Blog Post

Data transfers under the threat of terrorist attacks

The recent terrorist attacks in Paris and elsewhere have created an atmosphere of insecurity and fear among the citizens of the main European capitals. They have also highlighted the necessity for more effective tools at European level in the fight against terrorism and the prevention of future attacks in the European soil.

By: , and Date: December 15, 2015 Topic: Digital economy and innovation

In doing so, these incidents have also reawakened a long-simmering debate as to how best to reconcile these national security requirements both with individual privacy rights that we as Europeans hold dear, and with legitimate commercial use of personally identifiable data. The tensions among these three objectives are palpable, and have only intensified with the growing threat of terrorism and the growing value of personally identifiable data.

Data privacy implies restrictions on the free movement of data. Conversely, commercial efficiency in the digital world seems to require data flows that are restricted as little as possible. Intelligence services also have reason to want data to flow freely – in the absence of data flows, their surveillance would be undermined.

In particular, the recent decision of the European Court of Justice (ECJ) invalidating the Safe Harbour agreement between EU and US is legitimate in terms of protecting the privacy of Europeans, but at the same time raises the risk of “balkanisation” of data (notably between the US and the EU), with likely negative consequences on the digital economy.[1]

There is unlikely to be a simple, ideal solution at European level. What is likely needed are pragmatic compromises, solidly grounded in a clear understanding of the underlying tensions that we are trying to reconcile. To date, a clear understanding has not always been in evidence.


The economic value of data

Data is often referred to as the “oil of the 21st century”. Data has an economic value that affects online platforms and their clients, namely, companies and consumers. Online platforms act as intermediaries that collect data from consumers and sell advertising slots to companies. By analysing the data they receive by consumers, they can design effective and personalised advertising strategies for the companies’ products and services. In this way, companies are more successful in placing their products, and consumers receive better recommendations based on their individual interests – potentially a “win-win” situation, or Pareto improvement.

The benefits from the use of personally identifiable data to the sector are manifest. The funds generated by such advertisements are the main source of revenue for platforms such as Google and Facebook.[2]

The benefits to the individual, and through spill-overs into the broader economy, are more easily overlooked, as are the benefits in internal efficiency to multi-national organisations. For example, Netflix provides personalised recommendations for movies and shows based on users’ explicit taste preferences and ratings, viewing history, or friends’ recommendations. These personal data are gained through both Netflix’s own service and from data provided by social networks such as Facebook. The consumer arguably benefits.

At the same time, concerns over potential misuse of consumer data are not misplaced. Consumers are not always aware of how their data can be used by online platforms. As the New York Times have pointed out in their influential article “Facebook Is Using You”[3], past experience has shown that “… you might be refused health insurance based on a Google search you did about a medical condition. You might be shown a credit card with a lower credit limit, not because of your credit history, but because of your race, sex or ZIP code or the types of Web sites you visit.”

The Schrems case and Safe Harbour agreement between the EU and the US

The Safe Harbour agreement between European Union and the United States dates back to 26 July 2000 and facilitates the ability of businesses to move personal data collected in Europe to servers in US[4] (for instance, a social-media profile or payroll information) on the strength of guarantees provided by US authorities to provide an adequate level of data protection. To date, more than 4,000 companies have used Safe Harbour for data transfer[5].

On 26 June 2013, Austrian privacy activist and Facebook user Maximilian Schrems filed a complaint against Facebook, arguing that his personal data is not adequately protected when it is transferred to the US from Europe because Facebook makes the data available to the U.S. National Security Agency (NSA), for which the Safe Harbour protections are either unavailable or irrelevant.[6]

The European Court of Justice (ECJ) ruled on 6 October 2015 that the Safe Harbour agreement with the US is invalid because it does not ensure adequate data protection, a fundamental principle of EU data protection.

This decision put an end to a practice that had been used extensively for fifteen years, not only by US-based online platforms but also by multi-national corporations and by European online start-ups and service providers.

High-tech giants that need to transfer data have resorted to a range of work-arounds. For instance, Deutsche Telekom agreed to act as data trustee for Microsoft customer data collected in Germany and Europe,[7] while Microsoft itself will increase its operations using its Dublin data centre. Among the other cloud builders, Google[8] and Amazon already operate major data centres in Dublin, while Facebook[9] and Apple[10] had announced plans to build major server farms in Ireland even before the Schrems decision. In addition, several US-based firms have rushed to put in place model contract clauses that the European Commission advocates as a means of enabling them to transfer data to the US.[11]

How effective these measures will prove to be remains to be seen. Ensuring that European data remains in Europe might possibly enable US-based firms to offer cloud services to Europeans, assuming that the firms can offering convincing assurances that the data will not be subject to surveillance; however, it does not solve the data transfer issue for data that truly needs to be transferred.

The model clauses would appear to be at best a weak and temporary circumvention of the ECJ’s decision in the Schrems case, since US-based firms cannot and presumably will not avoid making the data available to US intelligence services, and will be prevented by US law from informing surveilled entities and individuals that they have done so. The decision in the Schrems case, after all, had nothing to do with commercial privacy practices – it was all about government surveillance for purposes of national security. This cannot be governed by private contract. Given that Safe Harbour has already been invalidated, it seems unlikely that the ECJ in a subsequent case would permit the model clauses to stand.

Even if the current work-arounds were to prove to be sustainable, they would effectively increase economic transaction costs (i.e. overhead costs of doing business) significantly for the firms that are forced to use them, thus effectively throwing sand in the economic gears of both the US and the EU.

Terrorist attacks lead to short term pressure for enhanced surveillance

In the past, terrorist attacks have often led to calls in the short term for authorities in the Member States to intensify surveillance, even at some sacrifice to the rights of the individual, and to collaborate closely with one another in exchanging data. In the longer term, there tends to be a return to normalcy as surveillance is relaxed in order to better comply with the fundamental rights of citizens.

For example, in light of the major attacks in the underground of Madrid in 2004 and the London bombings in 2005, the EU launched the Data Retention Directive in 2006 which required the providers of publicly available electronic communications services and networks to retain traffic and location data belonging to individuals or legal entities for up to two years.  In April 2014, however, the ECJ concluded that the Directive interferes with fundamental rights of EU citizens and violates the right to protection of personal data.

A similar oscillation is visible in regard to airline Passenger Name Record (PNR) data, and to SWIFT[12] records of financial transfers. A balance is sought between national security and privacy concerns, but the pendulum swings over time as the perceived threat level waxes or wanes.

Conclusions and Suggestions

The use and transfer of personally identifiable data can have large benefits for society – not only for platforms that use and sell the data, but also for the individuals that provide it, and for the broader digital economy.

In the aftermath of the recent attacks and increased calls for surveillance, together with the Schrems decision that prevent transfers of personally identiable data when national security authorities might abuse it, the ability to transfer data is likely to be challenged severely.

The tension between privacy and national security surveillance is different in many important respects from the tension between privacy and commercial use of data. Notably, surveillance authorities do not expect the data that the collected, or the fact that they collected it, to become public; consequently, it will be exceedingly difficult to police or meaningfully enforce any agreement that is reached as an alternative to the invalidated Safe Harbour arrangements.

There are well documented cases where senior US officials were less than fully forthcoming in statements to the US Congress.[13] Can we reasonably expect the US to be more forthcoming with European officials than with their own Congress? Former US president Ronald Reagan often said that one should “trust, but verify”. How can any agreement about the use of national security data be meaningfully verified?

It is widely acknowledged that an alternative to Safe Harbour needs to be put in place at European level, and quickly, in order to retain as much as possible the benefits of the free transfer of data, while duly respecting the need for commercial privacy.

The question that European policymakers must now confront is how to craft practical arrangements in the face of genuine increased needs for surveillance for purposes of national security, challenges to reaching an agreement with major trading partners notably including the US, and the near-impossibility of enforcing an agreement if one can be reached.

It is by no means clear how such an arrangement could be reached, but it is clear that components must include (1) cooperation at European level and with the Member States, (2) extraordinary pragmatism and willingness to compromise so as to achieve as much as is reasonably achievable, (3) setting the expectations of Europeans to realistic levels, all coupled with (4) the ambition to achieve as much protection of the privacy rights of Europeans as possible, as part of a solution that balances this appropriately with national security needs, through international negotiations.


[1] Ilsa Godlovitch, J. Scott Marcus, Bas Kotterink and Pieter Nooren (2015, forthcoming), Over-the-Top (OTT) players: Market dynamics and policy challenges, study for the European Parliament.

[2] For example, according to Facebook annual report in 2014, advertisements corresponded to the 92% of the company’s revenue that year ( Google’s revenues are also mainly (more than 90%) based on advertising (


[4] Under the EU Directive on Data Protection, transfers of personal data to non-EU countries are permitted only to countries that provide an adequate level of privacy protection.


[6] This claim is based on the revelations of the former NSA contractor Edward Snowden about the NSA’s PRISM mass surveillance program.

[7] See “Deutsche Telekom to act as Data Trustee for Microsoft Cloud in Germany”, 11 November 2015, at

[8] Google also operates data centres in Finland, Belgium and Amsterdam.

[9] Jason Verge, “Facebook To Submit Plans For $220M Data Center In Ireland”, in Data Center Knowledge, 15 June 2015, at

[10] Davin O’Dwyer, “Ireland’s data centre boom set to continue”, 5 March 2015,

[11] See “Silicon Valley fights European Court of Justice ruling with small print”, The Register, 7 October 2015, at

[12] SWIFT is the Society for Worldwide Interbank Financial Telecommunication.

[13] New York Times, 11 June 2013: ‘At the March Senate hearing, Mr. Wyden asked Mr. Clapper, “Does the N.S.A. collect any type of data at all on millions or hundreds of millions of Americans?” “No, sir,” Mr. Clapper replied. “Not wittingly.” Mr. Wyden said on Tuesday that he had sent his question to Mr. Clapper’s office a day before the hearing, and had given his office a chance to correct the misstatement after the hearing, but to no avail. In an interview on Sunday with NBC News, Mr. Clapper acknowledged that his answer had been problematic, calling it “the least untruthful” answer he could give.’

Republishing and referencing

Bruegel considers itself a public good and takes no institutional standpoint. Anyone is free to republish and/or quote this post without prior consent. Please provide a full reference, clearly stating Bruegel and the relevant author as the source, and include a prominent hyperlink to the original post.

Read article More on this topic More by this author


A timid start for European Union data governance

Europe needs all pieces of its data strategy puzzle to be in place to enhance its competitive position: there is still a long way to go.

By: Mario Mariniello Topic: Digital economy and innovation Date: November 26, 2020
Read about event More on this topic

Past Event

Past Event

Free movement of data: how to maintain necessary sharing among the EU, UK, and USA?

In the current legal climate, how can the EU, the US and the UK continue to share data?

Speakers: Christian Borggreen, Joe Jones, Christian Kastrop, J. Scott Marcus and Reinhilde Veugelers Topic: Digital economy and innovation Location: Bruegel, Rue de la Charité 33, 1210 Brussels Date: November 25, 2020
Read about event More on this topic

Past Event

Past Event

Future of data economy: a conversation with Thierry Breton and Maximilian Schrems

How will the data travel between the EU and the US in the aftermath of the Schrems II ruling?

Speakers: Thierry Breton, J. Scott Marcus and Maximilian Schrems Topic: Digital economy and innovation Location: Bruegel, Rue de la Charité 33, 1210 Brussels Date: November 24, 2020
Read article More on this topic

Blog Post

New challenges to transfers of personal data from the EU to the United States

The judgment not only immediately invalidates Privacy Shield, but may also have the effect, once the dust has settled, of effectively blocking transfers of personal data to the USA using the popular mechanism of Standard Contractual Clauses (SCCs).

By: J. Scott Marcus and Bruegel Topic: Global economy and trade Date: July 20, 2020
Read about event More on this topic

Past Event

Past Event

Technology, data, privacy, and the fight against disease

Reconciling health and privacy needs.

Speakers: Anna Buchta, Bennett Cyphers, Simon Hania, Caroline Louveaux, J. Scott Marcus and Mikko Niva Topic: Digital economy and innovation Location: Bruegel, Rue de la Charité 33, 1210 Brussels Date: April 22, 2020
Read article More on this topic More by this author

Blog Post

Artificial intelligence in the fight against COVID-19

Artificial intelligence can help fight the coronavirus through applications including population screening, notifications of when to seek medical help and tracking how infection spreads. The COVID-19 outbreak has triggered intense work on such applications, but it will take time before results become visible.

By: Georgios Petropoulos Topic: Digital economy and innovation Date: March 23, 2020
Read article More on this topic More by this author

Blog Post

Big data versus COVID-19: opportunities and privacy challenges

All available resources need to be brought to bear on the novel coronavirus COVID-19. To what extent can digital technology help? What risks are there in using big data to combat COVID-19, and what policies can mitigate any limitations that these risks impose?

By: J. Scott Marcus Topic: Digital economy and innovation Date: March 23, 2020
Read about event More on this topic

Past Event

Past Event

The Sound of Economics Live - The Brussels effect: How the European Union rules the world

This was a live recording of an episode of the Sound of Economics, Bruegel's podcast series. The discussion centered around the book of Anu Bradford, The Brussels Effect.

Speakers: Anu Bradford, Ashoka Mody, Giuseppe Porcaro and Guntram B. Wolff Topic: Macroeconomic policy Location: Bruegel, Rue de la Charité 33, 1210 Brussels Date: March 3, 2020
Read about event More on this topic

Past Event

Past Event

Hybrid threats in the financial system

This one-day workshop focused on hybrid threats in the context of the financial system by examining vulnerabilities and raising awareness, looking for solutions in the form of effective protection measures and improved resilience.

Speakers: Atso Andersén, Heiko Borchert, Dirk Clausmeier, Maria Demertzis, Päivi Heikkinen, Nina Lange, César Pérez-Chirinos, Jukka Savolainen, Teija Tiilikainen, Nicolas Véron, Jaakko Weuro and Guntram B. Wolff Topic: Banking and capital markets Location: Bruegel, Rue de la Charité 33, 1210 Brussels Date: February 12, 2020
Read article Download PDF

Policy Contribution

European Parliament

Hybrid and cybersecurity threats and the European Union’s financial system

The authors document the rise in hybrid threats and cyber attacks in the European Union. Exploring preparations to increase the resilience of the financial system they find that at the individual institutional level, significant measures have been taken, but the EU finance ministers should advance a broader political discussion on the integration of the EU security architecture applicable to the financial system.

By: Maria Demertzis and Guntram B. Wolff Topic: Banking and capital markets, European Parliament, Macroeconomic policy, Testimonies Date: September 12, 2019
Read article More on this topic

Blog Post

Breaking up big companies and market power concentration

Senator Elizabeth Warren proposes the break-up of big tech companies. A report for the UK government presents another approach for regulating the digital economy. And IMF research serves as a reminder that concentration of market power extends beyond digital. This blog reviews the debate.

By: Konstantinos Efstathiou and Bruegel Topic: Digital economy and innovation Date: April 29, 2019
Read article More on this topic More by this author



Director’s Cut: How to make Industry 4.0 work for Europe

Bruegel director Guntram Wolff talks to Padmashree Gehl Sampath, a Berkman Klein fellow at Harvard University, on the consequences of ‘new manufacturing’ for European industrial policymaking.

By: The Sound of Economics Topic: Digital economy and innovation Date: April 2, 2019
Load more posts