EXPANDING COMMUNICATIONS SERVICE TO THE EU WHILE COMPLYING WITH MANDATES FOR PRIVACY AND LAW ENFORCEMENT
As American communications service providers expand their networks to the European Union, they’ll confront a phalanx of new privacy laws and evolving mandates to assist law enforcement. The following examines the regulatory hurdles.
The Pro-Privacy Trend
The EU recently adopted its General Data Protection Regulation, which expanded and strengthened EU data privacy law, and scheduled it to take effect in May of 2018. Among other things, the GDPR restricts the manner in which the personally identifiable data of EU “data subjects” may be “transferred” outside the EU. The new law also increases the fines for privacy infringements. Accordingly, US communications providers that operate in the EU will soon be required to follow strict new protocols for the handling of EU subscriber data.
Further complicating the EU privacy landscape is Great Britain’s exit from the EU. Will the British apply the GDPR and ePrivacy Proposal or chart their own path to privacy protection? US service providers expanding to Europe may need to comply with one set of rules in Britain and another in the rest of the EU.
The world dominance of US Internet companies, along with disclosures about the vast surveillance capabilities of the US National Security Agency, continues to fuel EU demands for stronger privacy protection. These privacy fears may have been exacerbated by recent allegations regarding US surveillance of Russian diplomats and members of President Trump’s campaign staff. News reports like these can only motivate Europeans to toughen their privacy defenses.
The Pro-Law Enforcement Trend
Countering Europe’s pro-privacy trend are calls to give law enforcement more surveillance power to thwart terrorist attacks. The terrorist threat has continued unabated across the continent.
In response, some EU states have maintained or revised their data retention laws, even though the European Court of Justice struck down the EU-wide data retention mandate in 2014. Germany adopted a data retention law in December of 2016. The new law, which takes effect in July of this year, will require the retention of communications metadata by any communications provider with facilities in Germany.
Great Britain adopted its Investigatory Powers Act in December of 2016, though it has not yet taken effect. Under this pro-law enforcement statute, the government may serve a “technical capability notice” on a domestic or foreign communication provider with facilities in the country and then compel the provider to upgrade its network with certain surveillance capabilities.
Most alarming to the communications industry, the EU and certain EU member states are considering “data localization” laws. These measures, currently adopted only in countries such as Russia, China and Brazil, would keep a nation’s communications data stored within its borders, thereby facilitating investigations of the data by law enforcement. Network owners loathe the prospect of building a separate data center in each country they serve.
Recurring cyber attacks worldwide have stolen mountains of private information and paralyzed communications networks. This threat alone may lead governments in all jurisdictions, including the EU, to intensify law enforcement scrutiny of Internet activity. If so, the authorities will likely expect increased cooperation from network owners.
The Challenge for US Communications Providers
Any US company may face legal challenges when entering foreign markets such as the EU. But for US communications providers, such expansion poses uniquely complex risks. American operators in Europe increasingly find themselves squeezed between demands for more privacy and more public safety.
How American competitors will contend with the EU’s regulatory tug-of-war is difficult to predict. In the age of cloud computing and virtualization, it is unclear how a service provider will even know where to find a particular suspect’s traffic, let alone protect its privacy or help law enforcement monitor it. Let’s say a provider serves EU member state ABC and receives a court surveillance order from that state, but during the period of the intercept the suspect travels to EU member state XYZ. Must the provider maintain the intercept or wait for a second order from a judge in XYZ? What if the suspect goes to XYZ but his or her traffic remains in ABC?
The US communications industry recognizes the value of spreading its services to the EU. However, to take advantage of these opportunities it will need specialists to navigate the regulatory gyrations of privacy protection and law enforcement support.