Blog Post

Data transfers under the threat of terrorist attacks

The recent terrorist attacks in Paris and elsewhere have created an atmosphere of insecurity and fear among the citizens of the main European capitals. They have also highlighted the necessity for more effective tools at European level in the fight against terrorism and the prevention of future attacks in the European soil.

By: , and Date: December 15, 2015 Topic: Digital economy and innovation

In doing so, these incidents have also reawakened a long-simmering debate as to how best to reconcile these national security requirements both with individual privacy rights that we as Europeans hold dear, and with legitimate commercial use of personally identifiable data. The tensions among these three objectives are palpable, and have only intensified with the growing threat of terrorism and the growing value of personally identifiable data.

Data privacy implies restrictions on the free movement of data. Conversely, commercial efficiency in the digital world seems to require data flows that are restricted as little as possible. Intelligence services also have reason to want data to flow freely – in the absence of data flows, their surveillance would be undermined.

In particular, the recent decision of the European Court of Justice (ECJ) invalidating the Safe Harbour agreement between EU and US is legitimate in terms of protecting the privacy of Europeans, but at the same time raises the risk of “balkanisation” of data (notably between the US and the EU), with likely negative consequences on the digital economy.[1]

There is unlikely to be a simple, ideal solution at European level. What is likely needed are pragmatic compromises, solidly grounded in a clear understanding of the underlying tensions that we are trying to reconcile. To date, a clear understanding has not always been in evidence.


The economic value of data

Data is often referred to as the “oil of the 21st century”. Data has an economic value that affects online platforms and their clients, namely, companies and consumers. Online platforms act as intermediaries that collect data from consumers and sell advertising slots to companies. By analysing the data they receive by consumers, they can design effective and personalised advertising strategies for the companies’ products and services. In this way, companies are more successful in placing their products, and consumers receive better recommendations based on their individual interests – potentially a “win-win” situation, or Pareto improvement.

The benefits from the use of personally identifiable data to the sector are manifest. The funds generated by such advertisements are the main source of revenue for platforms such as Google and Facebook.[2]

The benefits to the individual, and through spill-overs into the broader economy, are more easily overlooked, as are the benefits in internal efficiency to multi-national organisations. For example, Netflix provides personalised recommendations for movies and shows based on users’ explicit taste preferences and ratings, viewing history, or friends’ recommendations. These personal data are gained through both Netflix’s own service and from data provided by social networks such as Facebook. The consumer arguably benefits.

At the same time, concerns over potential misuse of consumer data are not misplaced. Consumers are not always aware of how their data can be used by online platforms. As the New York Times have pointed out in their influential article “Facebook Is Using You”[3], past experience has shown that “… you might be refused health insurance based on a Google search you did about a medical condition. You might be shown a credit card with a lower credit limit, not because of your credit history, but because of your race, sex or ZIP code or the types of Web sites you visit.”

The Schrems case and Safe Harbour agreement between the EU and the US

The Safe Harbour agreement between European Union and the United States dates back to 26 July 2000 and facilitates the ability of businesses to move personal data collected in Europe to servers in US[4] (for instance, a social-media profile or payroll information) on the strength of guarantees provided by US authorities to provide an adequate level of data protection. To date, more than 4,000 companies have used Safe Harbour for data transfer[5].

On 26 June 2013, Austrian privacy activist and Facebook user Maximilian Schrems filed a complaint against Facebook, arguing that his personal data is not adequately protected when it is transferred to the US from Europe because Facebook makes the data available to the U.S. National Security Agency (NSA), for which the Safe Harbour protections are either unavailable or irrelevant.[6]

The European Court of Justice (ECJ) ruled on 6 October 2015 that the Safe Harbour agreement with the US is invalid because it does not ensure adequate data protection, a fundamental principle of EU data protection.

This decision put an end to a practice that had been used extensively for fifteen years, not only by US-based online platforms but also by multi-national corporations and by European online start-ups and service providers.

High-tech giants that need to transfer data have resorted to a range of work-arounds. For instance, Deutsche Telekom agreed to act as data trustee for Microsoft customer data collected in Germany and Europe,[7] while Microsoft itself will increase its operations using its Dublin data centre. Among the other cloud builders, Google[8] and Amazon already operate major data centres in Dublin, while Facebook[9] and Apple[10] had announced plans to build major server farms in Ireland even before the Schrems decision. In addition, several US-based firms have rushed to put in place model contract clauses that the European Commission advocates as a means of enabling them to transfer data to the US.[11]

How effective these measures will prove to be remains to be seen. Ensuring that European data remains in Europe might possibly enable US-based firms to offer cloud services to Europeans, assuming that the firms can offering convincing assurances that the data will not be subject to surveillance; however, it does not solve the data transfer issue for data that truly needs to be transferred.

The model clauses would appear to be at best a weak and temporary circumvention of the ECJ’s decision in the Schrems case, since US-based firms cannot and presumably will not avoid making the data available to US intelligence services, and will be prevented by US law from informing surveilled entities and individuals that they have done so. The decision in the Schrems case, after all, had nothing to do with commercial privacy practices – it was all about government surveillance for purposes of national security. This cannot be governed by private contract. Given that Safe Harbour has already been invalidated, it seems unlikely that the ECJ in a subsequent case would permit the model clauses to stand.

Even if the current work-arounds were to prove to be sustainable, they would effectively increase economic transaction costs (i.e. overhead costs of doing business) significantly for the firms that are forced to use them, thus effectively throwing sand in the economic gears of both the US and the EU.

Terrorist attacks lead to short term pressure for enhanced surveillance

In the past, terrorist attacks have often led to calls in the short term for authorities in the Member States to intensify surveillance, even at some sacrifice to the rights of the individual, and to collaborate closely with one another in exchanging data. In the longer term, there tends to be a return to normalcy as surveillance is relaxed in order to better comply with the fundamental rights of citizens.

For example, in light of the major attacks in the underground of Madrid in 2004 and the London bombings in 2005, the EU launched the Data Retention Directive in 2006 which required the providers of publicly available electronic communications services and networks to retain traffic and location data belonging to individuals or legal entities for up to two years.  In April 2014, however, the ECJ concluded that the Directive interferes with fundamental rights of EU citizens and violates the right to protection of personal data.

A similar oscillation is visible in regard to airline Passenger Name Record (PNR) data, and to SWIFT[12] records of financial transfers. A balance is sought between national security and privacy concerns, but the pendulum swings over time as the perceived threat level waxes or wanes.

Conclusions and Suggestions

The use and transfer of personally identifiable data can have large benefits for society – not only for platforms that use and sell the data, but also for the individuals that provide it, and for the broader digital economy.

In the aftermath of the recent attacks and increased calls for surveillance, together with the Schrems decision that prevent transfers of personally identiable data when national security authorities might abuse it, the ability to transfer data is likely to be challenged severely.

The tension between privacy and national security surveillance is different in many important respects from the tension between privacy and commercial use of data. Notably, surveillance authorities do not expect the data that the collected, or the fact that they collected it, to become public; consequently, it will be exceedingly difficult to police or meaningfully enforce any agreement that is reached as an alternative to the invalidated Safe Harbour arrangements.

There are well documented cases where senior US officials were less than fully forthcoming in statements to the US Congress.[13] Can we reasonably expect the US to be more forthcoming with European officials than with their own Congress? Former US president Ronald Reagan often said that one should “trust, but verify”. How can any agreement about the use of national security data be meaningfully verified?

It is widely acknowledged that an alternative to Safe Harbour needs to be put in place at European level, and quickly, in order to retain as much as possible the benefits of the free transfer of data, while duly respecting the need for commercial privacy.

The question that European policymakers must now confront is how to craft practical arrangements in the face of genuine increased needs for surveillance for purposes of national security, challenges to reaching an agreement with major trading partners notably including the US, and the near-impossibility of enforcing an agreement if one can be reached.

It is by no means clear how such an arrangement could be reached, but it is clear that components must include (1) cooperation at European level and with the Member States, (2) extraordinary pragmatism and willingness to compromise so as to achieve as much as is reasonably achievable, (3) setting the expectations of Europeans to realistic levels, all coupled with (4) the ambition to achieve as much protection of the privacy rights of Europeans as possible, as part of a solution that balances this appropriately with national security needs, through international negotiations.


[1] Ilsa Godlovitch, J. Scott Marcus, Bas Kotterink and Pieter Nooren (2015, forthcoming), Over-the-Top (OTT) players: Market dynamics and policy challenges, study for the European Parliament.

[2] For example, according to Facebook annual report in 2014, advertisements corresponded to the 92% of the company’s revenue that year ( Google’s revenues are also mainly (more than 90%) based on advertising (


[4] Under the EU Directive on Data Protection, transfers of personal data to non-EU countries are permitted only to countries that provide an adequate level of privacy protection.


[6] This claim is based on the revelations of the former NSA contractor Edward Snowden about the NSA’s PRISM mass surveillance program.

[7] See “Deutsche Telekom to act as Data Trustee for Microsoft Cloud in Germany”, 11 November 2015, at

[8] Google also operates data centres in Finland, Belgium and Amsterdam.

[9] Jason Verge, “Facebook To Submit Plans For $220M Data Center In Ireland”, in Data Center Knowledge, 15 June 2015, at

[10] Davin O’Dwyer, “Ireland’s data centre boom set to continue”, 5 March 2015,

[11] See “Silicon Valley fights European Court of Justice ruling with small print”, The Register, 7 October 2015, at

[12] SWIFT is the Society for Worldwide Interbank Financial Telecommunication.

[13] New York Times, 11 June 2013: ‘At the March Senate hearing, Mr. Wyden asked Mr. Clapper, “Does the N.S.A. collect any type of data at all on millions or hundreds of millions of Americans?” “No, sir,” Mr. Clapper replied. “Not wittingly.” Mr. Wyden said on Tuesday that he had sent his question to Mr. Clapper’s office a day before the hearing, and had given his office a chance to correct the misstatement after the hearing, but to no avail. In an interview on Sunday with NBC News, Mr. Clapper acknowledged that his answer had been problematic, calling it “the least untruthful” answer he could give.’

Republishing and referencing

Bruegel considers itself a public good and takes no institutional standpoint. Anyone is free to republish and/or quote this post without prior consent. Please provide a full reference, clearly stating Bruegel and the relevant author as the source, and include a prominent hyperlink to the original post.

Read article More on this topic More by this author

Blog Post

European governance

Does the war in Ukraine call for a new Next Generation EU?

The European Union should take significant economic measures in response to the war in Ukraine, but a new Next Generation EU is not needed yet.

By: André Sapir Topic: European governance Date: May 17, 2022
Read article

Blog Post

The European Union should sanction Sberbank and other Russian banks

Sanctions on Sberbank and most other Russian banks should be imposed by the EU, without delay and at no major cost to either itself or like-minded countries, while it ponders an oil and gas ban.

By: Joshua Kirschenbaum and Nicolas Véron Topic: Banking and capital markets, Global economy and trade Date: April 15, 2022
Read article More on this topic

Blog Post

The decoupling of Russia: high-tech goods and components

Sanctions on high-tech goods supplies, combined with financial sanctions and other restrictions, will deprive Russia of a future as a modern economy.

By: Monika Grzegorczyk, J. Scott Marcus, Niclas Poitiers and Pauline Weil Topic: Global economy and trade Date: March 28, 2022
Read article

Blog Post

The decoupling of Russia: software, media and online services

Restrictions so far on software, media and online services in Russia have been imposed either voluntarily by firms, or else by Russia itself in order to restrict the flow of information.

By: J. Scott Marcus, Niclas Poitiers and Pauline Weil Topic: Digital economy and innovation, Global economy and trade Date: March 22, 2022
Read article More on this topic

Blog Post

The impact of the war in Ukraine on food security

Global food production will be sufficient to feed the global population this year. But export bans, high prices and increasing transport cost might prevent vulnerable countries from procuring sufficient food supplies. Measures to ensure global access to scarcer food supplies and to boost grain production are warranted.

By: Pauline Weil and Georg Zachmann Topic: Global economy and trade Date: March 21, 2022
Read article More on this topic

Blog Post

Can Europe manage if Russian oil and coal are cut off?

A stop to Russian oil and coal supplies would push Europe into a short and painful adjustment period. But if managed well, disruptions would remain temporary.

By: Ben McWilliams, Giovanni Sgaravatti, Simone Tagliapietra and Georg Zachmann Topic: Green economy Date: March 17, 2022
Read article


How to wean Europe off Russian gas as swiftly as possible

A trans-Atlantic pact between North America and Europe is essential if Europe is to free itself in the short term from its dependence on Russian energy.

By: Morgan Bazilian, Simone Tagliapietra and Georg Zachmann Topic: Global economy and trade, Green economy Date: March 14, 2022
Read article


How Europe can defeat Russia’s divide and rule strategy in the long term

The European Union will have to bolster members most vulnerable to Russian blackmail and rethink the structure of European energy markets in order to effectively counter Putin.

By: Simone Tagliapietra and Guntram B. Wolff Topic: Global economy and trade, Green economy Date: March 10, 2022
Read article More on this topic More by this author

Blog Post

Can China bail out Putin?

Even with help from China, Russia will be unable to mitigate the immediate impact of Western sanctions.

By: Alicia García-Herrero Topic: Global economy and trade Date: March 9, 2022
Read article More on this topic More by this author

Blog Post

The economic policy consequences of the war

The Ukraine war will have significant economic policy consequences for the European Union and its members, arising from the adverse supply shock triggered by the rise in oil and gas prices, energy independence measures, the inflow of refugees and boosted defence spending. Their direct budgetary implications could be 1.1/4% of GDP in 2022.

By: Jean Pisani-Ferry Topic: Global economy and trade Date: March 8, 2022
Read article More on this topic

Blog Post

War in Europe: the financial front

Russia is reeling from massive financial sanctions, while Ukraine’s financial system is battered but remains functional, and the EU and global financial systems have rather easily absorbed the initial shock.

By: Joshua Kirschenbaum and Nicolas Véron Topic: Global economy and trade Date: March 7, 2022
Read article


How Europe can sustain Russia sanctions

Russia's war in Ukraine has underscored the need for Europe finally to invest more in its own defence and security. Such an outrageous act of aggression calls for harsh sanctions, which will require new policy mechanisms to help EU countries maintain solidarity.

By: Ana Palacio, Silvia Merler, Francesco Nicoli and Simone Tagliapietra Topic: Global economy and trade, Green economy Date: March 1, 2022
Load more posts