Why Trump’s administration is going after the GDPR

U.S. troops being yanked out of Germany. A brewing trade war over digital tax. Now add this to the list of issues dividing Europe and the United States: a looming clash over privacy.

As the EU touts the “success” of its flagship privacy law, the General Data Protection Regulation (GDPR), Donald Trump’s administration is ramping up attacks on a system it says provides cover to cybercriminals and threatens public health.

In an interview with POLITICO, U.S. Deputy Assistant Secretary of State for Cyber Rob Strayer said he is raising concerns about the GDPR with counterparts in Brussels and EU capitals as a “top diplomatic issue.”

His lobbying focuses on “fixing interpretations” of the GDPR which he and several other parties, including EU law enforcement officials, said are protecting online scammers and fraudsters at a time of exploding cybercrime linked to the coronavirus pandemic.

"We do have serious concerns about its [the GDPR's] overly restrictive implications for public safety and law enforcement," said Strayer, who was at the forefront of efforts to convince EU allies they should dump Huawei from their 5G rollout plans. "We definitely find that divergent interpretations [of the law] are also an issue, chilling some of the commerce that could be taking place."

U.S. objections to the GDPR, which came into effect just over two years ago, are hardly new. Silicon Valley giants lobbied energetically against a law that many U.S. players said was a tool designed to limit the power and wealth of Silicon Valley giants like Google and Facebook.

Many of those arguments — namely, that the GDPR has rendered a database of domain name owners, WHOIS, far less effective in tracking down suspected cybercriminals — are the same today as they were two years ago.

Yet in the past few weeks, as EU privacy watchdogs wrapped up their first major probes into U.S. companies and Google lost an appeal against a €50 million fine in France, the criticism from Washington has grown more fervent, and a lobbying campaign has gotten underway in the U.S. to push back against the effects of the GDPR at home.

For now, the pressure is unlikely to trigger anti-GDPR action from the Trump administration — as the president is consumed by his reelection campaign.

But all of that could change this summer, when a Court of Justice of the European Union ruling could put privacy right back at the center of transatlantic tensions.

The ruling, expected mid-July, could find that heaps of data transfers from the EU to the U.S. are not legal under Europe’s privacy laws, putting billions of euros in digital trade at risk. Washington — for the second time — will face pressure to beef up privacy protections to keep doing business with the EU.

That's a worrying prospect for Washington, one that would be “so detrimental” to transatlantic trade, according to Strayer. “One thing we’re really pushing is concerns about these ECJ cases,” he said about recent discussions with the European Commission and various agencies.

At the heart of the issue for many U.S. critics of the GDPR is the WHOIS database, an online directory created in the 1970s, which became an important tool for global law enforcement agencies fighting cybercrime.

It has also come under fire over a lack of privacy protections.

GDPR critics say the rules have made it harder to identify cybercriminals. Before the law came into effect in May 2018, they could issue a request via WHOIS to identify the owner of a domain name in a process that many say was simple and straightforward.

After the law came into effect, however, it became much more complicated. Registrars — the entities that control domain names — became concerned that, if they complied with such requests, they could be sued for privacy violations under the GDPR. In many cases, law enforcement officials had to ask a judge to validate the request, a process that one EU law enforcement official said is "very slow" and "not effective."

In February, a Republican Congressman introduced a bill to the House of Representatives demanding that domain name information be made readily accessible via WHOIS. Two months later, a group of 40 companies, trade associations and interest groups wrote to Vice President Mike Pence urging him to force internet registrars to identify cybercriminals for law enforcement purposes.

Critics say that EU privacy authorities need to address the problem by creating an exception in the GDPR for law enforcement. They also complain that, despite numerous letters addressed to the European Data Protection Board (EDPB) over the past two years, the law around domain name requests remains unclear.

Asked about such complaints, a spokesperson for the EDPB, an umbrella group of privacy watchdogs, referred POLITICO to a letter from 2018 in which the body's chief argued that contact information for the holders of domain names need not be made available by default under GDPR.

Further correspondence from the U.S. was "for information only" and did not warrant a response, the spokesperson added.

Multiple parties, including ICANN, the nonprofit that maintains the WHOIS database, and law enforcement agencies around the world, have called for WHOIS to be replaced by a more privacy-friendly system that would provide the same functionality for cybercrime investigators.

In conversations with POLITICO, a range of critics including the U.S. Chamber of Commerce and two European law enforcement officials said that EU data protection authorities are refusing to clear up legal confusion about who could lawfully use such a system and under what conditions.

"All of this has been a frustration for two years that has been building and building," said Sean Heather, senior vice president for international regulatory affairs at the U.S. Chamber of Commerce. "The Europeans should make clear that this [identifying suspected cybercriminals] is not a violation of the GDPR," he added.

In response to such critiques, EU privacy officials said it is up to legal authorities in member countries to respond to law enforcement requests to identify domain name owners, and that no change to the GDPR is planned.

The European Commission's own evaluation report of the law, released June 24, also did not mention the WHOIS database as an issue.

But such responses have not satisfied critics who argue that the EU is failing to take steps that would help investigators clamp down on a major surge in online criminal activity, including phishing attacks that take advantage of health fears linked to the COVID-19 crisis.

"The GDPR makes it much more difficult to identify people," said Dennis Dayman, a cybersecurity expert and member of M3AAWG, an international tech forum that works to reduce the threat of online attacks. "That is a big problem at a time when we are seeing an increase in phishing attempts, a lot more blocking on IP addresses because people are at home."

Dayman and other U.S. parties said they would prefer to avoid any sort of high-level clash over the GDPR, as doing so would only undermine the internet's global nature. The fact that European law enforcement agents shared their concerns about domain names and cybercrime would help to speed up the development of a new database, they said — a point corroborated by EU security officials.

Meanwhile, though, the gulf between the two sides seems to be growing wider. In response to a consultation on the GDPR launched by the European Commission, the U.S. Mission to the European Union wrote in April "that the application of the GDPR is creating significant risks for public safety, both for the citizens of the EU and for citizens worldwide."

The harsher tone hints at growing concern over GDPR that goes beyond the WHOIS matter, to the perceived risk that EU privacy poses to U.S. interests abroad.

If the CJEU delivers another blow to transatlantic data flows in July, the tensions could reach a breaking point — resulting in even greater disparities between Europe and the United States over privacy.

from Politics, Policy, Political News Top Stories https://ift.tt/2YJGj5f
via 400 Since 1619

Hong Kong national security law unanimously passed by Beijing, expected to become effective on July 1

This story is being published on POLITICO as part of a content partnership with the South China Morning Post. It originally appeared on scmp.com on June 30, 2020.

Beijing’s top legislative body has unanimously passed a sweeping national security law for Hong Kong prohibiting acts of secession, subversion, terrorism and collusion with foreign forces to endanger national security.

The law, approved by the National People’s Congress Standing Committee (NPCSC) on Tuesday, is expected to carry a maximum penalty of life in jail.

Sources told the Post the law was approved unanimously by the standing committee’s 162 members, within 15 minutes of the meeting starting at 9am.

Only a handful of Hong Kong delegates to the national legislature saw a draft of the law before its passage, a major point of contention, with many in the city decrying the lack of transparency given the legislation’s far-reaching consequences.

On Sunday, the standing committee began a special meeting fast-tracking the bill, which was passed on the last day of the three-day session.

The Post has been told the Basic Law Committee, which advises Beijing on Hong Kong’s mini-constitution, would meet “immediately after the standing committee passed the law to discuss its insertion into Annex III of the Basic Law”.

A source familiar with the situation had said Xinhua, the official state news agency, would publish the details in the afternoon, marking the first time the law will be fully disclosed to the public.

All Hong Kong delegates to the nation’s top advisory body, the Chinese People’s Political Consultative Conference, and the NPC, have been asked to attend a meeting, believed to be a briefing on the bill, at the central government’s liaison office at 3 p.m.

The law is expected to come into effect on July 1, the 23rd anniversary of the city’s handover to China from British rule.

Passage of the contentious legislation came a day after Beijing announced visa restrictions on United States officials who have “behaved extremely badly” over Hong Kong.Beijing and Washington had been locked in an escalating diplomatic row over the year-long Hong Kong protests and the national security law.

The US earlier vowed to strip Hong Kong of its preferential trade status, and had enacted visa restrictions on Chinese officials deemed responsible for undermining local autonomy and freedoms.

Lam ducks questions on new national security law

Shortly before 10am, at her weekly media briefing, Chief Executive Carrie Lam Cheng Yuet-ngor said she would not answer questions on the new law until it was passed by the NPCSC, and had been listed in Annex III, for her government to promulgate it.

“It would be inappropriate for me to answer any questions and explain [the law] at this stage,” she said.

“What I can say is that when the law has been approved … My principal officials and myself will try our best to respond to questions about the law, especially those related to implementation and enforcement.”

Lam was asked if the police force would be appointing a new deputy commissioner to handle national security issues, whether those convicted under the new law could be jailed for life, under what circumstances Beijing would exercise its jurisdiction on Hong Kong’s national security cases, and what her role would be in implementing the new law.

The chief executive only repeated that she would not be answering questions on the new law. Without following the convention of answering at least one English question, Lam ended the briefing after answering a question on the United States’ latest sanctions on Hong Kong.

“That is it for today. I wanted to start my Executive Council on time,” she said.

from Politics, Policy, Political News Top Stories https://ift.tt/2AewPp2
via 400 Since 1619

Republicans have been skipping House Intelligence meetings for months

Democrats see a boycott motivated by partisan politics. Republicans argue they have legitimate security concerns.

Either way, GOP members of the House Intelligence Committee have skipped all but one of the panel's proceedings, public and private, since before Congress went into its coronavirus-lockdown in early March. And that impasse shows no signs of ending, even as the panel takes up issues like China, Covid-19 and the annual intelligence policy bill.

Democrats see it as yet another manifestation of the toxic partisan split dividing the panel during Donald Trump's presidency, in contrast to the still-bipartisan spirit that prevails on the Senate Intelligence Committee.

“It seems almost counterproductive on their part,” House Intelligence Chair Adam Schiff (D-Calif.) told POLITICO when asked about the Republican no-shows. “It seems rather childish but I hope that they will reconsider.”

The committee, with 13 Democratic and eight Republican members, has held at least seven bipartisan hearings and roundtables, both open- and closed-door, since the pandemic shut down much of Washington in March and April. The sessions, all unclassified, included a virtual hearing in mid-June where representatives of Facebook, Twitter and Google answered questions about foreign efforts to subvert the 2020 presidential election.

The lone session to have a GOP presence was an April 28 roundtable attended by then-Rep. John Ratcliffe of Texas, a week before the Senate hearing on his nomination to be Trump’s director of national intelligence.

Committee member Rep. Eric Swalwell (D-Calif.) noted that Republicans have expressed concerns about alleged political bias by those same big tech platforms. “How do you explain to your constituents that you have representatives from those three companies and you just chose not to show up?” he asked.

Republicans rejected the idea that they’re formally snubbing the committee’s work. The real problem, they say, is that Democrats insist on discussing sensitive information in virtual online sessions instead of meeting in person.

“These things get hacked. Why are we putting ourselves at that risk?” asked Rep. Brad Wenstrup (R-Ohio), a member of the committee. “You border on classified information and maybe sometimes even spill into it. It’s just not the way to conduct business. And there is no reason for it."

"Maybe it’s inconvenient for Adam Schiff to come back here from California," Wenstrup added. "It’s just not appropriate within the intelligence community and it’s not fitting of protocol.”

Rep. Chris Stewart (R-Utah) said: “I really don’t believe it’s a boycott. It’s not an organized effort at all. I would just say that we have concerns about the format.”

“We’re here. Why aren’t we doing it like we used to?” asked Stewart, who also serves on the House Appropriations Committee, which is slated to hold live markups where members can join remotely. “I think we can meet together and do it safely.”

The committee's top Republican, California Rep. Devin Nunes, repeatedly declined to comment when asked about the matter.

Democrats say the Republicans haven’t provided a good explanation about why they’ve withdrawn or indicated what could get them back to the table. But Rep. Jim Himes (D-Conn.) attributed the Republicans' absences to factors like Schiff’s leading role in the president's impeachment — and, before that, the years of acrimony caused by the panel’s GOP-led Russia investigation.

“They have their grievances, right?” Himes said. “The whole thing is absurd but they haven’t even really negotiated.”

Even before the pandemic shutdowns, Republicans on House Intelligence had boycotted a February hearing in Himes' subcommittee on emerging technology and national security, accusing Democrats of staging "publicity events" rather than looking into issues like alleged FBI abuses in domestic surveillance. That hearing occurred weeks after the end of Trump's impeachment trial.

The intelligence committee normally meets in a secure room in the Capitol — one that a specialized CIA cleaning crew had to scrub in March after Daniel Goldman, the panel's former impeachment counsel, tested positive for the coronavirus.

Since early March, the intelligence committee has held two open virtual hearings using Cisco Webex, the same video conferencing platform that other congressional panels have used.

The panel has also convened a series of closed but unclassified roundtable discussions with past government officials focused on aspects of the coronavirus — such as Chinese disinformation around the pandemic, biothreats and the intelligence community’s handling of Covid-19. Attendees included former Director of National Intelligence John Negroponte, former acting CIA Director Michael Morell and former Secretary of State Madeleine Albright.

The roundtables, including some that have been strictly Democrats-only by design, are conducted via Microsoft Teams, which features end-to-end encryption to prevent eavesdropping.

A senior committee official dismissed Republicans' cybersecurity objections as "non-concerns," saying the committee's staff had "consulted our security and the House security” about the risks of a breach. "There was actually less risk of that happening during a Microsoft Teams or WebEx session than there was logging into your House email or Gmail account from your home computer," the official said.

The impasse threatens to derail a series of products the panel is looking to issue in the coming weeks and months.

The committee plans to meet in person, or at least partially, to mark up its annual intelligence authorization bill by the end of July. But because of pandemic-era social distancing requirements, the panel will perform what’s called a “strawman,” where majority members are located in one secure room, the minority in another, with the budget directors and lawyers in another who then walk members through the entire bill by telephone.

The committee is also finishing up its so-called "deep dive" on China, investigating the various national security threats posed by Beijing's use of technology for surveillance, influence and political control domestically and internationally. The panel has been going back and forth with the intelligence community over the draft of its full report, and going through a classification review of the executive summary, which Schiff will make public when the review is finished, according to the senior committee official.

In addition, the Democrat-controlled panel is reviewing the Covid-19 pandemic and the intelligence community’s role in it. In particular, it's examining how the clandestine apparatus is postured to collect, analyze and disseminate intel on global health issues, including cross-border pandemics and epidemics.

Of the various policy efforts, lawmakers on both sides of the aisle believe that the intelligence bill has the best chance to bridge the latest divide.

“The IAA has historically been bipartisan," Swalwell said. "We have to signal to the Congress that we are aligned, as Republicans and Democrats, and that’s what helps us pass that” by wide, bipartisan majorities."

Wenstrup noted that the bill passed in previous years even during the height of the Russia investigation.

“The committee’s been able to work through things before,” he told POLITICO.

Wenstrup and Stewart insisted that if the panel began to convene in person, the GOP would show up.

“If it was in person I believe we would be there,” Stewart said.

from Politics, Policy, Political News Top Stories https://ift.tt/2YKtGXr
via 400 Since 1619