Cameron Kerry today blasted E.U. efforts to start a digital trade war using European outrage at NSA surveillance as a pretext. In a speech given given today at the German Marshal Fund, Kerry, outgoing General Counsel of the U.S. Department of Commerce and brother of John Kerry, compared calls in Europe to cut off the flow of Europeans’ data to U.S. companies to the Chinese “Great Firewall” and outlined three constructive responses to EU concerns:
- Surveillance. Kerry declared the Administration’s commitment to greater transparency around surveillance but offered scant details.
- Law Enforcement Access. Kerry affirmed support for ensuring that law enforcement has to get a warrant before accessing the emails and other communications stored with U.S. companies — ECPA reform.
- Commercial Privacy Regulation. Kerry provided key details, for the first time, about the baseline privacy legislation the Commerce Department has been working on for months. Their legislation would empower the FTC to directly enforce the “Consumer Privacy Bill of Rights” issued a year and a half ago.
Surveillance. Kerry stated the Administration’s commitment to greater transparency around surveillance, including “directing the U.S. intelligence community to declassify more information” but didn’t get into much more detail. He debunked, rather pointedly, the idea that U.S. government surveillance is worse than surveillance by European governments, pointing to a new Hogan Lovells report that concluded: “the U.S. government requests information from [cloud service] providers at a rate comparable to – and sometimes lower than – that in other countries, including many European Union member states.” The numbers speak for themselves: EU intelligence agencies and law enforcement spy and grab data at least as much as the U.S. government.
Law Enforcement Access. Kerry affirmed support for ensuring that law enforcement has to get a warrant before accessing the emails and other communications stored with U.S. companies. A broad ECPA reform coalition has succeeded in getting five bipartisan bills introduced in Congress. The Yoder-Graves Email Privacy Act has 138 sponsors in the House. In the Senate, the Leahy-Lee ECPA Amendments Act has been voted out of committee favorably — but is now stalled because the Securities & Exchange Commission has demanded an exemption so they (and other regulators) can continue getting emails without a warrant. I asked Kerry what the Administration would do to break the impasse and prevent the SEC from holding ECPA reform hostage. His response: “The SEC is an independent agency. We’re working with Sen. Leahy and others to make progress on ECPA reform.” So… without more from the Administration, let’s not get our hopes that ECPA reform will pass any time soon.
If it does, it should go a long way to demonstrating that, as Kerry quoted de Tocqueville, “The greatness of America lies not in being more enlightened than any other nation, but rather in her ability to repair her faults.“ A consistent warrant requirement would be a major competitive advantage for U.S. cloud companies among consumers eager to find secure places for their data, given exploding demands for access to user data from governments around the world.
Commercial Privacy Regulation. Most controversially, Kerry provided key details, for the first time, about the baseline privacy legislation the Commerce Department has been working on for months. Their legislation would empower the FTC to directly enforce the ”Consumer Privacy Bill of Rights“ issued a year and a half ago — but also to certify, as “safe harbors” voluntary codes of conducted created by a single company, an industry or multistakeholder group. In theory, it’s a better approach to privacy regulation than most. But it’s also fraught with peril in practice. A few questions illustrate the problem:
- How, would the White House framework be formalized in regulation?
- The FTC already has sweeping privacy enforcement powers — truly a “national baseline” for consumer protection — but uses that power to bully companies into settling cases so the FTC can build law through poorly explained consent decrees without any meaningful judicial adjudication. (Read our amicus brief in the Wyndham case.) How would FTC enforcement become any more rigorous or consistent with the rule of law?
- The FTC has built informal regulation instead of using its actual rulemaking authority (under Magnuson-Moss), which it wants Congress to replace with streamlined rulemaking powers. But where it has issued regulations, it has paid scant attention to the impact of regulation on the private sector, as in revising its COPPA rules. Can the FTC really strike the right balance between consumer privacy protection and the new
- The power to certify systems will, in practice, likely become the power to dictate the contents of “self-regulation” — in truth, more akin to European “co-regulation.” What will stop the FTC from abusing certification the way the FCC abuses merger review to extract “voluntary” concessions?