Although the US and the EU have been running mates in the international cybersecurity race, Europe has been a rather silent partner in this campaign. A recent ruling by the Court of Justice of the European Union (CJEU) underlines the unique features of European cyber power. The Privacy Shield verdict is a reminder that Europe is not like Russia. It is not like China. And it is not like the United States either.
The European Union has unique experience in and a distinguished reputation for building trust and sustaining international relationships across many disciplines. In a relatively recent dispute before the International Court of Justice, Uruguay singled out compliance with high European Union standards as a justification for its own solutions which were being contested in the Court. While the United States and China have commanded most of the attention in international cybersecurity debates, meeting EU standards and thresholds remains a significant milestone for countries stuck between competing world views.
The “Privacy Shield” ruling by the Court of Justice of the EU (CJEU) is one such significant milestone – and not just in the context of privacy and personal data protection. Demonstrating the continuity, coherence and consistency of EU data privacy legislation, the CJEU commends the legitimacy of European policies, and ultimately places them above Euro-Atlantic solidarity and political unity. The verdict has been hailed as “the most unambiguous message the EU has sent to the US yet on the subject of privacy: The United States theatre of surveillance is profoundly incompatible with EU rights“.
The CJEU’s Message
At present, there is little to distinguish the EU from the US in international cyber diplomacy processes. From the early years of the UN First Committee process, European countries have echoed Washington’s mantra of “no” to new binding obligations when it comes to states’ development and use of information and communication technologies (ICTs). In recent years, EU countries have voted as a bloc with the US in matters related to international cybersecurity processes. European governments and the EEAS have been strong supporters of voluntary and non-binding guidelines of state behaviour in cyberspace. Some have even mused about ways to build a European way of “defending forward”, following the US turn towards a more risk-tolerant method of power projection.
The Privacy Shield ruling, however, makes it clear that there are limits to a selective application of EU values and regulations, especially when it comes to relations with the United States, and that the Court may overrule policy decisions. The ruling makes it clear that European citizens’ rights cannot be made subject to annual blanket certifications of the United States Attorney General and the Director of National Intelligence. It also states that appointment of a Senior Coordinator for International Information Technology Diplomacy – a position without power to adopt decisions that are binding on the US intelligence services – is an insufficient measure to guarantee European citizens’ privacy.
The verdict serves as a reminder of what should constitute the centrepiece of the European Union’s cyber policy: the individual. European personal data protection regulation subjects the Union’s cyber policy to the inquiry and scrutiny of individuals and corporations if they so wish. Max Schrems has achieved clarity on data privacy issues where governments have chosen silence and brinkmanship.
Europe’s fundamental principles and values distinguish it from the cyber superpowers, including the US. The CJEU’s ruling should serve as a reminder that selective and casuistic reading of EU requirements will result in the policies that are built on such interpretations being overturned. In this context, the ruling highlights broader cybersecurity considerations. The Court reiterates that access to data in transit to the United States is not subject to any judicial review and that the current US policy allows ‘”bulk” collection … of a relatively large volume of signals intelligence information or data under circumstances where the Intelligence Community cannot use an identifier associated with a specific target’.
Although the three leading cyber powers (the US, China and Russia) have little to nothing in common, they all set bad examples of sustainable digital development, stability and peace in cyberspace. Russia and the US, although diametrically differing on whether further ICT progress is good or bad, are both locked in a battle over operational ambitions opened up by these technologies. Neither has much interest in resolving half-violent cyberconflicts, as long as they serve their larger political goals and objectives. China, while it currently has a significantly lower operational appetite, shares with the US an interest in ICT market domination (a theme that is effectively non-existent for Russia). No agreements on ICT standards or access to ICTs are likely between the US and China. Beijing’s unabashed engagement in cyber espionage and domestic control goes a long way to rule China out as a potential trusted partner in world affairs.
Can the EU Become an Independent Cyber Power?
The idea of the EU acting like an independent cyber power is strange to many European cyber diplomats. However, in the mid- to long-term, a strong and independent EU is a more useful ally than a few leading nations parroting US narratives. Between Europe and the US, there are no easy solutions on issues like global governance of cybersecurity, applicability of international law to cyber operations or the extent of human rights and freedoms online. On these issues, Europe must maintain and promote a more nuanced policy. There are a wide array of international cybersecurity issues, allowing Europe to lead in venues and processes well beyond the UN Disarmament and International Security Committee.
Taking an independent lead would require a strategy. There is little question about the comprehensiveness and depth of EU cybersecurity regulation. The Union boasts the experience of having created several generations of cybercrime, intellectual property, Internet infrastructure and privacy regulation. However, while these mechanisms may work for European states, some questions will need to be answered before they can serve as the foundation for European global leadership. For example, will the European approach scale up to national realities different from those in the European Union member states and the European Economic Area? And does it align with commonly accepted solutions for international peace, stability and security in cyberspace?
Furthermore, global leadership from the EU would require the injection of more autonomy into the Euro-Atlantic cyber partnership. Europe’s alignment with the US has put privacy, personal data protection and due diligence on the back seat – not only in the context of passenger name records or corporate data but also in the context of espionage and prioritisation of resilience. Issues of privacy in the digital age, on which Europe has a credible lead and deep experience, need to be connected to the international cybersecurity dialogue, or, better yet, into a future international digital development agenda.
As ICTs have become a tool of choice in international power projection, successful European leadership in cybersecurity would likely provoke more cyber and influence operations targeted at European states, institutions and citizens. Thus, sustainable leadership depends on member states, EU organisations and citizens all working to improve their cyber resilience. That includes improving their understanding of the real (rather than hypothetical) cyber risks associated with particular online ambitions and practices; allocating cyber risk mitigation cooperatively across all stakeholders; making necessary individual, organisational and technical safety and security investments; and cultivating a culture of transparency and accountability in online activities.
In sum, in the absence of appropriate investment in the ability to maintain an open, free, accessible and peaceful cyberspace, there cannot be credible and sustainable international cyber leadership. With little prospect of an international solution to cyberconflict – due to a widespread and systemic lack of resilience in national ICT networks and services – nations acutely need optimal approaches to and measures of cybersecurity. Rather than remaining a silent partner in the like-minded cyber bloc, Europe should build on its long-term experience in introducing, implementing, adapting and harmonising policies and laws in the field of ICT security. Solid administrative and judicial remedies support maintaining and deepening Europe’s reputation as a beacon against abuse and irresponsible behaviour online.
About the Author
Eneken Tikk is affiliate researcher of the Erik Castrén Institute of the University of Helsinki and the Executive Director of the Cyber Policy Institute. She is co-editor of the Routledge Handbook of International Cybersecurity (2020) and the editor-in-chief of the International Journal of Digital Peace and Security.