Blog Post

Data transfers under the threat of terrorist attacks

The recent terrorist attacks in Paris and elsewhere have created an atmosphere of insecurity and fear among the citizens of the main European capitals. They have also highlighted the necessity for more effective tools at European level in the fight against terrorism and the prevention of future attacks on European soil.

By: and Date: December 15, 2015 Topic: Innovation & Competition Policy

In doing so, these incidents have also reawakened a long-simmering debate as to how best to reconcile these national security requirements both with individual privacy rights that we as Europeans hold dear, and with legitimate commercial use of personally identifiable data. The tensions among these three objectives are palpable, and have only intensified with the growing threat of terrorism and the growing value of personally identifiable data.

Data privacy implies restrictions on the free movement of data. Conversely, commercial efficiency in the digital world seems to require data flows that are restricted as little as possible. Intelligence services also have reason to want data to flow freely – in the absence of data flows, their surveillance would be undermined.

In particular, the recent decision of the European Court of Justice (ECJ) invalidating the Safe Harbour agreement between the EU and the US is legitimate in terms of protecting the privacy of Europeans, but at the same time raises the risk of “balkanisation” of data (notably between the US and the EU), with likely negative consequences on the digital economy.[1]

There is unlikely to be a simple, ideal solution at European level. What is likely needed are pragmatic compromises, solidly grounded in a clear understanding of the underlying tensions that we are trying to reconcile. To date, a clear understanding has not always been in evidence.

The economic value of data

Data is often referred to as the “oil of the 21st century”. Data has an economic value that affects online platforms and their clients, namely, companies and consumers. Online platforms act as intermediaries that collect data from consumers and sell advertising slots to companies. By analysing the data they receive from consumers, they can design effective and personalised advertising strategies for the companies’ products and services. In this way, companies are more successful in placing their products, and consumers receive better recommendations based on their individual interests – potentially a “win-win” situation, or Pareto improvement.

The benefits from the use of personally identifiable data to the sector are manifest. The funds generated by such advertisements are the main source of revenue for platforms such as Google and Facebook.[2]

The benefits to the individual, and through spill-overs into the broader economy, are more easily overlooked, as are the benefits in internal efficiency to multi-national organisations. For example, Netflix provides personalised recommendations for movies and shows based on users’ explicit taste preferences and ratings, viewing history, or friends’ recommendations. These personal data are gained through both Netflix’s own service and from data provided by social networks such as Facebook. The consumer arguably benefits.

At the same time, concerns over potential misuse of consumer data are not misplaced. Consumers are not always aware of how their data can be used by online platforms. As the New York Times has pointed out in its influential article “Facebook Is Using You”[3], past experience has shown that “… you might be refused health insurance based on a Google search you did about a medical condition. You might be shown a credit card with a lower credit limit, not because of your credit history, but because of your race, sex or ZIP code or the types of Web sites you visit.”

The Schrems case and Safe Harbour agreement between the EU and the US

The Safe Harbour agreement between the European Union and the United States dates back to 26 July 2000 and facilitates the ability of businesses to move personal data collected in Europe to servers in the US[4] (for instance, a social-media profile or payroll information) on the strength of guarantees provided by US authorities to provide an adequate level of data protection. To date, more than 4,000 companies have used Safe Harbour for data transfer[5].

On 26 June 2013, Austrian privacy activist and Facebook user Maximilian Schrems filed a complaint against Facebook, arguing that his personal data is not adequately protected when it is transferred to the US from Europe because Facebook makes the data available to the U.S. National Security Agency (NSA), for which the Safe Harbour protections are either unavailable or irrelevant.[6]

The European Court of Justice (ECJ) ruled on 6 October 2015 that the Safe Harbour agreement with the US is invalid because it does not ensure adequate data protection, a fundamental principle of EU data protection.

This decision put an end to a practice that had been used extensively for fifteen years, not only by US-based online platforms but also by multi-national corporations and by European online start-ups and service providers.

High-tech giants that need to transfer data have resorted to a range of work-arounds. For instance, Deutsche Telekom agreed to act as data trustee for Microsoft customer data collected in Germany and Europe,[7] while Microsoft itself will increase its operations using its Dublin data centre. Among the other cloud builders, Google[8] and Amazon already operate major data centres in Dublin, while Facebook[9] and Apple[10] had announced plans to build major server farms in Ireland even before the Schrems decision. In addition, several US-based firms have rushed to put in place model contract clauses that the European Commission advocates as a means of enabling them to transfer data to the US.[11]

How effective these measures will prove to be remains to be seen. Ensuring that European data remains in Europe might possibly enable US-based firms to offer cloud services to Europeans, assuming that the firms can offer convincing assurances that the data will not be subject to surveillance; however, it does not solve the data transfer issue for data that truly needs to be transferred.

The model clauses would appear to be at best a weak and temporary circumvention of the ECJ’s decision in the Schrems case, since US-based firms cannot and presumably will not avoid making the data available to US intelligence services, and will be prevented by US law from informing surveilled entities and individuals that they have done so. The decision in the Schrems case, after all, had nothing to do with commercial privacy practices – it was all about government surveillance for purposes of national security. This cannot be governed by private contract. Given that Safe Harbour has already been invalidated, it seems unlikely that the ECJ in a subsequent case would permit the model clauses to stand.

Even if the current work-arounds were to prove to be sustainable, they would effectively increase economic transaction costs (i.e. overhead costs of doing business) significantly for the firms that are forced to use them, thus effectively throwing sand in the economic gears of both the US and the EU.

Terrorist attacks lead to short term pressure for enhanced surveillance

In the past, terrorist attacks have often led to calls in the short term for authorities in the Member States to intensify surveillance, even at some sacrifice to the rights of the individual, and to collaborate closely with one another in exchanging data. In the longer term, there tends to be a return to normalcy as surveillance is relaxed in order to better comply with the fundamental rights of citizens.

For example, in light of the major attacks in the underground of Madrid in 2004 and the London bombings in 2005, the EU launched the Data Retention Directive in 2006 which required the providers of publicly available electronic communications services and networks to retain traffic and location data belonging to individuals or legal entities for up to two years. In April 2014, however, the ECJ concluded that the Directive interferes with fundamental rights of EU citizens and violates the right to protection of personal data.

A similar oscillation is visible in regard to airline Passenger Name Record (PNR) data, and to SWIFT[12] records of financial transfers. A balance is sought between national security and privacy concerns, but the pendulum swings over time as the perceived threat level waxes or wanes.

Conclusions and Suggestions

The use and transfer of personally identifiable data can have large benefits for society – not only for platforms that use and sell the data, but also for the individuals that provide it, and for the broader digital economy.

In the aftermath of the recent attacks and increased calls for surveillance, together with the Schrems decision that prevents transfers of personally identifiable data when national security authorities might abuse it, the ability to transfer data is likely to be challenged severely.

The tension between privacy and national security surveillance is different in many important respects from the tension between privacy and commercial use of data. Notably, surveillance authorities do not expect the data that they collected, or the fact that they collected it, to become public; consequently, it will be exceedingly difficult to police or meaningfully enforce any agreement that is reached as an alternative to the invalidated Safe Harbour arrangements.

There are well documented cases where senior US officials were less than fully forthcoming in statements to the US Congress.[13] Can we reasonably expect the US to be more forthcoming with European officials than with their own Congress? Former US president Ronald Reagan often said that one should “trust, but verify”. How can any agreement about the use of national security data be meaningfully verified?

It is widely acknowledged that an alternative to Safe Harbour needs to be put in place at European level, and quickly, in order to retain as much as possible the benefits of the free transfer of data, while duly respecting the need for commercial privacy.

The question that European policymakers must now confront is how to craft practical arrangements in the face of genuine increased needs for surveillance for purposes of national security, challenges to reaching an agreement with major trading partners notably including the US, and the near-impossibility of enforcing an agreement if one can be reached.

It is by no means clear how such an arrangement could be reached, but it is clear that components must include (1) cooperation at European level and with the Member States, (2) extraordinary pragmatism and willingness to compromise so as to achieve as much as is reasonably achievable, (3) setting the expectations of Europeans to realistic levels, all coupled with (4) the ambition to achieve as much protection of the privacy rights of Europeans as possible, as part of a solution that balances this appropriately with national security needs, through international negotiations.

 

[1] Ilsa Godlovitch, J. Scott Marcus, Bas Kotterink and Pieter Nooren (2015, forthcoming), Over-the-Top (OTT) players: Market dynamics and policy challenges, study for the European Parliament.

[2] For example, according to Facebook’s annual report for 2014, advertisements accounted for 92% of the company’s revenue that year (http://investor.fb.com/annuals.cfm). Google’s revenues are also mainly (more than 90%) based on advertising (https://investor.google.com/financial/tables.html).

[3] http://www.nytimes.com/2012/02/05/opinion/sunday/facebook-is-using-you.html

[4] Under the EU Directive on Data Protection, transfers of personal data to non-EU countries are permitted only to countries that provide an adequate level of privacy protection.

[5] http://www.ft.com/cms/s/2/7544e716-6b87-11e5-aca9-d87542bf8673.html#axzz3tLgVZo89

[6] This claim is based on the revelations of the former NSA contractor Edward Snowden about the NSA’s PRISM mass surveillance program.

[7] See “Deutsche Telekom to act as Data Trustee for Microsoft Cloud in Germany”, 11 November 2015, at https://www.telekom.com/media/company/293260.

[8] Google also operates data centres in Finland, Belgium and Amsterdam.

[9] Jason Verge, “Facebook To Submit Plans For $220M Data Center In Ireland”, in Data Center Knowledge, 15 June 2015, at http://www.datacenterknowledge.com/archives/2015/06/15/facebook-submit-plans-220m-data-center-ireland/.

[10] Davin O’Dwyer, “Ireland’s data centre boom set to continue”, 5 March 2015, http://www.irishtimes.com/business/technology/ireland-s-data-centre-boom-set-to-continue-1.2126081.

[11] See “Silicon Valley fights European Court of Justice ruling with small print”, The Register, 7 October 2015, at http://www.theregister.co.uk/2015/10/07/us_cloud_giants_privacy_brief_safe_harbour/.

[12] SWIFT is the Society for Worldwide Interbank Financial Telecommunication.

[13] New York Times, 11 June 2013: ‘At the March Senate hearing, Mr. Wyden asked Mr. Clapper, “Does the N.S.A. collect any type of data at all on millions or hundreds of millions of Americans?” “No, sir,” Mr. Clapper replied. “Not wittingly.” Mr. Wyden said on Tuesday that he had sent his question to Mr. Clapper’s office a day before the hearing, and had given his office a chance to correct the misstatement after the hearing, but to no avail. In an interview on Sunday with NBC News, Mr. Clapper acknowledged that his answer had been problematic, calling it “the least untruthful” answer he could give.’


Republishing and referencing

Bruegel considers itself a public good and takes no institutional standpoint. Anyone is free to republish and/or quote this post without prior consent. Please provide a full reference, clearly stating Bruegel and the relevant author as the source, and include a prominent hyperlink to the original post.
