Who Controls Your Digital Identity?

How Europe Wants to Become a Global Watchdog in the Internet Age

Check against delivery — October 11, 2016: The Utah Council for Citizen Diplomacy’s Ambassador John Price & Marcia Price World Affairs Lecture Series


Good evening, ladies and gentlemen. My name is Mark Scott, I’m a reporter with the New York Times, and am honored to be speaking to you tonight.

Before we get started, I would like to say a quick thank you to the Utah Council for Citizen Diplomacy for the invitation to speak to you this evening, and an especially warm thank you to Beth Martial for making me feel at home since I arrived last night. It is even her birthday today.

There are also a couple of points that I should get out of the way before we get going.

I am the European Technology Correspondent for the New York Times, focusing on all things tech across Europe and sometimes farther afield. My lecture tonight, though, is based on my own thoughts and does not represent the beliefs of the New York Times.

I also want to make clear before we begin that while many of the examples I’ll be using tonight come from the world of technology, the main thrust of my argument — that Europe is increasingly becoming a global watchdog in the internet age — is not limited to just the likes of Google, Facebook and Amazon.

Digital information, like it or not, is now the engine that powers many of our daily interactions — from posting something on Facebook to submitting payroll information about a company’s employees.

So while I’m going to be talking a lot about Silicon Valley giants, Europe’s efforts to control how data is accessed worldwide are not just limited to these well-known, multi-billion-dollar corporations.

It applies to everyone in this room, even if you have never been to Europe. And it affects all businesses, from the Micro Focus offices down the road in Provo to the growing number of start-ups based here in Salt Lake City.

OK. With those points out of the way, let’s get started.

THESIS: Europe Wants to be the Global Cop for Digital Data

For many people unfamiliar with what Europe has been up to in recent years, the idea that a region thousands of miles away could police how you send tweets, Snapchats or interact with your friends and family here in the U.S. might sound a little weird.

Yet my thesis is a pretty simple one.

As data becomes a global currency — powering the likes of Amazon’s cloud computing business and Google’s dominant global search engine — European lawmakers, regulators and policy makers want to control who has access to your data and how that digital information is used. They also want to set restrictions for both companies’ and governments’ use of the data derived from your social media posts, online shopping habits and even what you watch on Netflix and iTunes.

This push-and-pull is playing out in some interesting ways.

After facing a number of privacy challenges in Europe, Facebook has altered its global terms and conditions several times to answer these concerns.

The likes of Amazon and Microsoft have set up complicated deals in Germany that allow people there to store their information close to home. These deals were done specifically to answer German data protection concerns and to comply with the country’s tough privacy rules, some of the strictest anywhere in the world.

And, most recently, a German regulator demanded last month that WhatsApp, the internet messaging app that has more than one billion users worldwide, stop sharing people’s information with Facebook, its parent company.

Sure, the ban only applies to WhatsApp’s 35 million users in Germany and Facebook is appealing. But other European regulators are thinking about imposing similar bans. Their main concern? That WhatsApp’s users hadn’t given consent for their data to be shared with Facebook, and that people’s privacy might be at risk.

I must add at this point that all of the companies I’ve just mentioned deny that they play free and easy with people’s digital privacy, and say that they comply with all the necessary rules wherever they operate.

OK. So we can see that Europe is not afraid to go up against some of the world’s — and America’s — largest companies and how they use our data.

But it’s worth asking whether Europe’s strong-man approach is actually a good thing?

Many of the European regulators making these decisions are barely known in their own countries, let alone here in Salt Lake City and elsewhere in the world. Most, if not all, are unelected. Some may even be pushing an agenda that is not shared by those outside of Europe.

And what happens if more totalitarian governments also start imposing their own views of the digital world onto how we all use the internet? We are already seeing the likes of Russia take what has started in Europe and alter the global privacy agenda for their own purposes.

I do not want to be alarmist. But the push of one country or region’s view of how things should be done elsewhere should — and does — raise concerns about overreach. That is something to keep in mind as I sketch out Europe’s efforts in more detail.


Before we delve into the nitty gritty, I thought it would be good to spend a quick minute outlining what I mean by digital data.

To do this, I want to introduce you to José Antonio Rodríguez Salas.

José Antonio Rodríguez Salas, the mayor of Jun, a small Spanish town near Granada

I met José Antonio earlier this year for a story that I was writing about how Jun, a small town in southern Spain, was using Twitter as its main form of communication between locals and government officials. If you want to contact the police, you send a tweet. Trash on the sidewalk? Tweet the garbage men. That sort of thing.

José Antonio is the long-time mayor of Jun, and has more than 430,000 followers on Twitter. That’s not bad for a mayor of such a small Spanish town whose population barely tops 3,000.

But one of the most interesting things about José Antonio, and what is relevant for our discussion tonight, is what he did when his daughter, Martina, was born earlier this year.

Instead of sending around a photo to friends or family, or even posting an image of his baby girl on Facebook, José Antonio sent this tweet from a Twitter handle that he had set up specifically for his daughter.

The tweet says, and I remind you that this little girl was barely five minutes old at the time: “I’ve just been born at 3:55am and I weigh 3.1 kilograms.”

Now granted, this is an extreme example. But this is the type of digital data that I’m talking about. It’s the social media posts we all put up each day. The Google searches for a new pair of shoes that mysteriously lead to the same ads showing up on websites that we then subsequently visit.

And those are choices that we as adults are making.

This Spanish girl was less than five minutes old and her digital data was already being collected and shared online. In the future, what will that mean for her daily life? Will she have a right to ask for that information to be removed, if she so chooses in the future? Should she have that right, even if technically the data is owned by Twitter, and not by her?

These are the questions we should all now be asking ourselves. And it’s what Europe is trying to get its head around right now.

I also wanted to share a couple of photos with you to illustrate how quickly digital data has become a fixture in our daily lives.

The first photo is from 2005 when Pope Benedict XVI was elected.

Now, this second one is from 2013 when Pope Francis was elected.

Spot the difference?

And this has all happened within the last 10 years. Imagine what the next decade has in store for us.

I also wanted to pose a couple of questions to you.

I think it goes without saying that most people here tonight have a Facebook account. I also know that I, maybe like you, could not do my job without Google and other digital services.

But do we really know where all of our digital information is going? Do we know which companies have control of it and what government agencies, both foreign and domestic, have access to it? And, maybe most important of all, do we even care as long as our lives are made easier?


For many in Europe, these questions form the basis for the region’s efforts to become a global data watchdog in the internet age.

Some of Europe’s skepticism is based on historical precedent.

During the Cold War, many in the East were exposed to routine government surveillance, so any inkling of overreach by the likes of Google or Facebook can quickly raise hackles from people with memories of what came before 1989.

Many people in Europe also remain skeptical about the often dominant role that many American companies, be they tech or non-tech, play in the local economy.

While Microsoft’s Bing search engine still gives Google a run for its money here in the U.S., Google has more than a 90 percent market share in online search in Europe. Facebook has seen off a number of European competitors to become arguably the most important social network in the world. And from Apple’s iPhone to Amazon’s online shopping services, many of the digital services on which Europeans rely are primarily Made in America.

Now you might be asking, what right does Europe have to police these American companies? Well — through a quirk of fate — Europe has more power than you might think.

For mostly tax reasons, many of the largest American companies have set up international headquarters in Europe, taking advantage of low corporate tax rates offered by the likes of Ireland or Luxembourg. That means these countries’ lawmakers and regulators have an oversized say in how these companies operate internationally because technically, many of their non-American users fall under the jurisdiction of European authorities.

This can lead to some odd outcomes.

Take this somewhat shabby-looking building in Portarlington, Ireland, roughly an hour’s drive from Dublin.

The office of Ireland’s Data Protection Commissioner in Portarlington, Ireland

Above a local supermarket sits Ireland’s Data Protection Commissioner.

Among other things, this agency, whose annual budget barely tops $4 million, has authority for policing how Facebook uses the data from its non-U.S. users. That’s roughly 1.5 billion people. As we will see later on, this can often lead to tension over Europe’s role in digital policing in the internet age.


At this point, I have to say a couple of words about the United States.

Europe is not alone in trying its hand at policing the internet. And some of America’s efforts date back to when horses were the most popular form of transportation.

For one, there’s the Fourth Amendment of the Bill of Rights that protects against unlawful searches and seizures. A number of industries, including the healthcare and financial sectors, also have their own privacy rules, including requirements to inform customers whenever their data may have been misused or stolen.

The Federal Trade Commission, the agency mostly in charge of such matters in America, also has extensive powers to fine companies that misuse our digital information. In truth, these fines — some totaling tens of millions of dollars — are significantly stronger in the U.S. than what currently can be levied in Europe.

But there is one major difference between the U.S. and Europe.

Right now, America does not have an overarching consumer privacy bill of rights. That would potentially give Americans a greater say over how their digital information is collected, stored and used by companies and government agencies, alike.

Contrast that to Europe, where something called Article 8 of the European Convention of Human Rights gives people the right to a “private and family life.” That, combined with subsequent European privacy rules over the years, has given the region some of the toughest privacy protections anywhere in the world.

And as the use of people’s digital information has come to form the backbone of the current internet age, European policy makers and even just average European citizens have not been afraid to invoke their rights beyond the 28-member European Union, including in the United States.



So now that I’ve laid out some of the background, let’s get down to business.

I want to walk you through a couple of recent privacy cases that have cemented Europe’s role as arguably the most active global regulator of the internet age.

To do so, I want to introduce you to another Spaniard. This time, his name is Mario Costeja. And here he is.

Mario Costeja González, who started the ‘right to be forgotten’ push in Europe in 2009

I think it’s fair to say that Mr. Costeja is an accidental poster child of Europe’s global regulatory push.

His story starts in 1998 when La Vanguardia, a Barcelona-based newspaper, published a list of forced property sales resulting from a number of people’s outstanding debts, including those of Mr. Costeja. The article ran in the print edition and then was posted online.

This is where Mr. Costeja got involved.

In 2009 — a decade after the information was first published — he contacted the newspaper saying that the information about his debts showed up when people searched his name in Google, and that he wanted the information to be taken down. La Vanguardia refused, saying that it had published the property sales as part of a legally-mandated process by the Spanish government.

Mr. Costeja did not stop with the newspaper, though.

In 2010, he also contacted Google directly, asking them to remove the links to the newspaper article. He told them the information was no longer relevant and that its availability online infringed his privacy rights.

At the same time, Mr. Costeja also made an official complaint to Spain’s national privacy regulator, an entity that does not have an equivalent in the United States. Basically, each European country has a non-elected regulator to oversee people’s privacy concerns. If you have a problem with how your data is used, then they are the people you turn to.

After some legal wrangling, the Spanish privacy watchdog sided mostly with Mr. Costeja. It rejected his claim against the newspaper, but demanded that Google remove the online links to the story, even though the article would remain online.

Not surprisingly, Google appealed. And when the case took on greater significance beyond Mr. Costeja, Spain’s courts referred the case to the European Court of Justice, roughly equivalent to the U.S. Supreme Court.

Why did this case become so important?

It focused on the ability of Europe’s privacy authorities to police the actions of an international company, in this case Google. It also raised questions about how far Europe’s privacy rights could stretch, and how internet giants like Google managed the reams of personal data that people produce everyday around the world.

And, finally, it highlighted an often overlooked right in Europe called the “right to erasure,” or, as it later became known, “the right to be forgotten.” Without getting bogged down in legal nuances, this right gave people based in Europe the right to have their personal data erased and removed from publication under certain circumstances.

So it goes without saying that both sides — Europe’s privacy advocates and Google itself — took the case very seriously.

Fast forward to 2014, and the European Court of Justice made its ruling. And against most people’s expectations, the judges again ruled in favor of Mr. Costeja. They said that he and other people based in Europe had the so-called “right to be forgotten,” and that Google and other search engines must remove links to online material if people could prove their privacy had been infringed.

There were a couple of caveats.

Not everyone can ask for links to information to be removed. Anyone with a public profile — politicians, sports stars and even journalists — can’t wipe their online profiles clean. And the original online text, be it a newspaper article, blog post or social media image, remains online. Only the links to the content are removed.

In Mr. Costeja’s case, that meant Google must remove online search links to the original article in the Spanish newspaper. But the article itself remains online.

Ironically for Mr. Costeja, his role in the case has now made him so famous that he falls under the ‘public figure’ category and therefore can’t ask for links about himself to be removed from online search results. Such is life.

Given its enlarged — and unwanted — role in protecting European privacy rights, Google has reluctantly become one of the region’s most active regulators of online content.

As of last week, Google had received more than 560,000 requests related to almost 2 million web links, according to the company’s transparency report. It had removed just over 40 percent of these links, with people in France making the largest number of requests.

That has put Google arguably in charge of more privacy-related requests than any other agency, in Europe or the United States — something definitely not envisaged by Europe’s highest court.

The company has accepted this role, although it has warned that the privacy ruling represents an overreach by European regulators that undermines people’s freedom of expression and right to access unfettered information.

The company also has said more totalitarian regimes may follow suit.

That already has happened in Russia, where a ‘right to be forgotten’ law came into force earlier this year. The law goes beyond what is currently available in Europe, allowing public figures, for example, to ask for the removal of web links in Russia.

In Europe, Google also has not been above showing its disdain in some somewhat passive aggressive ways.

Whenever you search on Google in Europe, for example, this box appears at the bottom of each page as a reminder that not all of the links you’re looking for may be available.

Google’s Right to be Forgotten response on each of its search pages in Europe

There are a couple of points I want to make before we move forward.

First, Europe’s ‘right to be forgotten’ ruling currently applies only in Europe. Americans do not have the same right, and it’s unlikely they will ever do so because of the First Amendment.

Second, the privacy decision arguably represents a step change in how we define the internet of today.

For the last three decades, we’ve all pretty much had the same access to the online world. Whether you’re surfing the Web in San Francisco, Singapore or Spain, up until now, the information presented on search engines has been roughly the same, give or take.

That is no longer the case.

When I now search for something in Europe, there’s a chance that I won’t have access to the same information as when I search for the same thing here in Utah.

This ruling has meant that the world wide web we have come to know and love has the potential to become increasingly balkanized, divided between how different regions approach the internet.

That increasingly means different regions or countries may impose their own rules — however justified they think they are — on what the internet looks like.

That is a worrying trend if, like me, you are a fan of freedom of speech and access to unfettered information.

Europe’s ‘right to be forgotten’ case, however, does not end with Mr. Costeja in 2014. And it is this next chapter that illustrates how far Europe’s reach can go.

So. I would now like to introduce you to another important person in this privacy puzzle.

Her name is Isabelle Falque Pierrotin, and she is head of the French data protection authority, known as the C.N.I.L. Isabelle also chairs a Europe-wide group of national privacy regulators, and has often taken a tough line against American companies in how they use people’s digital information.

Isabelle Falque Pierrotin, head of France’s privacy regulator and of a pan-European body of data protection authorities

Soon after the ‘right to be forgotten’ ruling in 2014, Isabelle made a simple request: that Google should apply the privacy ruling worldwide.

Her rationale actually was pretty straightforward. As it stood, Google was removing links to online content within Europe on its European domains. Google.de in Germany, Google.fr in France. But if people really wanted to get past these restrictions, all they would have to do was type Google.com (the company’s global domain) into a web browser and off they went.

Isabelle, along with some of Europe’s other privacy regulators, believed that this flouted Europe’s privacy decision. And that Google should extend the ‘right to be forgotten’ ruling worldwide to close this loophole.

To say that Google was not pleased would be an understatement. The company again claimed that Europe’s privacy watchdogs were going well beyond their remit, that the ‘right to be forgotten’ ruling could not be carried out in some countries, including the U.S., and that it would open the flood gates for totalitarian governments to ask for similar global restrictions.

As with many of these internet governance issues, this one ended up in court.

The French regulator gave Google a deadline to make the ‘right to be forgotten’ ruling global. The company refused. When a number of European regulators backed the French, Google tried to forestall further problems. Eventually, it agreed to block certain links from all of its global domains, including Google.com, but only to people in Europe.

That, however, did not go far enough for the French, who fined Google just over $100,000 in March for failing to comply with their demands. Google is appealing the decision.

Now, for a company whose annual revenue tops $75 billion, you would think they would take this financial slap on the wrist and just get back to business.

But for Google and other companies that rely on digital information to power their daily businesses, ‘right to be forgotten’ represents the potential thin edge of a wedge for future fights over how the internet is governed.

The idea is simple. If France and other European regulators can get Google to alter its global operations to comply with European rules, what comes next? Will Europe find it easier the next time to get its way? And how can American and other international companies balance how Europe views the world with other jurisdictions whose own domestic laws run counter to European demands?

It is also worth noting that Europe’s ‘right to be forgotten’ decision has not gone unnoticed by other countries.

We’ve already seen how Russia passed its own version of the rules.

In Japan, a man earlier this year initially won a legal case against Google over three-year-old news reports that could be found in online search results about his arrest in connection to child prostitution and pornography. The case, though, was overturned in the summer by a higher court.

In Mexico, regulators also are pushing their own form of ‘right to be forgotten,’ allowing people to request that online search links be removed. The right only extends to within Mexico’s borders, but already a number of high profile cases have been opened by Mexicans asking Google to remove online links. Google is appealing the cases, claiming — just as they have done in Europe — that the rules impinged on people’s access to information.

As you can see, where we are now — with ‘right to be forgotten’ rules springing up around the world — is a long way from where we began with Mr. Costeja and his efforts to remove information about his past debts from the online record.

It is a reminder of how quickly things can snowball.

Don’t get me wrong. I have a lot of sympathy for some of these right to be forgotten cases, many of which relate to people who have done stupid things and now must live a lifetime with that information readily available online.

At the New York Times, we have received a fair number of notices that some of our articles no longer appear in certain search results in Europe. Google must inform every website when links to information are removed. And while the company will not say who has made these requests, often it is fairly obvious who the individual is likely to be.

And these are not bad people looking to hide bad deeds.

On many occasions, it is someone looking to remove online references to a marriage that has gone bad. Or a write-up in the local newspaper of a petty crime committed while in college that now appears at the top of every Google search page when you put in their name.

Who would not have sympathy for such requests? And as we saw earlier — with the tweet from the Spanish mayor about his newly-born daughter — we are increasingly living in a world where we are defined, literally at birth, by our digital information.

Yet as a journalist, I have to admit that I find the removal of links to information unsettling. And I also have sympathy for Google’s argument that Europe’s privacy ruling may have long-term and unintended consequences.

There is no right or wrong here.

There is also no silver bullet that would solve people’s privacy concerns while also protecting freedom of speech.

Like in most things in life, something will have to give. And right now, it is Europe that mostly is leading the way in figuring out how that will work out.


So we have looked at how Europe has taken on Google to expand its control over some parts of the internet.

Now we turn to Europe’s efforts linked to another American tech giant: Facebook.

This story actually doesn’t start too far away from where we are tonight.

About six years ago, an Austrian student called Max Schrems was spending a semester as an exchange student at Santa Clara University’s School of Law in California.

And here is Max.

Max Schrems, a digital privacy rights campaigner who brought several complaints against Facebook

During the semester, a couple of Silicon Valley lawyers came to talk to one of his law school classes. As we’ve seen, many American tech companies have large operations in Europe, often to take advantage of low corporate tax rates.

During Max’s class, these lawyers laughed about Europe’s privacy rules. They did not take them seriously. Why? Because even if a company broke the law, these lawyers said, the penalties for bad behavior were so small that they really didn’t mean much.

Now looking back at what happened further down the line, what these lawyers said must go down as one of the most idiotic things to say to a bunch of law students. And that is particularly true for what Max Schrems did next.

Like many students, Max was not sure what to write about for one of his college papers. So, based on what he had heard the Silicon Valley lawyers say, he decided to write about how Facebook dealt with European privacy rules. Why Facebook? Mostly because at the time, it was gaining traction in Europe after becoming popular in the U.S. And, it was the first name that came to him.

So what did Max do? First, he sent a request to Facebook’s operations in Ireland — the company’s office that has official control of the data on its non-American users. He asked them for all of the data that Facebook had collected on him since he signed up in 2008.

Within a month, he heard back from Facebook. And, more important, Facebook sent him a C.D. that contained more than 1,200 pages of information — from his friend requests to what he had written on other people’s Facebook walls.

You can see some of the redacted information in this picture of Max.

Max Schrems with the redacted information that he received from Facebook

Now, most of us would have stopped there. But Max didn’t. Instead, he was shocked that Facebook had held onto digital information, including some very personal online messages, that he had deleted from the social network.

Under European law, this is not allowed. So, like any soon-to-be lawyer, Max filed a number of legal complaints in 2011 with the Irish privacy regulator against Facebook.

Remember this place?

It’s the Irish privacy regulator, sat above the local supermarket.

The main office of Ireland’s Data Protection Commissioner

On the back of Max’s complaints, Ireland’s privacy regulator eventually conducted an audit of how Facebook handled the online personal information of its non-American users. And while Max and other privacy advocates said the review did not go far enough, Facebook eventually agreed to make a number of changes to how it handled people’s data.

That included how long Facebook held onto some of people’s digital information.

It is worth stopping here for a minute.

Here we have a 24-year-old Austrian student taking on what would soon become one of the largest technology companies in the world. Max used European privacy rules to gain access to his digital information. He then brought legal complaints against Facebook to a European privacy regulator. And after a lot of legal wrangling, Facebook changed some of its ways.

It would be an example of things to come.

We must now fast forward to 2013 when Edward Snowden, the former contractor for the National Security Agency, or N.S.A., enters the story.

Edward Snowden, a former contractor for the N.S.A., published details about a number of clandestine programs run by U.S. intelligence agencies.

Now, Snowden deserves a lecture all to himself. So I will just focus on how his revelations about the N.S.A.’s alleged surveillance activities relate to Europe’s push to become a global internet watchdog.

Among his many revelations, Snowden claimed that American intelligence agencies had used a program called Prism to gain access to Europeans’ personal information held by Facebook.

I must also say here that Facebook denies these allegations. And the U.S. government has never officially confirmed that it has the surveillance programs that Snowden made public.

But allegations that Europeans’ digital data may have been unlawfully accessed by the N.S.A. were like catnip to Max Schrems.

Soon after Snowden’s revelations were made public, Max filed another complaint with the Irish against Facebook. This time, he accused the company of mishandling Europeans’ online information through their participation in Prism. Facebook denied these accusations.

The basic question Max was asking was this: How safe is your data held by American tech companies like Facebook and what protections do Europeans have when that data is moved out of Europe?

Most American tech companies shift people’s digital information around a vast network of global servers, many of which are based in the United States. So by filing his complaint against Facebook, Max was questioning whether such practices were safe. And if they weren’t, should Europe do something about it?

Just like in the Costeja-Google case we talked about earlier, Ireland’s judges asked the European Court of Justice — the region’s highest court — to step in at this point to make a ruling because of the potentially global significance of the case.

At stake was whether companies could continue moving digital information between Europe and the United States.

As we have seen, data has become central to our everyday lives.

And any ruling that would limit such so-called cross-border data transfers would likely have a significant impact on thousands of businesses. Let alone how you and I use digital services.

So this takes us to October of last year.

In their legal decision, Europe’s judges ruled that Europeans’ data was not fully protected when sent to the United States.

They were saying that the U.S. — despite its own privacy protections and its longstanding rule of law — was not a safe place for Europeans’ digital data to be kept. This was specifically linked to the Snowden revelations. It focused on how some American government agencies may have illegally accessed Europeans’ information when it was transferred from Europe to the U.S.

To be clear, the U.S. government has never confirmed the existence of Prism or any of the other programs revealed by Snowden.

And in one fell swoop, these European judges cancelled a 15-year-old transatlantic data transfer deal known as ‘Safe Harbor.’

This agreement had allowed everyone from Google to General Electric to freely move digital information between Europe and the U.S. These interactions had underpinned hundreds of billions of dollars of business and allowed you and me to readily access everything from Facebook posts to iTunes videos to Amazon shopping trends.

It is worth noting how many companies were affected by the ruling, which came into force overnight.

About 4,000 companies had relied on the ‘Safe Harbor’ agreement to move data across the Atlantic. These were not just the likes of Amazon and Facebook. It included non-tech businesses that moved payroll or pension information between Europe and the U.S., and American companies — maybe some from here in Utah — that had held information on their European clients.

Almost overnight, this digital highway between two of the world’s largest economies had been shut down.

It was an unprecedented move.

One that has without a doubt changed how digital data is shared between Europe and the U.S.

And it all stemmed from a twenty-something Austrian student who had once been told by a couple of Silicon Valley lawyers that Europe’s privacy rules were not worth the paper they were printed on.

The European court decision to cancel the ‘Safe Harbor’ data deal left American and European policy makers in a bind.

While many in Europe wanted the complete halt of digital data being moved from Europe to the U.S., many lawmakers understood that such calls were unrealistic. We live in an interconnected world. And, like it or not, moving information from one region to another is now part of everyday life.

More important, American and European law enforcement agencies still wanted to cooperate legally when sharing sensitive data between themselves. So something new to replace ‘Safe Harbor’ was needed. But this time, Europeans’ privacy rights had to be better protected.

That takes us to last summer.

In July, American and European officials finally announced a new data deal. This time, they called it the E.U.-U.S. Privacy Shield. It’s not the best name. But some of the safeguards that Europe was able to secure from their American counterparts go farther than what any other jurisdiction has ever been granted when it comes to checks on American government access to digital information.

Without getting too stuck in the weeds, the European safeguards include:

  1. Europeans have a greater say on how their information will be used once it’s moved to the U.S. That includes the right to use American courts when they think companies or the U.S. government may have misused their data.
  2. Written guarantees from American officials that U.S. government agencies will not indiscriminately collect and monitor Europeans’ data without cause.
  3. A specific individual in the State Department whose job it is to respond to European complaints that U.S. government agencies may have unfairly collected and used Europeans’ digital data.

No other country or region has similar safeguards. And no other country or region would likely be able to secure such safeguards.

The new ‘Privacy Shield’ agreement really does show how far Europe has been able to go to extend its own view of privacy beyond its borders.

As always, there are a couple of footnotes that are worth mentioning here.

Do you remember the French privacy regulator we met earlier in the Google ‘right to be forgotten’ case?

Here she is again.

Isabelle Falque Pierrotin, head of France’s privacy regulator and of a pan-European body of data protection authorities

During the negotiations for the new ‘Privacy Shield’ agreement, Isabelle, the French privacy regulator who also chairs a pan-European group of data protection regulators, was skeptical that the new safeguards went far enough to protect Europeans’ rights.

And while she and other European regulators eventually gave their support to the deal, they said they would monitor how well the new deal performed. And at some point in the future, they left open the possibility that they could revisit the deal.

What does that mean? Well, after years of negotiation, the new agreement that allows data transfers to flow between Europe and the U.S. may still be in jeopardy. Europe’s regulators have the right to question if it’s strong enough. And if they don’t think it is, they could look at ways to change it again.

And one final point on Max Schrems, the Austrian who started off this whole process in 2010.

Max has become somewhat of another poster child for European privacy rights. And he has said that he does not believe that the new ‘Privacy Shield’ agreement goes far enough to protect Europeans’ rights.

So, just like in his initial Facebook complaints, he has started to test the legality of ‘Privacy Shield.’

This is a tweet that he posted at the end of September.

Max Schrems’ new test case for Privacy Shield is targeting Google.

This time around, he is focusing on Google to test whether it has broken Europe’s tough privacy rules. The company says that it complies with all necessary laws in Europe.

But with Max starting a new round of complaints, the future of ‘Privacy Shield’ and how data is shared between Europe and the U.S. is anything but secure.


So the question is: where do we go from here?

With the ‘right to be forgotten’ and ‘Safe Harbor’ cases that I just outlined, I hope I’ve shown that Europe — for the good, or bad — is taking on a greater global role in policing some of the basic tenets of our internet age.

And it does not stop there.

Europe recently passed another set of rules to give itself even more powers. And this time, the rules have real teeth.

Under new laws that will come into force most likely in 2018, European regulators will have the power to fine companies up to 4 percent of their global revenue, or $22 million, whichever is greater, if they misuse Europeans’ data.

And these rules don’t just apply to big companies like Google and Amazon. They will apply to almost all companies — from a small start-up here in Salt Lake City to some of the world’s largest companies — that have European clients.

This again represents a significant escalation of Europe’s potential powers in the internet age.

To conclude, I wanted to leave you with a couple of questions.

As I mentioned earlier, I remain somewhat agnostic to Europe’s push to become a global cop in the internet age.

I can see real merit in protecting people’s digital data, particularly when we now live in a world where even our first memories are projected to a potentially global online audience.

And I do have a lot of sympathy for people’s fears that too much of our data is being used in ways that we do not understand and cannot control.

There are legitimate concerns here, and someone should be asking serious questions.

But should it be Europe that is asking these questions? What right does a regulator in Paris or Dublin have to ask an American or other non-European company what they are doing with someone’s digital information?

If Europe starts trying to move beyond its borders, what happens when the likes of Russia and China do the same? And where do American authorities fit into this global jigsaw puzzle? Should Congress, the F.T.C. or some other federal agency step in to make its own presence felt on the global stage?

These are all legitimate questions to ask.

And as I conclude, I would like to put these questions of privacy, national sovereignty and the global internet age somewhat into perspective.

We all here rely on digital services. And we all want to keep the digital data about our friends and family safe.

But sometimes in our efforts to balance these two often contradictory forces, things can become a little absurd.

I want to leave you tonight with this image put on Twitter recently about Google’s somewhat misguided efforts to protect online privacy.

A Google Maps image uploaded on Twitter by David Shariatmadari, Head of U.S. Opinion at the Guardian

As you can see, the cow’s face has been blurred out to protect its privacy.

Sometimes, even Google, one of the largest companies in the world, can be a little overzealous.

Thank you for your time.