Why Europe Won't Combat Huawei's Trojan Tech

October 2, 2019 | Topic: Security | Region: Europe | Tags: Technology, China, Huawei, Europe, National Security

Europe is wary of its U.S. counterpart's intentions. But U.S. tech companies will be the least of Europe’s concerns if Huawei hands over European data to the Chinese government.

The United States has been unsuccessful at getting European countries to ban Huawei from building their fifth-generation wireless (5G) networks. It’s not for a lack of trying. Washington has used a variety of approaches to attempt to win Europe’s support on this issue. Washington has tried leading by example, hoping its decision to ban Huawei from U.S. networks would prompt Europe to do the same. U.S. officials have discussed providing subsidies to those countries that purchase 5G equipment from Huawei’s competitors. They have threatened to reduce intelligence sharing if Europe integrates Huawei into its telecommunications infrastructure. They have also highlighted the risks of espionage and threat to critical infrastructure that arise from the use of Huawei equipment. But there is a tactic that the United States hasn’t yet tried—data privacy. Talking to Europe about data privacy and pointing out the risks that Huawei would pose to Europe’s data privacy standards could resonate and help peel Europe away from the technology company.

Europe has long prioritized data privacy. In response to a long history of communist and fascist surveillance of its citizens, Europe has since viewed data privacy as a human right. No one knows this better than the U.S. government and private companies in America. Europe bitterly resisted the United States’ implementation of the Passenger Name Record, which requires the collection of airline passenger data for law enforcement purposes, due to a fear that it endangered data privacy. Edward Snowden’s revelation of the National Security Agency’s spying on European governments sparked outrage and demands for greater oversight of European intelligence agencies who cooperate with the NSA. The EU’s data privacy crusade even focused on private U.S. firms, most recently with Facebook over the Cambridge Analytica scandal of 2014 and other privacy concerns. 

In light of these events, the EU put into action the General Data Protection Regulation (GDPR) of 2018—legislation that pushed high standards for regulating data privacy and protection. These regulations, which characterize data privacy as a human right, have made Europe the gold standard for data privacy globally. 

However, there’s tension building in Europe between the GDPR and EU states that want to continue using Huawei in their 5G networks. By providing network access to Huawei, European governments are potentially putting data privacy at risk. 5G is revolutionary because it provides consumers with up to one hundred times faster connections than 4G while expanding the capacity of networks to handle many more devices. Some 5G-enabled technologies, such as autonomous vehicles or Internet of Things devices, involve near-persistent data transfer, meaning a user’s device is constantly sending data to and receiving data from the network. As data travels from Point A to B, there is a risk that Huawei could capture this data by rerouting it through servers that allow Huawei to copy the data. China has a history of similar actions. In 2010, China Telecom rerouted 15 percent of Internet traffic for eighteen minutes, including from sensitive U.S. government websites. A similar move over 5G networks, given that significantly more data will be transmitted over 5G networks than over 4G networks, would put the data of over 512 million EU citizens at risk of exploitation by the Chinese state.

The vulnerability that Huawei’s equipment creates stands in stark contradiction to the EU’s own laws. The GDPR’s stance on third country/party usage of EU data is clearly defined in Chapter 5 of the regulation. The express purpose of this chapter is to ensure “adequate levels” of data protection, defined as protections “essentially equivalent” to those offered to citizens in the EU. Certain countries, like the United States under the Privacy Shield arrangement, have been found to meet this standard and are allowed free flow of personal data. China, however, is not listed, and therefore must ensure not only the adequate protection, but also “enforceable . . . rights and legal remedies” in order to be certified by the EU under GDPR. 

Huawei claims that they can meet these standards. Huawei rotating chair Ken Hu, the official policy on Huawei’s website, analysis submitted by the China-based firm Zhong Lun, and a (confidential) opinion by the UK-based firm Clifford Chance have argued in various statements that Huawei can fully comply with external data privacy regulations. Even some U.S. observers claim that fears over Huawei’s threat to data privacy and U.S. and EU national security are overblown. However, despite their protestations, the evidence suggests that Huawei and China fall well short of GDPR’s data security standards.  

First and foremost, Chinese laws are incompatible with the GDPR. The oft-cited Article 7 of China’s National Intelligence Law requires Chinese citizens and companies to “support, assist, and cooperate with state intelligence work according to law.” If used, this law would essentially force Huawei’s hand if the Chinese government requested data transmitted over 5G networks. This would also apply to Europe’s data. Article 7, when paired with Article 14—which grants state intelligence organs the ability to demand this support—legally obligates Chinese citizens and companies to provide this information on demand. Huawei CEO Ren Zhengfei has often stated that he would “definitely refuse” a request from the Chinese government for data. However, Article 7 and Article 14 seem to make such a refusal the equivalent of domestic legal suicide.

Legal commentators also express serious doubt about the extent to which Chinese law can restrain the Chinese government or apparatuses of communist leadership to enforce promises they make to ensure “legal remedy” for EU citizens. To some degree, the court system still functions largely under the control of the communist party. Therefore, the courts are highly unlikely to challenge the actions of the state. Even if one assumes that Huawei wants to cooperate with GDPR, the lack of an independent judiciary in China means that Huawei would have no recourse to push back on Chinese government requests for EU data. Ultimately, anyone alleging that the judiciary, especially through legal claims from foreign entities or citizens, can constrain the Chinese state and its purported interests blinds themselves to the realities of their regime. There cannot possibly exist true “legal remedy” or “enforceable rights” in a nation which does not have an established and transparent rule of law. Such a legal climate makes it impossible for EU data privacy regulators to ensure that EU data that becomes entangled in Huawei networks will be safe from overreach by the Chinese state.

Even though Huawei’s inherent inability to comply with European GDPR standards poses an unsustainable contradiction in European policy, EU leadership has been disturbingly muted on the matter. Member states recently submitted risk assessments to the European Commission concerning the risks of implementing 5G equipment in Europe. Data privacy has been a glaring omission from these conversations. In the United Kingdom’s Huawei Cyber Security Evaluation Centre Oversight Board annual report, data privacy is not mentioned at all. While the Prague Proposals, a statement resulting from the Prague 5G Security Conference, include a nod to data privacy concerns, they are non-binding and have yet to produce tangible results in the member states. 

The National Security Agency, Passenger Name Record, and U.S. tech companies will be the least of Europe’s worries if Huawei hands over European data to the Chinese government. So if you want to pry European capitals away from Huawei, then start with privacy concerns. Citing privacy concerns via GDPR would allow Europe to address the threat posed by Huawei and China on its own terms and through pre-existing European regulations (GDPR). Allowing Europe to find Huawei’s safeguards against Chinese state interference to be inadequate would be a tactically smart move—one that allows Europe to properly uphold GDPR protections. Huawei’s inability to comply with the EU’s GDPR presents an opportunity for the United States’ campaign to eliminate Huawei 5G infrastructure in Europe. Let’s not squander it.

Carisa Nietsche is a research assistant for the Transatlantic Security Program at the Center for a New American Security. Bolton Smith is a JD candidate at the University of Virginia School of Law.
