Table of Contents

Over the last decade, perhaps no feature of the transatlantic relationship has been more fraught than our approaches to cyberspace. Issues such as technological competition, data protection, free speech, and cybersecurity have become sources of controversy. As U.S. technology companies and social media platforms have taken a commanding position on the internet, European regulators have increasingly (and understandably) focused on antitrust enforcement. Europe’s General Data Protection Regulation (GDPR) has subjected American companies to new requirements for ensuring data privacy and allowing users control over how their data is used. European approaches to hate speech and disinformation also differ from traditional laissez-faire U.S. practice. And, finally, while both sides of the Atlantic are concerned with securing the cyber domain, the United States has recently become more concerned about Chinese products on Western communications systems.

The apparent divide has been exacerbated by the approach of U.S. President Donald Trump’s administration, which has denigrated our European allies and NATO and has seemingly subordinated the value of our relationship to transactional attitudes on the trade deficit and defense spending.

Converging Transatlantic Cyber Interests

The good news is that U.S. and European approaches have been quietly converging, due in significant part to our common interest and values, and to strong relationships being fostered by members of the U.S. Congress and European legislators, as well as by civil society and the private sector.

Michael Chertoff
Michael Chertoff is the Co-founder and Executive Chairman of the Chertoff Group and a former Secretary of the U.S. Department of Homeland Security.

Even in the United States—home of the world’s biggest tech companies—concerns are growing about whether internet behemoths are too dominant in the marketplace. More specifically, public scandals like Cambridge Analytica’s use of citizens’ data have significantly increased public demands for data privacy protections. California, for example, has enacted a GDPR-like data protection law, and a number of tech firms now offer privacy controls as a positive feature for users. By the same token, European authorities are increasingly mindful of the free speech issues in hate speech and disinformation laws, with France’s highest court recently invalidating much of a new French speech code. And both the United States and Europe agree on the fundamental threats we increasingly face with respect to cyber attacks by malign actors, including nation state adversaries. In this respect, NATO has intensified its work in securing cyberspace and countering foreign disinformation campaigns.

The project for the next five years should be to build on these positive steps to create a truly common transatlantic strategy for cyberspace and the digital world. This will be more urgent than ever for three reasons. First, even in a post-pandemic world, more and more economic activity will be conducted online, and more of our critical infrastructure operating technologies will be managed digitally. Second, the increasing adoption of artificial intelligence–powered analytics means that the appetite and capacity to use (and misuse) personal data will increase, posing threats to our democracies and freedoms. Third, and relevant to the first two points, nations like Russia and China are becoming more aggressive in using cyber tools to subvert, dominate, and even attack nations around the globe.

Refining a Viable Transatlantic Cyber Agenda

What is to be done?

First, because U.S. and European human rights values are fundamentally alike, bearing in mind some differences in application, we should continue to build an increasing set of reciprocal agreements—like the U.S.-EU Privacy Shield—that allow for compatible transatlantic data protection standards. This does not require that the rules be identical, but that they be functionally similar in material respects.

Second, at the same time, the United States and European nations should enter into mutual legal assistance agreements that coordinate and streamline the process for enforcing appropriate law enforcement requests concerning data held by a country other than the requesting nation. These updated treaties should contain protections for human rights but not be overly bureaucratic. One model is the recently executed bilateral data access agreement between the United States and the UK.

Third, rules about hate speech and disinformation should be enacted with care so as not to create undue conflicts in U.S. and European legal regimes. Both sides of the Atlantic can agree that we can ban algorithms used for the manipulation of social media, foreign impersonation of domestic citizens, and incitement to violence and child abuse. But where European nations want to regulate content on the grounds that it is inaccurate or simply—as in the right to be forgotten—unfair, there should not be a European attempt to extend those rules to the operations of platforms in the United States, where the First Amendment applies.

Finally, even beyond what NATO is already doing, the United States and Europe should deepen cooperation on cybersecurity. In particular, in the wake of the pandemic, we can expect a strong drive to implement new 5G internet technology. Currently, few infrastructure providers are scalable and cost-competitive enough to displace Huawei. But allowing the Chinese company to dominate 5G as a sole source of supply is dangerous to security from a number of standpoints. If the United States and Europe combine to foster a market for transatlantic 5G providers, we can develop supply chain alternatives. Doing so would not only foster security and resilience but also would help all our economies.

Michael Chertoff is the Co-founder and Executive Chairman of the Chertoff Group and a former Secretary of the U.S. Department of Homeland Security.