Should governments be allowed to impose localisation requirements to protect privacy?

It’s a cliché that “data is the new oil”—a metaphor that dates back to at least 2006. Like oil, data is beginning to drive conflict, as different political blocs fight for control of how this valuable resource flows around the world. That tussle is at a critical juncture because of the confluence of three major factors: the Snowden revelations about massive online surveillance; key judgments by Europe’s top court; and attempts by the US to use major trade deals to lock in unrestricted data flows globally.

The growing awareness of the importance of data flows to both technology and the world’s economy is reflected in the number of reports on the topic that have been issued recently. For example, in April 2014, McKinsey published “Global flows in a digital age,” which noted:

Global online traffic across borders grew 18-fold between 2005 and 2012, and could increase eightfold more by 2025. Digital technologies, which reduce the cost of production and distribution, are transforming flows in three ways: through the creation of purely digital goods and services, “digital wrappers” that enhance the value of physical flows, and digital platforms that facilitate cross-border production and exchange.

A month later, the European Centre for International Political Economy (ECIPE) issued a report that aimed to “quantify the losses that result from data localisation requirements and related data privacy and security laws that discriminate against foreign suppliers of data, and downstream goods and services providers.” Data localisation in this context means keeping data within the same country—or legal bloc, in some cases—where it originated.

According to ECIPE’s econometric modelling, if the European Union were to introduce economy-wide data localisation requirements that applied across all sectors of the economy, its GDP would suffer a loss of 1.1 percent as non-EU companies run fleeing to the hills. ECIPE said domestic investments would fall by 3.9 percent, and the economic losses suffered by EU citizens would total £156 billion (€182 billion, $193 billion).

The Snowden revelations

One reason why many countries were and still are considering data localisation requirements that would force companies to keep data within national or legal boundaries, is the Snowden leaks. These showed the NSA and GCHQ carrying out surveillance on a hitherto unsuspected scale. In particular, Edward Snowden revealed that both agencies spied on data as it flowed across US and UK borders to and from other countries.

An obvious way to avoid this problem is to keep data in the country where it is generated, to minimise opportunities for foreign interception. That too has issues—for example, it’s easier for national governments to spy on and demand information—but it does place obstacles in the way of external intelligence agencies like the NSA and GCHQ.

One country that has already adopted this approach is Russia, which passed a data localisation law in 2014. LinkedIn’s failure to comply means that the soon-to-be Microsoft subsidiary faces the prospect of Russian ISPs blocking access to its site. As Ars has reported, China too is bringing in data localisation requirements.

Perhaps even more important than Snowden’s impact on governments’ future data localisation policies have been the knock-on consequences of his revelations for the “Safe Harbour” framework that has governed data flows from the EU to the US since 2000. In 1998, the EU’s directive on data protection went into effect, which prohibited the transfer of personal data to non-European Union countries that do not meet the 28-member-state bloc’s “adequacy” standard for privacy protection—in other words, that offered sufficient safeguards for personal data.

The Safe Harbour website explains: “In order to bridge these differences in approach and provide a streamlined means for US organisations to comply with the Directive, the US Department of Commerce in consultation with the European Commission developed a ‘Safe Harbour’ framework and this website to provide the information an organisation would need to evaluate—and then join—the US-EU Safe Harbour programme.”

Snowden’s leaks showed the NSA gaining access to personal data held by major US online companies like Facebook as part of the PRISM programme. As a result, the Austrian privacy activist Max Schrems brought a legal challenge to data transfers made between the EU and the US using the Safe Harbour framework. As his site puts it: “Safe Harbour does not allow for [data] forwarding as it is performed under PRISM. If it would allow such forwarding the ‘Safe Harbour Decision’ would itself be illegal under Regulation 95/46/EC [the EU directive on data protection].”

Since Facebook has its European headquarters in Ireland, Schrems took his complaint to the Irish data protection agency. According to Schrems, the Irish data protection commissioner argued that “he does not have any duty to investigate the complaint and later argued that the legal view expressed in the complaint is ‘frivolous’.” As a result, Schrems’ complaint was not investigated.

Schrems sought a judicial review by the Irish High Court, which then asked the Court of Justice of the European Union (CJEU) to rule on issues raised by the Safe Harbour framework. On October 6 last year, Europe’s top court handed down its judgment, which effectively struck down Safe Harbour. The central problem, the court found, was that PRISM allowed “access on a generalised basis to the content of electronic communications,” which the CJEU said “must be regarded as compromising the essence of the fundamental right to respect for private life,” and therefore unacceptable under EU law.

Unless a suitable replacement for Safe Harbour could be found, data flows across the Atlantic would be illegal, and companies continuing to transfer EU personal data to the US risked large fines. What was needed was an upgraded version of Safe Harbour, otherwise US companies faced the prospect of being forced to keep all the personal data of their EU users within the European Union, something they insisted they were reluctant to do.

After fraught negotiations, the new Privacy Shield framework was announced on July 8. The European Commission claimed it was “fundamentally different” from Safe Harbour, and ruled out “indiscriminate mass surveillance”:

The EU-US Privacy Shield will ensure a high level of protection for individuals and legal certainty for business. It is fundamentally different from the old ‘Safe Harbour’: It imposes clear and strong obligations on companies handling the data and makes sure that these rules are followed and enforced in practice. For the first time, the US has given the EU written assurance that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms and has ruled out indiscriminate mass surveillance of European citizens’ data. And last but not least the Privacy Shield protects fundamental rights and provides for several accessible and affordable redress mechanisms.

Reactions to the new Privacy Shield were mixed. Microsoft called it “an important achievement for the privacy rights of citizens across Europe, and for companies across all industries that rely on international data flows to run their businesses and serve their customers.”

Schrems, by contrast, said: “Privacy Shield is the product of pressure by the US and the IT industry—not of rational or reasonable considerations. It is little more than an little upgrade to Safe Harbour, but not a new deal. It is very likely to fail again, as soon as it reaches the CJEU.” Joe McNamee, executive director of European Digital Rights, agreed with this view: “We now have to wait until the court again rules that the deal is illegal and then, maybe, the EU and US can negotiate a credible arrangement that actually respects the law, engenders trust and protects our fundamental rights.”

News that Yahoo had been secretly scanning customers’ e-mails greatly increases the likelihood of the Privacy Shield scheme being thrown out by the EU’s top court. Snowden tweeted that during the Privacy Shield negotiations the US insisted that this kind of spying would never occur. As a result, the CJEU judges are unlikely to be impressed by any claims that Privacy Shield complies with EU laws.

A legal challenge to the Privacy Shield framework has already been filed, but not at the Court of Justice, which heard and threw out Safe Harbour. Instead, Digital Rights Ireland is asking the lesser-known General Court of the European Union to annul Privacy Shield, still on the grounds that it affords insufficient privacy protection to EU citizens.

General Data Protection Regulation

A successful challenge to Privacy Shield would be a serious problem for US companies wishing to move personal data out of the EU. At the end of 2015, the European Parliament, the Council, and the Commission reached an agreement on “new data protection rules, establishing a modern and harmonised data protection framework across the EU,” including the General Data Protection Regulation (GDPR), which greatly extends the reach and force of EU privacy laws. Chapter 5 of the GDPR confirms the need for something like Privacy Shield to regulate the flow of data outside the EU, and spells out huge fines for companies that flout the new GDPR rules—up to €20 million, or four percent of the total worldwide annual turnover of the preceding financial year, whichever is higher.

Stricter GDPR rules, coupled with the prospect that personal data might need to remain within the EU’s borders, may represent a threat for US companies, but they are also a business opportunity for cloud computing services. For example, the newly-formed Cloud Infrastructure Services Providers in Europe (CISPE) recently announced that it had created “the first-ever data protection code of conduct requiring cloud infrastructure services providers to offer their customers the ability to exclusively process and store data within the EU/EEA territories.”

The CISPE added:

Under the CISPE Code of Conduct, cloud infrastructure providers cannot data mine or profile customers’ personal data for marketing, advertising or similar activities, for their own purposes or for the resale to third parties. The CISPE Code precedes the application of the new European Union (EU) General Data Protection Regulation (GDPR).

US companies are also cashing in on the demand for EU-based processing and storage. For example, last November Microsoft opened data centres in Germany, which it claimed would be immune to requests from the US government to hand over data—thus attempting to address the key problem of surveillance that emerged in the Schrems’ judgment. More recently, Microsoft announced it had invested a total of £2.3 billion ($3 billion) in setting up its European cloud computing facilities.

The New York Times quoted Microsoft CEO Satya Nadella as saying: “We’re building our global cloud infrastructure in Europe so it can be trusted by the multiple constituents. We can meet the data residency needs of our European customers.” The newspaper also noted that other US giants are also investing heavily in EU facilities: “Amazon Web Services, the largest player, announced last week that it would soon open multiple data centres in France and Britain. Google, which already has sites in countries like Finland and Belgium, is expected to finish a new multimillion-dollar data complex in the Netherlands by the end of the year.”

Trade deals

Although those moves might suggest that US Internet companies are resigned to a future where keeping the personal data of EU citizens within the EU will be the norm, that’s not the case. The main strategy of the online giants is doing everything they can to stop data localisation happening; the new data centres are more like an insurance policy, in case they aren’t successful.

These multinational megacorps have a range of weapons at their disposal, but the most powerful is trade agreements. As Ars has reported, today’s big trade deals go far beyond simply removing tariffs. Now, the emphasis is on harmonising national regulations in order to remove “non-tariff barriers.” Prompted by Stateside Internet companies, the US tries to use trade deals to persuade other countries to agree to unhindered cross-border data flows, and to ban data localisation requirements.

One of the main battlefields here is the Transatlantic Trade and Investment Partnership (TTIP). Recently, senior US politicians sent a letter to the US Trade Representative, Michael Forman, who is responsible for US trade negotiations. The politicians wrote: “TTIP must include clear and enforceable commitments on digital trade, but the EU has not engaged meaningfully in this sector, particularly regarding cross border data flows and data server localization requirements.” As part of the TTIP deal, the politicians say, the EU must permit easy cross-border data flows by loosening its stringent privacy protections, and forbid member states from requiring data localisation.

TTIP is in limbo after Donald Trump won the US presidential election, and may even be dead, so the argument over how data flows should be treated there will not re-commence for many months, if ever. But there are two other major deals seeking to regulate European data flows, the Trade in Investment Services Agreement (TISA)—an international treaty between 23 parties including the US and EU—and the Comprehensive Economic and Trade Agreement (CETA) between Canada and the EU.

A recent study, entitled “Trade and privacy: complicated bedfellows?”, suggested that new free trade deals should contain a binding provision which fully exempts the existing and future EU legal framework for the protection of personal data from the scope of the agreements.

However, in a commentary on the report, the activist Ante Wessels had doubts about the efficacy of this approach. He wrote: “Trade and privacy are indeed difficult bedfellows. It is an open question whether data protection-proof free trade agreements are possible.” If, indeed, that is the case, the report further suggests “the EU should not enter into additional commitments concerning free data flows in new and enhanced disciplines that lack any reference to the party’s privacy and data protection laws.”

One of the organisations that commissioned the report, BEUC, explained its position as follows:

Consumer organisations are not opposed per se to the flow of data, as long as the privacy rights of all EU citizens are protected. The problem is that, by definition, data flows include personal data. The countries negotiating TiSA with the EU have very different data protection laws. They do not necessarily match the level of protection that is expected in the EU.

Data protection is a fundamental rights issue and is regulated by specific data protection laws, most notably the upcoming EU General Data Protection Regulation which contains a full chapter on international data transfers. That is why rules on data flows should not be part of trade agreements.

It’s still not clear what the European Commission intends to do on this important issue. According to a report on EurActiv, “European Commission officials have struck a deal that could put a clause guaranteeing international data flows into a trade agreement with 22 countries outside the bloc, including the United States and Australia [TISA]. But the commission is in deadlock over whether to cave to pressure from the US despite criticism that salvaging the pact on services could undermine EU privacy law.”

According to the EC’s summary of the latest round of TISA talks, data flows and localisation of computing facilities will “continue to require in-depth discussions between Parties.” Once again, the election of Donald Trump is likely to be a complicating factor here.

The position of the European Parliament is more straightforward, since it has adopted a text on TISA in which it calls on the European Commission “to immediately and formally oppose the US proposals on movement of information.”

Post-Brexit problems

Finally, it’s worth noting there are major implications here for the UK as it heads towards Brexit. The UK’s new Information Commissioner, Elizabeth Denham, recently gave a speech called “Transparency, trust and progressive data protection,” in which she directly addressed the question of what the EU’s new GDPR would mean post-Brexit:

The fact is, no matter what the future legal relationship between the UK and Europe, personal information will need to flow. It is fundamental to the digital economy. In a global economy we need consistency of law and standards—the GDPR is a strong law, and once we are out of Europe, we will still need to be deemed adequate or essentially equivalent.

For those of you who are not lawyers out there, this means there would be a legal basis for data to flow between Europe and the UK.

Whether or not the UK is a member of the EU, and whatever its formal relationship might be, if British companies—for example, in the financial sector—want to process EU personal data, the protection in the UK must be “adequate or essentially equivalent” for data flows from the continent to be permitted. It is therefore likely that the UK government will need to bring in data privacy laws that align closely with the GDPR.

However, it’s worth remembering that the reason why Safe Harbour was struck down, and why Privacy Shield may suffer the same fate, is that the EU’s highest court deemed the surveillance carried out by the NSA as excessive and therefore illegal. But we know from Snowden’s documents that GCHQ’s Tempora programme is just as invasive—indeed, Snowden said that historically: “They [GCHQ] are worse than the US.” That raises the interesting question of whether the CJEU would find that GCHQ’s surveillance of data flows is also excessive and therefore illegal under EU privacy laws if a challenge were brought by someone like, say, Schrems.

The UK government has managed to sidestep this issue so far. But once the UK is outside the European Union, continental companies will not want to risk fines of up to four percent of their global turnover by sending personal data to a country which may be judged a privacy pariah by the courts.

As data progresses from being the new oil that helps powers modern economies, to becoming the very life-blood that keeps them alive, data flows will become a key strategic issue for all governments. That’s especially true for the UK, which will depend on them for its new, and as-yet undefined, relationships with the world’s nations, their citizens, and their companies.

Via: Ars Technica

http://arstechnica.co.uk/tech-policy/2016/11/eu-us-personal-data-flows-explainer/