Facing Legal Challenges in U.S.-EU Relations

Remarks by U.S. Ambassador to the EU Gardner
Mackenzie Stuart Lecture, Cambridge University
January 29, 2015

(As prepared for delivery)

Introduction

Thank you, Professor Hill, for that introduction. Thanks as well to Professor Armstrong and the Centre for European Legal Studies, and to Shearman & Sterling, for giving me the opportunity to deliver this year’s Mackenzie-Stuart lecture. I am proud to be the first U.S. government official so honored.

I arrived in Brussels nearly one year ago to take up my duties as United States Ambassador to the European Union. It was a homecoming to the city where years ago I had begun my career, first in the European Commission and subsequently as a competition and trade lawyer.  The familiar topics of competition and trade law remain central to U.S.-EU relations, of course.

But today some of the most important bilateral issues between Washington and Brussels arise in areas that scarcely existed then.  One subject of increasing importance in our trans-Atlantic dialogue is the coordination of sanctions.  European sanctions policy today is made collaboratively in Brussels, rather than in individual European capitals. This evolution has given rise to intensive diplomatic and legal engagement between Washington and EU institutions.   The second new topic is digital law and policy, reflecting the information revolution and concerns about personal privacy and sovereignty.   I would like to offer a few observations on both.

Economic Sanctions

The U.S. Government coordinates sanctions with the European Union in many areas – including counter-terrorism, Iran and Russia.  The EU’s ability to coordinate and implement sanctions policy quickly and effectively, despite widely disparate national interests, is one of its signal foreign policy achievements of recent years. And the ability of the U.S. and the EU to coordinate sanctions has also been a notable example of trans-Atlantic partnership.  We are stronger and more effective when we send uniform messages to offending governments, companies and individuals; by acting in parallel we reduce possibilities for sanctioned entities to evade the bite of restrictive measures.

But at the same time the U.S. Government is increasingly concerned about weaknesses in the European sanctions mechanism, particularly when sanctioned individuals or companies challenge the correctness of their designations before the European Court of Justice.  There is nothing inappropriate about such challenges.  Indeed, due process – the right to a defense – is ingrained in legal systems on both sides of the Atlantic. The U.S. government has faced legal challenges like these in our own federal courts.  Now it is the turn of the European Union to face similar searching inquiry from the judges of the European Court of Justice in Luxembourg.

A recent case involved an alleged terrorist financier who challenged the EU’s implementation of counter-terrorism sanctions that had been agreed by the United Nations Security Council.  In the Kadi case the Court of Justice surprised the international law community by holding that the EU’s implementation of a UN Security Council resolution was subject to European fundamental rights law.  In other words, EU fundamental rights norms effectively were to be considered legally superior to primary international law.

Since that judgment, further lawsuits have uncovered a variety of structural and procedural weaknesses in the way the EU develops and administers sanctions measures.  The EU’s Iran sanctions, for instance, concentrate on penalizing entities involved in nuclear proliferation in that country.  Ferreting out the facts to justify such conduct-based listings is difficult: it requires teams of analysts working together across national borders, often in very time-sensitive circumstances.   The U.S. has learned this lesson the hard way: in the 1990’s, when our government first started using economic sanctions as a primary foreign policy tool, we lost some cases before U.S. federal courts because we hadn’t done our factual homework properly.  Today we have a sizeable staff in our State and Treasury Departments devoted to assembling detailed evidence that will stand up in court.  As a result, very few sanctions listings are successfully challenged in the United States.

The European Union has been slower to devote the additional resources needed to develop factual records that will withstand rigorous judicial scrutiny.  It has paid the price, most recently in the extraordinary decision by the Court in December of last year to annul the EU’s inclusion of Hamas in a list of terrorist groups. According to the Court, the EU had based its periodic relisting on “factual imputations derived from the press and the internet” rather than on its own analysis of the group’s actions. Some key member states, such as the UK, fully appreciate the problem; they have begun lending more experts to the European External Action Service and are providing it with better unclassified documentation.  The United States is also lending a hand by providing information and research support to the EEAS.

But satisfying the need for evidentiary support can sometimes be challenging, especially when countries act in a clandestine manner to pursue terrorism and illicit proliferation, for example. In these instances relevant evidence can only come from intelligence sources.  The General Court of the European Union, which hears sanctions challenges in the first instance, currently has no authority to receive or handle classified information.  In the United States, on the other hand, federal judges with security vetting are able to review both unclassified and classified portions of an administrative record.

Following several recent annulments by the Court of EU designations of Iranian entities, the EU has recognized the need for a change in the court’s rules to enable examination of classified information.  Although the divergence in member state legal traditions on the use of classified information in judicial proceedings has complicated the development of new common rules, approval appears to be within reach.  The United States is encouraged to see that the EU is strengthening its capability, administratively and judicially, to promulgate and sustain sanctions designations. This is not only of critical importance in our common efforts to combat terrorism and apply pressure on Iran, but also in our common efforts to apply pressure on Russia to change its aggressive policies toward Ukraine.

Data Privacy

Whereas the United States and the European Union are collaborating on sanctions, the issue of data privacy has been dividing us — even before Edward Snowden’s surveillance disclosures raised European sensitivities to a higher pitch.

This is a pity because it puts at risk important agreements that promote trans-Atlantic data transfer to facilitate commerce, protect privacy, and secure our borders.  For example, the 2000 Safe Harbor Framework regulates the export of personal data in the commercial context from the territory of the EU to the United States, and the 2012 Passenger Name Record Agreement similarly facilitates the flow of information on trans-Atlantic airline passengers for counter-terrorism purposes.   Today U.S. and European Commission negotiators are finalizing revisions to the Safe Harbor Framework that will modernize and improve its functioning.  At the same time, a separate team of negotiators is in the final stages of work on an umbrella law enforcement data protection agreement that would establish a comprehensive framework for information-sharing between law enforcement authorities.

But as we negotiate, rulings from the EU Courts are raising new challenges for the future of these agreements.  In April of last year, for example, the European Court of Justice invalidated the EU’s data retention directive, a law which had required member state communications providers to retain metadata for up to two years, so that it would be available when needed for law enforcement investigations.  Two features of the court judgment were particularly striking.  First, the court appeared to suggest that any retention of personal data in bulk was simply inconsistent with EU fundamental rights precepts.  Second, it criticized the EU directive for not requiring that collected data be retained within the territory of the European Union, where European data protection authorities could exercise supervisory control over it.

Not surprisingly, critics of international law enforcement information-sharing have seized upon this judgment to challenge the appropriateness of sharing of airline passenger name records.  When the European Commission asked the European Parliament to approve its conclusion of such an agreement with Canada, the immediate parliamentary response was to seek the Court of Justice’s opinion whether the envisaged information-sharing is consistent with EU fundamental rights.  It will take some time before we know the answer to that question.  This uncertainty could weigh on the revived discussion now taking place in the European Parliament on whether, in the wake of the Paris terrorist attacks, to create an EU system for sharing passenger record data among member states.

Over the next year the ECJ also will be examining the proposition that Facebook’s transfer of personal data from Ireland to the United States should not, in light of the Snowden revelations, any longer be considered conclusively to fall under the so-called ‘adequacy’ finding afforded to the U.S. Safe Harbor Framework.  If the Court agrees, all of the EU agreements with third states regarding data privacy would be at risk.  An “adequacy” finding by the European Commission would have no value if any European data protection authority could reach an independent national verdict.

Last year the Court also ruled that a search engine operator is obliged to remove from the search results initiated by using the data subject’s name as a search term any links to pages where information relating to the data subject is irrelevant or excessive. This also applies to information that is truthful, accurate and not prejudicial to that individual. The ruling in effect proclaimed an individual’s ‘right to be forgotten’.  And while the court’s ruling only addressed this requirement to internet search engines oriented towards persons within the EU, European national data protection authorities have quickly added their opinion that Google and its competitors also should honor such European requests worldwide, in other words by making deletions from search results generated in the United States – regardless of the First Amendment to the U.S. Constitution guaranteeing free speech and, implicitly, the public’s right to know. Some other countries which aim to control the Internet are only too happy to see free speech and the public’s right to information on the internet circumscribed in this way.

On the Continent, the Google Spain judgment was widely hailed as an appropriate step to preserve individuals’ sense of dignity in a brave new Internet world where one’s personal details are all too easily discovered.  But in some countries, particularly in the United States and the United Kingdom, other concerns have predominated: should search engines, which have become a fundamental research tool, be empowered to prevent public access to information?  Doesn’t this have significant adverse implications for the freedom of expression, a value that both the United States and European governments staunchly proclaim across the globe?  And should search engines or government officials be deciding what is relevant for researchers to see?

There are no easy answers to the legal policy challenges presented by the information revolution.  Part of the difficulty stems from markedly different American and European attitudes towards privacy.

According to a recent poll by a scholar, U.S. practitioners, for example, believe that the EU approach to privacy is mostly process, only occasionally enforced, largely blind to consumer and societal benefits of data flows, and hostile to innovative technology.  Their German counterparts believe that U.S. law lacks a full-bodied concept of individual privacy rights, that the government inadequately defends such rights, and that U.S. law is a confusing patchwork of federal and state statutes that are incomplete in their coverage.  I suspect that many privacy lawyers from other EU member states would share the German view.

But it is too facile to say that Americans are from Mars and Europeans from Venus when it comes to privacy protection.  Yes, data protection is a fundamental right expressly enshrined in the EU’s newly-developed Charter of Fundamental Rights, while the venerable U.S. Constitution of 1789 does not mention privacy explicitly.  But the Fourth Amendment of the U.S. Bill of Rights did establish the right of the people “to be secure in their persons, houses, papers and effects, against  unreasonable searches and seizures”,  a constitutional provision that has given rise to a rich and ever-evolving body of judge-made criminal law rules. In addition, over the years a series of Supreme Court cases have developed the concept of the individual’s reasonable expectation of privacy, to the point that today it is widely considered an implicit U.S. constitutional right.

Similarly, the Fair Information Practice Principles that lie at the core of both U.S. and European data protection law were first devised in the United States in the 1970’s before being imported to Europe.  Governmental enforcement of privacy laws in the United States is notably robust.  The U.S. Federal Trade Commission has wide authority to sanction consumer fraud and unfair trade practices, which it has used to construct an important common law jurisprudence of consumer privacy protections.  It ensures that companies comply with their announced privacy policies, including commitments they have undertaken under the Safe Harbor Framework.  Additionally, some U.S. states, including California, have legislated privacy requirements for local companies going beyond federal law. Just as significantly over the longer term, privacy norms are being increasingly internalized by U.S. companies that hire privacy officers, not only to ensure compliance with the law but also to be involved in strategy and risk management. This has been described as “privacy on the ground”, compared to the European approach of “privacy on the books”.

President Obama recognizes the need to adapt consumer privacy protections to the new realities of the Information Age.  Legislation creating a Consumer Privacy Bill of Rights is being introduced into the new Congress.  In announcing his proposal, the President observed: “We pioneered the Internet, but we also pioneered the Bill of Rights, and a sense that each of us as individuals have a sphere of privacy around us that should not be breached, whether by our government, but also by commercial interests.”

Another area where surely Europe and the United States can find more common ground is privacy enforcement.  Already a measure of practical cooperation exists: the U.S. Federal Trade Commission, for example, has relied on Ireland’s privacy regulator for information relevant to its proceedings against global technology companies.  A global privacy enforcement network of regulators, formed under the auspices of the Organization for Economic Cooperation and Development, enables such informal cooperation to deepen.  Formal arrangements between the FTC and its privacy enforcement counterparts in EU member states are starting to proliferate, and one with the European Commission is again under consideration.

Digital Benefits and Challenges

Finding durable accommodations between differing privacy law systems matters not only for the confidence of individuals and companies moving information across the Atlantic:  it also is crucial to the economic health of the internet, and of our respective economies as a whole.  Almost all of the growth in U.S. services imports and exports over the past decade has come from Internet-enabled services.

The United States and the European Union are each other’s biggest customers for digital services.  Both of us are net exporters of digital services to the rest of the world, and we use significant quantities of each other’s digital services in producing traditional exports as well.  Trans-Atlantic data flows not measured in trade statistics also are themselves important enablers of commerce, such as research data and cloud services.

The beneficiaries of the expanding digital economy are not just the American tech giants.  Successful European Internet start-up companies have emerged in substantial numbers, building, incidentally, off the platforms provided by some of those very U.S. companies. According to a 2014 study, Europe has produced 30 technology companies worth more than $1 billion since 2000, comparing well with the United States, which produced 39 billion-dollar companies between 2003 and 2013:  startups ranging from Sweden’s Spotify to the UK’s King Digital to Germany’s Zalando.

To cite just one example, the launch of Apple’s iTunes App Store in 2008 created an industry from scratch. This has not only delighted consumers worldwide; it has also spawned significant business and job growth, including in Europe. According to a report prepared for the European Commission, EU app developers took in 17.5 billion euros in revenue in 2013. That figure is forecast to increase to 63 billion euros by 2018. That same report predicted that the EU app developer workforce will grow from 1 million to 2.8 million over the same period.

Benefits also extend well beyond Internet-related companies, to other sectors including financial services, marketing and retail, manufacturing and heavy industry, and design and engineering. Germany has clearly recognized the economic growth potential of digitalizing traditional industries in the development of its Industry 4.0 strategy which will apply advances in the Internet of Things and Big Data Analytics to manufacturing, engineering, and logistics.

The digital revolution also holds great promise for improving the functioning of governments, increasing labor productivity and advancing social welfare.  According to the McKinsey Global Institute, the use of data analytics in the European public sector could save more than 100 billion euros in operational efficiency improvements.  Big data analysis also offers many promising prospects for energy and transportation efficiency, healthcare and life sciences, and education, among others.  Estonia’s ambitious e-government and public data framework is a good example.  It allows all publicly-owned personal data, in anonymized form, to be put into the public domain for advanced analytics.  This led to a boom in new data driven businesses, fostering economic growth, and improved public services.

Awareness in Brussels of the centrality of digital trade to economic growth and social welfare in Europe has been rapidly increasing. New Commission President Jean-Claude Juncker therefore has put creation of a digital single market at the top of his agenda, stating that “the Internet and digital communications can transform our economies as profoundly as the steam engine did in the 18th century or electricity did in the 19th century.”

But we also must face the fact that rapid technological change has generated reaction, more so in Europe than in the United States.  Neelie Kroes, formerly the European Commissioner in charge of the digital agenda, has warned openly about the risks.  In an article entitled “Europe needs data protection, not data protectionism”, she warned that Europe will not be “connected, competitive, open and secure…if we run away from data.”  Data protection law is not the only area where there is a risk of protectionism at the EU level.  In recent months proposals for a “European Cloud”, and for a “Schengen for data” also have proliferated in Brussels and other European capitals.

France and Germany have been in the forefront of these efforts tending towards fragmentation of the Internet. In 2013 the French government released a national innovation plan, with the goal of “build[ing] a France of digital sovereignty,” that called for advancing “le cloud souverain,” among other measures.  At the same time, Deutsche Telekom launched, with the support of the Interior Minister, “E-mail made in Germany,” a service that routes data exclusively through domestic servers.

These measures, leading to a Balkanisation of the internet, or digital autarky, are not what Europe needs. A recent study, underwritten by the European Union, found that forcing localized data storage or routing would damage a free and open Internet, not be effective in protecting against foreign surveillance, and lead to an inefficient allocation of resources. In an era of digitally enabled global supply chains, manufacturing and exports are heavily dependent on secure, cost-efficient and real time access to data across borders.

As Neelie Kroes has argued: “Keep our data locked up in Europe, engage in an impossible dream of isolation, and we lose an opportunity; without gaining any security.” Information security is not simply a function of where data is physically stored or processed. Threats are often domestic, so storing information in only one physical location in fact could increase vulnerability.

The Transatlantic Trade and Investment Partnership we are negotiating with the EU will need to ensure that cross border data flows and data processing may take place free from discriminatory terms and trade distorting conditions, with exceptions limited to legitimate public policy objectives and only in full compliance with GATS.  With cloud computing blurring jurisdictional boundaries, we need to make sure that data protection doesn’t become a disguise for data protectionism.

Recently, ideas for “data taxes”, heightened scrutiny of Internet companies under competition laws, and even EU-level regulation of Internet service providers have garnered attention. Governments should take a cautious and balanced approach to such proposals to minimize the risk of unintended consequences from making data flows more costly.

In November the European Parliament recommended that the European Commission break up Google. Even though it was a non-binding resolution, it was noteworthy for a couple of reasons. First, it politicized a long-running and complex antitrust investigation at a time when the new competition commissioner had barely had time to acquaint herself with the file. In addition, it was clearly inspired by joint French and German government recommendations seeking specific regulation of internet platform operators, above and beyond existing antitrust laws, and treating such platforms as essential facilities – ignoring the distinctions between the fast-moving digital economy and traditional industries. The resolution triggered a strong reaction from the U.S. House and Senate; similar initiatives risk undermining support for T-TIP.

We believe that questions of market dominance are best dealt with by our rigorous competition authorities.  Continuing innovation and competitive challenge may, in the end, better guarantee fairness in the marketplace than new, prescriptive ex-ante regulations that inevitably will lag behind technological advancement.  Companies that today enjoy a strong position in the digital marketplace may not be able to sustain their positions as nimbler competitors continue to introduce new disruptive technologies.

Consumers are entitled to reasonable data protection, including against the potential abuse and misuse of their private data. But, as a Lisbon Council study concluded, these guarantees should not be allowed to “degenerate into disguised protectionism or the hidden promotion of under-performing national champions…” Policy initiatives in Europe appear to be obsessively preoccupied with the success of American companies, rather than focusing on laying the groundwork for future success of European innovation.

Too often in Europe we see policy initiatives grounded in the false assumptions that all data-driven businesses are violating consumer rights or abusing their data. As the European Digital Forum has argued, overreaction to data privacy concerns could lead to policy initiatives that prevent data analytics businesses from flourishing in Europe – a “mistake of historic dimensions.” Efforts to protect European consumers against successful U.S. digital businesses could damage European start-up entrepreneurship. “This, in turn could make Europe into a permanent “no-go” zone for data-driven businesses of all types, and further harm Europe’s economic growth prospects,” according to the European Digital Forum.

Two decades ago, the United States telecommunications regulator, the Federal Communications Commission, led by my predecessor as U.S. Ambassador to the European Union, William Kennard, made a far-sighted decision not to regulate internet service providers in the same intrusive way as telephone companies.  Had the FCC decided differently, we very likely would not have seen the same scale and scope of innovation and value creation in this industry.

It is indeed an uncertain and evolving digital policy and legal landscape that the United States confronts in Europe.  But just as we and the EU have advanced our foreign policy goals through coordinating sanctions policies, I am confident that we will find a way forward together on the digital challenges.  European Commission Vice President Ansip has said that his aim is “to make sure that Europe – its citizens and businesses – get the best of the online world in the safest and most open environment possible. That means openness and opportunity. Not obstacles.”  We share his vision and look forward to collaborating in its implementation.  I appreciate your attention, and now would welcome your questions.