The EU fired its privacy blunderbuss against Yahoo, Facebook and WhatsApp, but that gun fires both ways. If and when the EU bothers to probe who actually is dropping the privacy balls, it will need a mirror and the full dossier on its own security agencies and success against hackers.
The EU wrote stern letters to Yahoo and Facebook on violating the recently minted Privacy Shield agreement between the EU and the US. One violation claimed stems from WhatsApp sharing its European customer data with WhatsApp’s parent company, Facebook. A second potential violation involves the hacker theft of 500 million Yahoo customers’ data. Some of those were Europeans, and the EU holds Yahoo accountable for the privacy consequences of the hackers’ crimes. The EU also wants Yahoo to implicate itself by confirming that Yahoo scanned its customers’ email metadata on behalf of US law enforcement and intelligence agencies. Yahoo denied the allegation. The facts offered by the EU vaguely support its privacy grandstanding, but the facts are incomplete and the complaint is hypocritical.
Privacy is prized on emotional or pragmatic grounds by people in the US and EU, but in the EU, privacy has been elevated to the level of a human right. The relevant principle of EU privacy seems to be that people can limit others’ use of their personal information and can demand that their personal history be suppressed in databases (the so-called “right to be forgotten”). The result is that companies (including US companies) must have a European individual’s agreement to use that individual’s personal information. Because Facebook now owns WhatsApp, the user agreements that WhatsApp obtained are being used not so much by a different company, but by different owners of WhatsApp. The EU may regard that as sinful, but it seems more like a pettifogging interpretation of who are the parties to the “agreement.”
Until 2015, an agreement called Safe Harbor showed mutual respect for the privacy of an individual’s personal information transferred between the US and EU. Snowden’s revelations of the NSA’s massive surveillance in Europe embarrassed leading European politicians and led them to condone the European Court of Justice’s order that the EU withdraw from the Safe Harbor agreement. After much haggling and conceding that an agreement was critical to EU and US trade, the EU and the US forged “Privacy Shield,” wherein each side promised to protect the privacy rights of the other party’s citizens as if their data resided in their native country.
An important part of the European surveillance story is routinely suppressed in Europe. Before Snowden, European countries such as France, Germany and Great Britain conducted surveillance on their own populations and sometimes on each other. Because of the NSA’s prowess and the common mission to prevent terrorism, they gladly accepted its help. EU countries may have reduced their level of surveillance in the wake of Snowden, but they resumed aggressive surveillance in the wake of the Charlie Hebdo and Brussels terrorist attacks. Pragmatism triumphed over nationalist posturing.
The EU states’ own current intelligence surveillance (especially by France, Germany, Britain and Spain) breaches the “privacy” of European residents and should be a violation of the Privacy Shield, especially where an EU member surveils people in another member state. Some states such as Belgium may lack the volume of cyber-skills needed to chase Islamic terrorists, and they can borrow surveillance help from other EU members. But that’s nothing the EU wants to discuss, so there is no stern letter forthcoming to the EU’s intelligence agencies. The EU fails to see that it is selectively enforcing the Privacy Shield and exhibits hypocrisy in its complaints against Yahoo.
That Facebook owns WhatsApp should insulate it from privacy violation claims that stem from the parent-child relationship.
Yahoo faces a double witching in this imbroglio. Allegedly, law enforcement and intelligence agencies “asked” Yahoo for help identifying metadata for some customers. When police and spooks tell you to cooperate and the Department of Justice is not on your side, resisting requires a preternatural will. When hackers attack large companies seeking customer data, they often win and harvest the data or cause havoc. This is true whether the victim is the US DoD, Target Stores, France’s DGSE, the US IRS, 19,000 French websites, the UK’s GCHQ or even Yahoo.
Yahoo operated with good security, but not perfect security, much like every other prominent entity. To blame Yahoo for the hackers’ assault on EU citizens’ privacy is unreasonable, especially when the EU’s much-vaunted government agencies cannot resist hackers either. The EU would better devote its resources to hardening its entities’ resistance to hacker attacks rather than attacking well-behaved entities for succumbing to forces the EU itself cannot resist.
If the EU wants to move beyond the pretense of a commitment to privacy, it should start by criticizing its own surveillance of its own citizens.