Viviane Reding's 'play by my rules' warning to the US tech industry

You will play by our rules or not at all! That’s the stark message to the US tech industry from European Union Justice Commissioner Viviane Reding in her latest bout of transatlantic sabre-rattling.

Ever since the NSA spying revelations went public, Reding (and some of her fellow commissioners) has upped the rhetoric over data protection and data sovereignty issues, placing particular focus on laying down the law to Washington in the form of a list of demands to ensure that the US steps into line with European law.

On Friday, Reding was in full flight, proclaiming that US firms that want to do business with European customers will have to agree to play by Europe’s rules:

In simple words: EU data protection law will apply to non-European companies if they do business on our territory.

Non-European companies with operations in Europe are currently obliged to comply with local data protection laws in the country, enabling them to set up shop in areas where the privacy regime does not conflict with their business model.

This has been a bone of contention in some circles for some time. Earlier this year, a German court ruled that Facebook was subject to German data protection law even if its European headquarters are located in Ireland. That’s something that has yet to be put to the test.

Reding admits that there has been resistance to her plans and is clearly frustrated that this is the case:

This might strike you as self-evident. But let me tell you: far from it. It was one of the most contentious points when I presented the data protection reform in January 2012. And companies still today argue differently, taking the matter to courts.

If only everyone would fall in line obediently instead of insisting on going to court. Anyone would think they had genuine objections and concerns!

Don't forget the right to forget

One court does meet with approval however - the European Court of Justice (ECJ), which last month came down on the side of the so-called ‘right to be forgotten’, a principle immediately impacting Google, but which potentially has far wider long term ramifications for the entire tech industry.

Reding was immediately enthusiastic about the ECJ ruling when it was made and her views have not altered in the interim, despite warnings of the burden that the new right brings with it for providers as well as the wider dangers of abuse of the right.

She told the BBC last week that meeting the requirements of the ruling is:

a small thing compared to the copyright things. It is possible to handle the copyright question, so it should also be possible to handle the takedown requests on personal data questions.

To date, removal requests have come from criminals, such as pedophiles, murderers and fraudsters. Asked who should decide whether a piece of information should be removed from search listings and no what basis, Reding shrugs:

Everything is subjective in human relations.

That might be read as the dogmatic response of a true bureaucrat of course. But then the suspicion is that Reding is woman who knows she is right and is just waiting for the rest of the world to catch up with that.

In reality, Europe is divided on data protection issues. The UK and Ireland, for example, are deeply uncomfortable with the near-jingoistic tone being struck by Reding and her supporters, while France has signalled its opposition to the idea of having one regulator take EU-wide decisions on privacy.

That last point illustrates Reding’s determination to push through her will as she insists that the single regulator is still something that’s needed, is for everyone's own good and is coming closer:

This will cut red tape for companies and citizens and make sure data protection rules are applied consistently throughout the EU.

Positions are coming closer to the model for such a system with the general understanding that there should be a 'lead authority' which works closely with other concerned authorities, notably the local authority with which citizens lodge a complaint (to ensure 'proximity’).

She’s equally bloody-minded on the subject of Safe Harbor, repeating again her inflammatory comments questioning whether the provision does afford protection to non-US customers when dealing with US providers:

Safe Harbor is not safe at all – that is why we have put 13 recommendations to our American counterparts – these are non-negotiable.

We can expect the same level of diplomatic flexibility later this month when Reding will meet with US Attorney General Eric Holder with a demand for the US to allow Europeans to sue in US courts over violations involving misuse of data:

When Americans come to Europe and they think the authorities have not handled their case correctly, they can go to a European court. However an EU citizen cannot do the same in the U.S. and go to an American court.

There is no reciprocity; we do not have the basis for judicial redress. You cannot make an agreement if you do not have judicial redress.

The US has recognised the importance of this request on several occasions- but they need to have a law. I have not yet seen it.

Tick tock

The problem with all these demands is that Reding’s time in office is running out, but she’s confident that her views will continue to be aired after she leaves her role in September, declaring that:

…if I say "we" I speak in the name of my institution.

We have an institutional continuity. Just because there is a change in Commissioner doesn't mean there will be a change in policy. Everything a Commissioner does is backed by the College.

Until September, it’s clearly the case that the Commissioner will continue to voice her opinions in pursuit of a more draconian data protection regime.

With the revelation earlier in the day from mobile operator Vodafone that in 6 of the 29 countries in which it directly operates, governments have direct access to customers phone calls and web communications, Reding is still getting ammunition handed to her to support her cause:

One year after the [Edward] Snowden revelations, this shows again the scale of collection by Governments of data being held by private companies.

Without commenting on the specific Vodafone reports today, what I can say is that data access should always be framed by clear laws or judicial warrants. There should not be unregulated, direct and automatic mass access by law enforcement authorities to data of citizens held by private companies. Only where there is a clear suspicion. Not with a hoover but with tweezers.

The current situation is also bad for business. Companies need legal certainty and trust from their customers. They need to be able to promise their customers privacy. Data protection generates trust - it is thus a profitable business model.

It’s little wonder perhaps that Reding clearly feels a sense of gratitude to Edward Snowden for his NSA revelations which have provided so much cannon-fodder for her and fellow Eurocrats to fire at the USA:

One year ago the Snowden revelations were a true wake-up call. In order to show that we do need laws and we do need rules that protect our business and citizens from undue snooping.

Now is the day for European ministers to give a positive answer to Edward Snowden's wake-up call.

My Take

As before - a dogmatic official armed with the absolute conviction that she is right and running out of time fast.

The reality of the situation sadly is far more nuanced that it looks from an office in Brussels.