Trade Law Daily is a Warren News publication.
Strong Security Partnership

EU, US Diverge on Cybersecurity Post-Snowden, Conference Told

The U.S. and EU took divergent cybersecurity policy approaches in the almost three years since former NSA contractor Edward Snowden began leaking information about controversial U.S. surveillance programs, but they continue to maintain a strong cybersecurity partnership, said Andrea Glorioso, delegation of the EU to the U.S. counselor-digital economy/cyber. Glorioso and others at Wednesday's Georgetown University Law Center event said cybersecurity policy differences between the EU and the U.S. are reflected in the U.S. 2015 Cybersecurity Act and the EU 2016 General Data Protection Regulation (GDPR).

The 2015 Cybersecurity Act, passed as part of the FY 2016 omnibus spending bill (see 1512160068 and 1512180052), struck a balance between two competing information sharing bills by setting up the Department of Homeland Security's National Cybersecurity and Communications Integration Center as the U.S.' main civilian information sharing portal and including liability protections that extend to sharing information with the FBI and Secret Service. The bill also included substantial privacy protections but was criticized by civil liberties and digital rights groups.

The data protection-centric GDPR, passed in April, gives EU residents more control over how their personal information is used online and sets limits on law enforcement use of that data. The law won't take effect until 2018 (see 1604140021). Negotiations are almost complete on a separate network and information security directive, Glorioso said. The directive will boost cybersecurity capabilities in and cooperation among European countries, and require operators of essential services such as search engines and cloud computing to install appropriate security systems and report incidents to national authorities (see 1601270014).

Both the Cybersecurity Act and GDPR were heavily influenced by the fallout from the Snowden leaks, Glorioso and others said. The Cybersecurity Act diverged significantly from the 2012 Cybersecurity Act championed by Sen. Susan Collins, R-Maine, and then-Sen. Joe Lieberman, I-Conn., said Georgetown Law Privacy & Technology Center Executive Director Alvaro Bedoya, a former aide to Sen. Al Franken, D-Minn. Snowden “changed everything” about the debate over cybersecurity information sharing because the NSA leaks confirmed “the worst fears of privacy advocates,” Bedoya said. The 2015 Cybersecurity Act resulted in some noticeable “practical improvements” in the information sharing landscape, said AT&T Vice President-Global Public Policy John Brueggeman. He said that since the government is still setting up rules on information sharing stemming from the bill, it's “early days.”

Privacy has become an increasingly important factor in both EU and U.S. cyber policymaking in recent years because of the Snowden leaks but remains far less important elsewhere, said U.S. State Department Coordinator-Cyber Issues Christopher Painter. Privacy appears to be an almost nonexistent factor in cyber policymaking in China and Russia, which have both pushed for data localization laws in recent years “because they're worried” about the “destabilizing effect” of outside information on the stability of their governments, he said. Data sovereignty laws are also a much more important cyber policy issue than privacy outside of the EU and U.S., Painter said.