News hit Tuesday (Feb. 2) that the U.S. and the European Union had agreed to a deal on data transfers. The deal, according to an initial report from The Wall Street Journal, had the U.S. agreeing to “binding assurances that personal information about Europeans wouldn’t be subject to mass surveillance when it is copied to U.S. servers.”
I hoped that something had been lost in translation from the Brussels agreement, but apparently that is indeed the gist of the deal. What it means is that the U.S. has promised something that it absolutely can’t deliver.
The U.S. negotiators almost certainly knew that. But the EU negotiators had to know it just as well. This is all politics and diplomacy, my friends, where both sides can agree to something that neither side believes, while hoping that their citizens won’t notice.
So the EU gets a solemn promise of privacy protections, which its voters want. And the U.S. gets no delays in data transfers, which U.S. companies want — a win-win in diplomatic terms, but a lose-win in reality, though one that the Europeans can stomach. Why? Because the inevitable privacy invasions will happen very quietly.
Let’s start with the basics. Even if we assume — which I don’t — that the U.S. can control every tentacle of its military and intelligence operations, it certainly can’t control private businesses, Congress (which would have to pass deals to punish those private businesses, which won’t be happening) or private citizens (some of whom are cyberthieves).
Hence, U.S. assurances that “personal information about Europeans wouldn’t be subject to mass surveillance when it is copied to U.S. servers” are simply not something that any government official can honestly promise. Indeed, it’s not something that anyone can promise.
For starters, there are no laws (yet) that would prohibit any company from analyzing and mining all data about its customers, as well as anyone who interacts with that company, whether it’s a Web/mobile visit, a call to a call center, a conversation with an employee or anything else.
And there’s nothing to stop corporate employees and private citizens from whatever snooping they want to pursue, although there are laws that make it illegal — assuming any of them realistically think they’ll get caught. And the rules don’t say that the data won’t be sniffed by Americans, but that it simply won’t be sniffed. What if Chinese, Russian or Iranian cyberthieves hit the servers and bring the data back to their corporate backers?
But this goes further than that. What kind of data are we talking about? All kinds. Indeed, the Journal story specifically referenced that this deal was intended to address earlier concerns including “Web-browsing habits” and “salary details.”