WASHINGTON, July 9, 2018 – The European Union’s General Data Protection Regulation is raising the danger of the “splinternet” syndrome, as top tech companies prioritize international standards over American ones, warned experts at a June 28 event of the Federalist Society.
Officials from Google, Microsoft, and cybersecurity company Endgame addressed growing cybersecurity concerns that international industries serve to America’s national security, and not that of Europe.
Additionally, tech companies have also been upset about a new California data protection law, signed June 28, that requires companies to allow consumers to opt out of data collection.
Panelists warned that the law has the potential to alter a company’s entire business model surrounding revenue from data collection. The legislation has many similarities to the GDPR, in effect since May 25, that imposes heavy regulations on user data collection of EU residents.
The worrisome prospect of a ‘splinternet’ to the global internet
Andrea Limbago, representative of cybersecurity company Endgame, warned that new international regulations like the GDPR are moving the internet “more towards the ‘splinternet’ versus the global internet.”
Countries’ different privacy demands makes the internet more fractured and causes problems for the tech industry, she said. GDPR mandates and the idea of cyber sovereignty for government access to data “are directly in conflict,” Limbago continued.
She instead touted “cyber sovereignty,” referring to the concept that a government should have control over internet usage, access, and services within their own country, from the technological side to political.
Because GDPR applies to not only EU companies, but to any company that engages with EU online users, rules established by the GDPR potentially interfere with another country’s ability to collect data on their online servers if that data belongs to an EU online user.
Which international norms are likely to prevail?
In America, outrage over how American companies store user data recently bubbled over the boiling point in Congress with additional revelations about whether Facebook allowed for the storage of consumer data on devices manufactured by the Chinese telecom equipment company Huawei.
Huawei has well-known ties to the Chinese Communist Party.
According to Limbago’s argument, while the GDPR pushes for protections of the individual, such as the right to be forgotten, other countries--such as China-- could claim “cyber sovereignty” and enact laws that demand a company storing data on its land or of its people to provide that data regardless of an individual’s consent.
“If our tech or government in favor of democracy is not pushing forth these norms, others will push forward their own norms,” Limbago said, advocating for the U.S. government to enact firm, democratic rules of the road for the international cybersecurity space.
Google and Microsoft defend an increasingly beleaguered internationalism
When asked about how Microsoft and Google are responding to the flap over Facebook and Huawei, neither Google nor Microsoft expressed a desire to pull out of international agreements, despite legal complications that may arise.
Microsoft representative Angela McKay defended the practice of buying and partnering with other companies--including international companies--claiming it is good for competition in the marketplace. Managing Microsoft’s supply chain is a “way to use market forces to increase security over time,” McKay said.
Google representative David Lieber agreed with McKay. Lieber said that Google has many international partners within the supply chain, but looks to new methods of reducing the national security threat that supply chains can cause.
“One of the ways to reduce risk in a supply chain is to reduce complexity,” Lieber said. Regarding data storage, he suggested examining the infrastructure that stores the data. For Google Cloud services, “The servers that reside in those data centers storing Google account data are custom designed. They have a stripped down operating system,” he said, which can reduce the risk of cybersecurity threats.
New international pressures on Silicon Valley could overcome tech companies’ resistance
However, former National Security Agency General Counsel Stewart Baker raised concerns over how the pressures Silicon Valley faces from international regulations could overpower pressures from the U.S. government.
According to Baker, European policies such as GDPR are imposing “massive fines and liability” on tech giants. Silicon Valley is pressured to comply with international regulations while resisting American regulations.
“Frankly, it’s just easier to regulate it if you don’t have an industry of your own,” Baker said. “[The Europeans] don’t and so they’re happy to beat up big tech from the United States.”
He explained tech giants must cooperate with laws in Russia and China or face being banned in the countries, whereas in the U.S., the companies gain leverage by hiring lobbyists and massive numbers of employees, and thus “don’t mind fighting the U.S. government.”
Rekindling fears of foreign interference in the political space, Baker accused Silicon Valley of allowing European hate speech laws to undermine the free speech of Trump supporters.
“When they are told to eliminate hate speech online by the Europeans,” Baker said, “they just don’t have any trouble agreeing that hate speech is pretty much anything that Trump voters say--and finding ways to disadvantage it in subtle and unsubtle ways.”
(Photo of the Federalist Society event by Heather Heimbach)