After a year of turmoil following the abolition of Safe Harbor, and the controversial birthing of its replacement, Privacy Shield, the European Commission now looks more determined than ever to keep EU-U.S. data flows going at any cost.
Commission Vice President Andrus Ansip is due to present a draft law banning “forced data localization” before the end of the year.
Approximately 21 EU countries currently have laws requiring companies to store certain types of, primarily personal, data locally, and last month a new coalition of cloud companies published a voluntary code of conduct aimed at keeping European data inside Europe.
If individuals had more control and portability of their own data, they could choose between rival service providers who want to use it. This is not a complicated business model for a new market. But it does depend on data being transferable between locations. — EU Commission Vice President Andrus Ansip
But as the clock is ticking on the controversial Trade in Services Agreement (TiSA), Ansip said that he wants to eliminate legal barriers to online cross-border trade — including forced data localization rules.
Speaking at the Consumer Summit in Brussels last week, he said: “Whatever it is used for, data is the basis for progress and opportunity. Data is a commodity. The right to use that data can be transferred. So can its physical location. It can be marketed, reused, aggregated, transformed, bought and sold. Although we possess this digital information, we do not yet fully control it.”
Despite saying that “trust is everything” and that “the starting point for anything to do with data is privacy,” Ansip made a strong case for business interests, while couching it in terms designed to appeal to consumers.
“We simply need more freedom for people to access data and decide how it is used. But this can be difficult for them — so perhaps we need new intermediaries like data brokers to gain the full value of our data. Why not? It is another good reason not to be afraid of data.
“If individuals had more control and portability of their own data, they could choose between rival service providers who want to use it. This is not a complicated business model for a new market. But it does depend on data being transferable between locations,” said Ansip.
“Data has to be able to move freely, across national borders and in a single data space. If it does not, the growth potential of our digital economy will be limited,” said the Commissioner. According to the Commission, the value of personal data in Europe could grow to nearly €1 trillion annually by 2020.
Yet many businesses see an economic case for keeping data local. Cloud Infrastructure Services Providers in Europe (CISPE) is a newly-formed coalition of more than 20 cloud infrastructure providers and has created a “trust mark” that identifies signatories who will “provide to the customer information about the region and country where their data is stored and processed” by the company or sub-contractors. According to CISPE, this will, at least, allow the customer to identify which EU member state has jurisdiction over their data.
Trade negotiations are not suitable for shaping rules affecting the fundamental rights to privacy and data protection. If the EU was unable to ensure protections of fundamental rights in the Privacy Shield [over allegations of spying], on what basis could it think that trade agreements would achieve a better result? — Maryant Fernández Pérez of EDRi.
The elephant in the room is concern over alleged surveillance and bulk data collection by national intelligence agencies. While companies and consumers alike may baulk at the idea of forced localization, activists and businesses also fear that putting rules into trade agreements to force the opposite will leave consumers open to risks.
Certain TiSA negotiators, including the U.S., support text that says “no Party may prevent a service supplier of another Party from transferring, [accessing, processing or storing] information, including personal information, within or outside the Party’s territory, where such activity is carried out in connection with the conduct of the service supplier’s business.” Although the current TiSA text requires that privacy laws have to be applied in the receiving country, it is still not clear how this will be guaranteed, particularly as most trade agreements include national security exceptions.
“Trade negotiations are not suitable for shaping rules affecting the fundamental rights to privacy and data protection. If the EU was unable to ensure protections of fundamental rights in the Privacy Shield [over allegations of spying], on what basis could it think that trade agreements would achieve a better result?” asked Maryant Fernández Pérez, advocacy manager at European digital rights group, EDRi, pointing out that the General Data Protection Regulation provides more alternatives to transfer data of EU citizens abroad, such as self-certification.
“Having lobbied unsuccessfully against the General Data Protection Regulation, having successfully lobbied for a flawed, inevitably temporary “Privacy Shield," having incomprehensibly asked the Commission to repeal the e-Privacy Directive, it is understandable that industry lobbyists, backed by the U.S. government want to make sure whatever protections on privacy and personal data are contingent on a nebulous and unpredictable understanding of “necessity” and “proportionality” in trade agreements, whereby fundamental rights will always be de-prioritised compared with trade concerns,” said EDRi.
TiSA is currently being negotiated as a replacement to the mostly defunct WTO General Agreement on Trade in Services from 1995, and a final agreement could be reached in the coming months.
photo credit: Wouter de Bruijn Morning dew via photopin