As part of Cloudflare’s recent Privacy Week we hosted a series of fireside chats on security, privacy, and compliance. Many of these conversations touched on the intricate legal debate being held in Europe around data sovereignty. Here are some of the highlights.
Prof. Dr. Wilfried Bernhardt
Honorary professor — University of Leipzig,
Attorney, CEO Bernhardt IT Management Consulting GmbH
We have to agree to go down a common road, a common path. And this common path can really only consist of saying: let’s sit down together again. I’m talking about the European Commission and, above all, the new administration in the United States. We are all waiting for them expectantly.
And then we look at what our common fundamental values are and see if we don’t simply come together better than we have in the past. After all, our fundamental values are the same: human rights, democracy, the rule of law. You have to concede that there are some differences in understanding when it comes to interpreting what privacy means — well, in the US freedom of expression is sometimes considered more important than privacy. In Europe, it’s perhaps the other way around.
But if we look at it without ideological blinders, we can certainly come together. After all, when it comes to fighting terrorism and crime, it is common insights that play an important role. So it would be a great pity if we didn’t come together. But it is not permissible that, for example, American authorities simply say: we will allow ourselves access to European data of European Union citizens, we don’t have to ask anyone, and we don’t grant legal protection either. To be honest, that’s not how it works.
Director of the Europe Office, Center for Democracy & Technology (CDT)
My hope would be that we have a more global approach to international privacy standards. And I think for 2021 in Europe, it will be all about the Digital Services Act. And of course on the individual users’ rights as well, on free expression.
I think that human rights advocates will all have a lot of work to do to make sure that we guard our own rights to express ourselves online, but also protect people from harassment and hate. Getting that balance right in law and practice, I think, is going to be really important to maintain the Internet as a free and open space where we can organize and fight to protect human rights and democracy.
We at the Center for Democracy & Technology are strong advocates and practitioners of multistakeholder approaches. So these kinds of dialogues between the private sector and civil society to get into the details of, what are the technical solutions, what does that mean in different places? I think that’s going to be really important to get some of these policy challenges right.
Chief Security Officer, Mozilla Corporation
In the US we see a lack of a strong privacy regime, which is a problem — but also you don’t really see mandatory data retention and you don’t really see mandatory blocking in the US. Parts of Europe do have various sort of retention regimes or mandatory blocking regimes, or at least there is a desire within the policy space within Europe, to consider especially the DNS as a tool to facilitate content blocking.
Now, we think that’s a very bad idea for a number of reasons, partly because it’s bad on principle. It will result in risk to free expression. And also because it’s not a very effective way to address a lot of these serious content problems that bubble up today. And that’s the argument that I tend to make. We are actively thinking about the right set of solutions for malicious content on the Web. But blocking at this level, the stack through the DNS system — it’s a bad idea. It’s not going to work, and it will have serious free expression challenges.
Dr. Katrin Suder
Chairperson of the Advisory Council on Digitalization for the German Federal Government, Member of Cloudflare’s Board of Directors
I think a lot of realism has come in, realism about what is actually feasible and what is possible, and at the same time the recognition that we don’t want to lose the innovation that American companies in particular are bringing.
How will this continue? Of course, that’s always difficult to predict in a process like this. I think what is actually needed, and we have talked about this in various forums, is first of all a clean assessment process for the current situation. Where do we actually stand with sovereignty? We have to be honest about this. So, where are we actually dependent and how can we deal with this dependency?
Because there are dependencies where you can perhaps say, yes, so be it, maybe it’s not so bad. And then there are perhaps dependencies that are very critical. That’s where you have to invest, but not to replicate, rather to push the next generation, so to speak. And I think this process should be driven by the European Commission.
Director General, Policy — EMEA, BSA | The Software Alliance
One of the things that we spend time thinking about — and it’s going to be a long-term project, because it will not happen overnight — but it’s about: how can like-minded democracies find a way to create a standard? What will be the standard for acceptable government access to data and national security practices? What would be the ways that they would conduct these investigations? What would be the safeguards that exist? What would be the means of redress or of challenging those?
These are the things that need to happen between countries that are like-minded, that value privacy, but that also value the security of their citizens. And how can it go forward by creating this standard that would then bring a lot more clarity, a lot more certainty and a lot more appeased views in this entire debate. And that is the thing that we think is essential. We know that work is being done on this in certain fora — such as the OECD — and we very much encourage countries to think about this more, and to find a way forward.
Quotes have been lightly edited for clarity and length, and translated as necessary.