cases a lopsided conversation. National security remains the sole responsibility of each member state, and member states have been quick to guard against efforts by Brussels to extend EU competencies to their intelligence activities.

The transatlantic relation is in flux, and both sides of the Atlantic will need to think about what they want in security and in digital governance. Any information or assurances the United States can provide on collection practices will not pacify European privacy hawks. While there is general relief over the resolution of the Privacy Shield dilemma, the Ukraine crisis highlights the need for a stronger partnership. The United States and Europe need a deeper discussion of surveillance, when it is appropriate, and under what conditions. A case can be made that the United States can make concessions since mass surveillance provides little value, perhaps leading to some kind of binding limitations by both sides of the Atlantic. Until then, be prepared for Schrems III.

James Andrew Lewis is senior vice president and director of the Strategic Technologies Program at the Center for Strategic and International Studies (CSIS) in Washington, D.C.

Commentary is produced by the Center for Strategic and International Studies (CSIS), a private, tax-exempt institution focusing on international public policy issues. Its research is nonpartisan and nonproprietary. CSIS does not take specific policy positions. Accordingly, all views, positions, and conclusions expressed in this publication should be understood to be solely those of the author(s).

© 2022 by the Center for Strategic and International Studies. All rights reserved.

Image
James Andrew Lewis
Senior Vice President; Pritzker Chair; and Director, Strategic Technologies Program