Blog Post

Data transfers under the threat of terrorist attacks

The recent terrorist attacks in Paris and elsewhere have created an atmosphere of insecurity and fear among the citizens of the main European capitals. They have also highlighted the necessity for more effective tools at European level in the fight against terrorism and the prevention of future attacks in the European soil.

By: and Date: December 15, 2015 Topic: Innovation & Competition Policy

In doing so, these incidents have also reawakened a long-simmering debate as to how best to reconcile these national security requirements both with individual privacy rights that we as Europeans hold dear, and with legitimate commercial use of personally identifiable data. The tensions among these three objectives are palpable, and have only intensified with the growing threat of terrorism and the growing value of personally identifiable data.

Data privacy implies restrictions on the free movement of data. Conversely, commercial efficiency in the digital world seems to require data flows that are restricted as little as possible. Intelligence services also have reason to want data to flow freely – in the absence of data flows, their surveillance would be undermined.

In particular, the recent decision of the European Court of Justice (ECJ) invalidating the Safe Harbour agreement between EU and US is legitimate in terms of protecting the privacy of Europeans, but at the same time raises the risk of “balkanisation” of data (notably between the US and the EU), with likely negative consequences on the digital economy.[1]

There is unlikely to be a simple, ideal solution at European level. What is likely needed are pragmatic compromises, solidly grounded in a clear understanding of the underlying tensions that we are trying to reconcile. To date, a clear understanding has not always been in evidence.

Georgios_Chart.jpg

The economic value of data

Data is often referred to as the “oil of the 21st century”. Data has an economic value that affects online platforms and their clients, namely, companies and consumers. Online platforms act as intermediaries that collect data from consumers and sell advertising slots to companies. By analysing the data they receive by consumers, they can design effective and personalised advertising strategies for the companies’ products and services. In this way, companies are more successful in placing their products, and consumers receive better recommendations based on their individual interests – potentially a “win-win” situation, or Pareto improvement.

The benefits from the use of personally identifiable data to the sector are manifest. The funds generated by such advertisements are the main source of revenue for platforms such as Google and Facebook.[2]

The benefits to the individual, and through spill-overs into the broader economy, are more easily overlooked, as are the benefits in internal efficiency to multi-national organisations. For example, Netflix provides personalised recommendations for movies and shows based on users’ explicit taste preferences and ratings, viewing history, or friends’ recommendations. These personal data are gained through both Netflix’s own service and from data provided by social networks such as Facebook. The consumer arguably benefits.

At the same time, concerns over potential misuse of consumer data are not misplaced. Consumers are not always aware of how their data can be used by online platforms. As the New York Times have pointed out in their influential article “Facebook Is Using You”[3], past experience has shown that “… you might be refused health insurance based on a Google search you did about a medical condition. You might be shown a credit card with a lower credit limit, not because of your credit history, but because of your race, sex or ZIP code or the types of Web sites you visit.”

The Schrems case and Safe Harbour agreement between the EU and the US

The Safe Harbour agreement between European Union and the United States dates back to 26 July 2000 and facilitates the ability of businesses to move personal data collected in Europe to servers in US[4] (for instance, a social-media profile or payroll information) on the strength of guarantees provided by US authorities to provide an adequate level of data protection. To date, more than 4,000 companies have used Safe Harbour for data transfer[5].

On 26 June 2013, Austrian privacy activist and Facebook user Maximilian Schrems filed a complaint against Facebook, arguing that his personal data is not adequately protected when it is transferred to the US from Europe because Facebook makes the data available to the U.S. National Security Agency (NSA), for which the Safe Harbour protections are either unavailable or irrelevant.[6]

The European Court of Justice (ECJ) ruled on 6 October 2015 that the Safe Harbour agreement with the US is invalid because it does not ensure adequate data protection, a fundamental principle of EU data protection.

This decision put an end to a practice that had been used extensively for fifteen years, not only by US-based online platforms but also by multi-national corporations and by European online start-ups and service providers.

High-tech giants that need to transfer data have resorted to a range of work-arounds. For instance, Deutsche Telekom agreed to act as data trustee for Microsoft customer data collected in Germany and Europe,[7] while Microsoft itself will increase its operations using its Dublin data centre. Among the other cloud builders, Google[8] and Amazon already operate major data centres in Dublin, while Facebook[9] and Apple[10] had announced plans to build major server farms in Ireland even before the Schrems decision. In addition, several US-based firms have rushed to put in place model contract clauses that the European Commission advocates as a means of enabling them to transfer data to the US.[11]

How effective these measures will prove to be remains to be seen. Ensuring that European data remains in Europe might possibly enable US-based firms to offer cloud services to Europeans, assuming that the firms can offering convincing assurances that the data will not be subject to surveillance; however, it does not solve the data transfer issue for data that truly needs to be transferred.

The model clauses would appear to be at best a weak and temporary circumvention of the ECJ’s decision in the Schrems case, since US-based firms cannot and presumably will not avoid making the data available to US intelligence services, and will be prevented by US law from informing surveilled entities and individuals that they have done so. The decision in the Schrems case, after all, had nothing to do with commercial privacy practices – it was all about government surveillance for purposes of national security. This cannot be governed by private contract. Given that Safe Harbour has already been invalidated, it seems unlikely that the ECJ in a subsequent case would permit the model clauses to stand.

Even if the current work-arounds were to prove to be sustainable, they would effectively increase economic transaction costs (i.e. overhead costs of doing business) significantly for the firms that are forced to use them, thus effectively throwing sand in the economic gears of both the US and the EU.

Terrorist attacks lead to short term pressure for enhanced surveillance

In the past, terrorist attacks have often led to calls in the short term for authorities in the Member States to intensify surveillance, even at some sacrifice to the rights of the individual, and to collaborate closely with one another in exchanging data. In the longer term, there tends to be a return to normalcy as surveillance is relaxed in order to better comply with the fundamental rights of citizens.

For example, in light of the major attacks in the underground of Madrid in 2004 and the London bombings in 2005, the EU launched the Data Retention Directive in 2006 which required the providers of publicly available electronic communications services and networks to retain traffic and location data belonging to individuals or legal entities for up to two years.  In April 2014, however, the ECJ concluded that the Directive interferes with fundamental rights of EU citizens and violates the right to protection of personal data.

A similar oscillation is visible in regard to airline Passenger Name Record (PNR) data, and to SWIFT[12] records of financial transfers. A balance is sought between national security and privacy concerns, but the pendulum swings over time as the perceived threat level waxes or wanes.

Conclusions and Suggestions

The use and transfer of personally identifiable data can have large benefits for society – not only for platforms that use and sell the data, but also for the individuals that provide it, and for the broader digital economy.

In the aftermath of the recent attacks and increased calls for surveillance, together with the Schrems decision that prevent transfers of personally identiable data when national security authorities might abuse it, the ability to transfer data is likely to be challenged severely.

The tension between privacy and national security surveillance is different in many important respects from the tension between privacy and commercial use of data. Notably, surveillance authorities do not expect the data that the collected, or the fact that they collected it, to become public; consequently, it will be exceedingly difficult to police or meaningfully enforce any agreement that is reached as an alternative to the invalidated Safe Harbour arrangements.

There are well documented cases where senior US officials were less than fully forthcoming in statements to the US Congress.[13] Can we reasonably expect the US to be more forthcoming with European officials than with their own Congress? Former US president Ronald Reagan often said that one should “trust, but verify”. How can any agreement about the use of national security data be meaningfully verified?

It is widely acknowledged that an alternative to Safe Harbour needs to be put in place at European level, and quickly, in order to retain as much as possible the benefits of the free transfer of data, while duly respecting the need for commercial privacy.

The question that European policymakers must now confront is how to craft practical arrangements in the face of genuine increased needs for surveillance for purposes of national security, challenges to reaching an agreement with major trading partners notably including the US, and the near-impossibility of enforcing an agreement if one can be reached.

It is by no means clear how such an arrangement could be reached, but it is clear that components must include (1) cooperation at European level and with the Member States, (2) extraordinary pragmatism and willingness to compromise so as to achieve as much as is reasonably achievable, (3) setting the expectations of Europeans to realistic levels, all coupled with (4) the ambition to achieve as much protection of the privacy rights of Europeans as possible, as part of a solution that balances this appropriately with national security needs, through international negotiations.

 

[1] Ilsa Godlovitch, J. Scott Marcus, Bas Kotterink and Pieter Nooren (2015, forthcoming), Over-the-Top (OTT) players: Market dynamics and policy challenges, study for the European Parliament.

[2] For example, according to Facebook annual report in 2014, advertisements corresponded to the 92% of the company’s revenue that year (http://investor.fb.com/annuals.cfm). Google’s revenues are also mainly (more than 90%) based on advertising (https://investor.google.com/financial/tables.html).

[3] http://www.nytimes.com/2012/02/05/opinion/sunday/facebook-is-using-you.html

[4] Under the EU Directive on Data Protection, transfers of personal data to non-EU countries are permitted only to countries that provide an adequate level of privacy protection.

[5] http://www.ft.com/cms/s/2/7544e716-6b87-11e5-aca9-d87542bf8673.html#axzz3tLgVZo89

[6] This claim is based on the revelations of the former NSA contractor Edward Snowden about the NSA’s PRISM mass surveillance program.

[7] See “Deutsche Telekom to act as Data Trustee for Microsoft Cloud in Germany”, 11 November 2015, at https://www.telekom.com/media/company/293260.

[8] Google also operates data centres in Finland, Belgium and Amsterdam.

[9] Jason Verge, “Facebook To Submit Plans For $220M Data Center In Ireland”, in Data Center Knowledge, 15 June 2015, at http://www.datacenterknowledge.com/archives/2015/06/15/facebook-submit-plans-220m-data-center-ireland/.

[10] Davin O’Dwyer, “Ireland’s data centre boom set to continue”, 5 March 2015, http://www.irishtimes.com/business/technology/ireland-s-data-centre-boom-set-to-continue-1.2126081.

[11] See “Silicon Valley fights European Court of Justice ruling with small print”, The Register, 7 October 2015, at http://www.theregister.co.uk/2015/10/07/us_cloud_giants_privacy_brief_safe_harbour/.

[12] SWIFT is the Society for Worldwide Interbank Financial Telecommunication.

[13] New York Times, 11 June 2013: ‘At the March Senate hearing, Mr. Wyden asked Mr. Clapper, “Does the N.S.A. collect any type of data at all on millions or hundreds of millions of Americans?” “No, sir,” Mr. Clapper replied. “Not wittingly.” Mr. Wyden said on Tuesday that he had sent his question to Mr. Clapper’s office a day before the hearing, and had given his office a chance to correct the misstatement after the hearing, but to no avail. In an interview on Sunday with NBC News, Mr. Clapper acknowledged that his answer had been problematic, calling it “the least untruthful” answer he could give.’


Republishing and referencing

Bruegel considers itself a public good and takes no institutional standpoint. Anyone is free to republish and/or quote this post without prior consent. Please provide a full reference, clearly stating Bruegel and the relevant author as the source, and include a prominent hyperlink to the original post.

View comments
Read article Download PDF

Policy Contribution

European Parliament

Hybrid and cybersecurity threats and the European Union’s financial system

The authors document the rise in hybrid threats and cyber attacks in the European Union. Exploring preparations to increase the resilience of the financial system they find that at the individual institutional level, significant measures have been taken, but the EU finance ministers should advance a broader political discussion on the integration of the EU security architecture applicable to the financial system.

By: Maria Demertzis and Guntram B. Wolff Topic: European Macroeconomics & Governance, European Parliament, Finance & Financial Regulation, Testimonies Date: September 12, 2019
Read article More on this topic More by this author

Blog Post

Breaking up big companies and market power concentration

Senator Elizabeth Warren proposes the break-up of big tech companies. A report for the UK government presents another approach for regulating the digital economy. And IMF research serves as a reminder that concentration of market power extends beyond digital. This blog reviews the debate.

By: Konstantinos Efstathiou Topic: Innovation & Competition Policy Date: April 29, 2019
Read article More on this topic More by this author

Podcast

Podcast

Director’s Cut: How to make Industry 4.0 work for Europe

Bruegel director Guntram Wolff talks to Padmashree Gehl Sampath, a Berkman Klein fellow at Harvard University, on the consequences of ‘new manufacturing’ for European industrial policymaking.

By: The Sound of Economics Topic: Innovation & Competition Policy Date: April 2, 2019
Read article More on this topic More by this author

Podcast

Podcast

Director's Cut: Balancing free trade with national security interests

In this episode of Director's Cut, Stephanie Segal of CSIS joins Bruegel's Guntram Wolff and Maria Demertzis for a conversation about the tension between free trade and national security issues, and the emerging threats to multilateralism.

By: The Sound of Economics Topic: Global Economics & Governance Date: February 19, 2019
Read about event More on this topic

Past Event

Past Event

Civil society for the digital age

What is the place of civil society in the digital age as well as the role of technology in society?

Speakers: Eline Chivot, Orla Lynskey, Bertin Martens, Georgios Petropoulos, Thiébaut Weber and Glen Weyl Topic: Innovation & Competition Policy Location: Bruegel, Rue de la Charité 33, 1210 Brussels Date: December 4, 2018
Read article More on this topic More by this author

Podcast

Podcast

Backstage: How think-tanks can make themselves heard in an information-rich world

Think-tanks have come a long way since their organisational blueprint was first conceived, but they have work to do in order to adapt to meet the needs of both policymakers and the general public, and transmit their signals above the noise of the modern age.

By: The Sound of Economics Topic: Global Economics & Governance Date: November 8, 2018
Read about event

Past Event

Past Event

Global Think Tank Summit 2018

The public session of the Global Think Tank Summit will discuss trade and fair global competition

Speakers: Edward Kofi Anan Brown, Aart de Geus, Zhao Hai, Jacob Funk Kirkegaard, Cecilia Malmström, Catherine McBride, James McGann, Jan Mischke, Izumi Ohno and Guntram B. Wolff Topic: Energy & Climate, Global Economics & Governance Location: Bozar, Rue Ravenstein 23, 1000 Bruxelles Date: November 7, 2018
Read article More on this topic More by this author

Blog Post

Post-Brexit transfers of personal data: The clock is ticking

The UK government would like to keep EU-UK data transfers largely the same following the country's separation from the EU. But talks have yet to even commence on a future data-sharing relationship, and a landmark European Court of Human Rights ruling in September bodes poorly for the UK's future status under the EU’s General Data Protection Regulation.

By: J. Scott Marcus Topic: European Macroeconomics & Governance Date: November 7, 2018
Read about event More on this topic

Past Event

Past Event

EU-LAC Economic Forum 2018

The second edition of the EU-LAC Economic Forum, a high level gathering for in-depth research-based exchanges on economic issues between European, Latin American and Caribbean (LAC) policy makers and experts.

Speakers: Angel Badillo, Federico Bonaglia, Maria Demertzis, Sylvie Durán, Guillermo Fernández de Soto, Alicia García-Herrero, Elisa Grafulla, Gonzalo Gutiérrez, Bert Hoffmann, Juan Jung, Emilio Lamo de Espinosa, Carlos Malamud, J. Scott Marcus, Neven Mimica, Fabio Nasarre de Letosa, Detlef Nolte, Anne Sperschneider and Guntram B. Wolff Topic: Global Economics & Governance Location: Bruegel, Rue de la Charité 33, 1210 Brussels Date: June 26, 2018
Read article Download PDF More on this topic

External Publication

Network Sharing and 5G in Europe: The Potential Benefits of Using SDN or NFV

What technological, economic, and regulatory policy implications might flow from the use of Software Defined Networks (SDN) and Network Function Virtualisation (NFV) technologies, and what are the interactions among these different dimensions? The authors explore the application of SDN/NFV technology to achieve greater flexibility as to how communication networks are used.

By: J. Scott Marcus and Gabor Molnar Topic: Innovation & Competition Policy Date: December 7, 2017
Read article More on this topic

Blog Post

Can roaming be saved after Brexit?

The referendum where UK voters chose to exit the European Union has many unanticipated consequences. One that is gaining visibility in the UK just now is the impact of Brexit on mobile roaming arrangements. How might the UK maintain roaming arrangements with the EU in the event of a hard Brexit?

By: J. Scott Marcus and Robert G. Clarke Topic: Innovation & Competition Policy Date: September 21, 2017
Read about event More on this topic

Past Event

Past Event

Protecting the privacy of electronic communications: getting the next steps right

Do the European Commission's recent initiatives put us on the right path?

Speakers: Nicholas Blades, Orla Lynskey, J. Scott Marcus, Alexander Whalen and Jeremy Rollison Topic: Innovation & Competition Policy Location: Bruegel, Rue de la Charité 33, 1210 Brussels Date: April 25, 2017
Load more posts