Data transfers under the threat of terrorist attacks
The recent terrorist attacks in Paris and elsewhere have created an atmosphere of insecurity and fear among the citizens of the main European capitals
In doing so, these incidents have also reawakened a long-simmering debate as to how best to reconcile these national security requirements both with individual privacy rights that we as Europeans hold dear, and with legitimate commercial use of personally identifiable data. The tensions among these three objectives are palpable, and have only intensified with the growing threat of terrorism and the growing value of personally identifiable data.
Data privacy implies restrictions on the free movement of data. Conversely, commercial efficiency in the digital world seems to require data flows that are restricted as little as possible. Intelligence services also have reason to want data to flow freely – in the absence of data flows, their surveillance would be undermined.
In particular, the recent decision of the European Court of Justice (ECJ) invalidating the Safe Harbour agreement between EU and US is legitimate in terms of protecting the privacy of Europeans, but at the same time raises the risk of “balkanisation” of data (notably between the US and the EU), with likely negative consequences on the digital economy.[1]
There is unlikely to be a simple, ideal solution at European level. What is likely needed are pragmatic compromises, solidly grounded in a clear understanding of the underlying tensions that we are trying to reconcile. To date, a clear understanding has not always been in evidence.
The economic value of data
Data is often referred to as the “oil of the 21st century”. Data has an economic value that affects online platforms and their clients, namely, companies and consumers. Online platforms act as intermediaries that collect data from consumers and sell advertising slots to companies. By analysing the data they receive by consumers, they can design effective and personalised advertising strategies for the companies’ products and services. In this way, companies are more successful in placing their products, and consumers receive better recommendations based on their individual interests – potentially a “win-win” situation, or Pareto improvement.
The benefits from the use of personally identifiable data to the sector are manifest. The funds generated by such advertisements are the main source of revenue for platforms such as Google and Facebook.[2]
The benefits to the individual, and through spill-overs into the broader economy, are more easily overlooked, as are the benefits in internal efficiency to multi-national organisations. For example, Netflix provides personalised recommendations for movies and shows based on users’ explicit taste preferences and ratings, viewing history, or friends’ recommendations. These personal data are gained through both Netflix’s own service and from data provided by social networks such as Facebook. The consumer arguably benefits.
At the same time, concerns over potential misuse of consumer data are not misplaced. Consumers are not always aware of how their data can be used by online platforms. As the New York Times have pointed out in their influential article “Facebook Is Using You”[3], past experience has shown that “… you might be refused health insurance based on a Google search you did about a medical condition. You might be shown a credit card with a lower credit limit, not because of your credit history, but because of your race, sex or ZIP code or the types of Web sites you visit.”
The Schrems case and Safe Harbour agreement between the EU and the US
The Safe Harbour agreement between European Union and the United States dates back to 26 July 2000 and facilitates the ability of businesses to move personal data collected in Europe to servers in US[4] (for instance, a social-media profile or payroll information) on the strength of guarantees provided by US authorities to provide an adequate level of data protection. To date, more than 4,000 companies have used Safe Harbour for data transfer[5].
On 26 June 2013, Austrian privacy activist and Facebook user Maximilian Schrems filed a complaint against Facebook, arguing that his personal data is not adequately protected when it is transferred to the US from Europe because Facebook makes the data available to the U.S. National Security Agency (NSA), for which the Safe Harbour protections are either unavailable or irrelevant.[6]
The European Court of Justice (ECJ) ruled on 6 October 2015 that the Safe Harbour agreement with the US is invalid because it does not ensure adequate data protection, a fundamental principle of EU data protection.
This decision put an end to a practice that had been used extensively for fifteen years, not only by US-based online platforms but also by multi-national corporations and by European online start-ups and service providers.
High-tech giants that need to transfer data have resorted to a range of work-arounds. For instance, Deutsche Telekom agreed to act as data trustee for Microsoft customer data collected in Germany and Europe,[7] while Microsoft itself will increase its operations using its Dublin data centre. Among the other cloud builders, Google[8] and Amazon already operate major data centres in Dublin, while Facebook[9] and Apple[10] had announced plans to build major server farms in Ireland even before the Schrems decision. In addition, several US-based firms have rushed to put in place model contract clauses that the European Commission advocates as a means of enabling them to transfer data to the US.[11]
How effective these measures will prove to be remains to be seen. Ensuring that European data remains in Europe might possibly enable US-based firms to offer cloud services to Europeans, assuming that the firms can offering convincing assurances that the data will not be subject to surveillance; however, it does not solve the data transfer issue for data that truly needs to be transferred.
The model clauses would appear to be at best a weak and temporary circumvention of the ECJ’s decision in the Schrems case, since US-based firms cannot and presumably will not avoid making the data available to US intelligence services, and will be prevented by US law from informing surveilled entities and individuals that they have done so. The decision in the Schrems case, after all, had nothing to do with commercial privacy practices – it was all about government surveillance for purposes of national security. This cannot be governed by private contract. Given that Safe Harbour has already been invalidated, it seems unlikely that the ECJ in a subsequent case would permit the model clauses to stand.
Even if the current work-arounds were to prove to be sustainable, they would effectively increase economic transaction costs (i.e. overhead costs of doing business) significantly for the firms that are forced to use them, thus effectively throwing sand in the economic gears of both the US and the EU.
Terrorist attacks lead to short term pressure for enhanced surveillance
In the past, terrorist attacks have often led to calls in the short term for authorities in the Member States to intensify surveillance, even at some sacrifice to the rights of the individual, and to collaborate closely with one another in exchanging data. In the longer term, there tends to be a return to normalcy as surveillance is relaxed in order to better comply with the fundamental rights of citizens.
For example, in light of the major attacks in the underground of Madrid in 2004 and the London bombings in 2005, the EU launched the Data Retention Directive in 2006 which required the providers of publicly available electronic communications services and networks to retain traffic and location data belonging to individuals or legal entities for up to two years. In April 2014, however, the ECJ concluded that the Directive interferes with fundamental rights of EU citizens and violates the right to protection of personal data.
A similar oscillation is visible in regard to airline Passenger Name Record (PNR) data, and to SWIFT[12] records of financial transfers. A balance is sought between national security and privacy concerns, but the pendulum swings over time as the perceived threat level waxes or wanes.
Conclusions and Suggestions
The use and transfer of personally identifiable data can have large benefits for society – not only for platforms that use and sell the data, but also for the individuals that provide it, and for the broader digital economy.
In the aftermath of the recent attacks and increased calls for surveillance, together with the Schrems decision that prevent transfers of personally identiable data when national security authorities might abuse it, the ability to transfer data is likely to be challenged severely.
The tension between privacy and national security surveillance is different in many important respects from the tension between privacy and commercial use of data. Notably, surveillance authorities do not expect the data that the collected, or the fact that they collected it, to become public; consequently, it will be exceedingly difficult to police or meaningfully enforce any agreement that is reached as an alternative to the invalidated Safe Harbour arrangements.
There are well documented cases where senior US officials were less than fully forthcoming in statements to the US Congress.[13] Can we reasonably expect the US to be more forthcoming with European officials than with their own Congress? Former US president Ronald Reagan often said that one should “trust, but verify”. How can any agreement about the use of national security data be meaningfully verified?
It is widely acknowledged that an alternative to Safe Harbour needs to be put in place at European level, and quickly, in order to retain as much as possible the benefits of the free transfer of data, while duly respecting the need for commercial privacy.
The question that European policymakers must now confront is how to craft practical arrangements in the face of genuine increased needs for surveillance for purposes of national security, challenges to reaching an agreement with major trading partners notably including the US, and the near-impossibility of enforcing an agreement if one can be reached.
It is by no means clear how such an arrangement could be reached, but it is clear that components must include (1) cooperation at European level and with the Member States, (2) extraordinary pragmatism and willingness to compromise so as to achieve as much as is reasonably achievable, (3) setting the expectations of Europeans to realistic levels, all coupled with (4) the ambition to achieve as much protection of the privacy rights of Europeans as possible, as part of a solution that balances this appropriately with national security needs, through international negotiations.
[1] Ilsa Godlovitch, J. Scott Marcus, Bas Kotterink and Pieter Nooren (2015, forthcoming), Over-the-Top (OTT) players: Market dynamics and policy challenges, study for the European Parliament.
[2] For example, according to Facebook annual report in 2014, advertisements corresponded to the 92% of the company’s revenue that year (http://investor.fb.com/annuals.cfm). Google’s revenues are also mainly (more than 90%) based on advertising (https://investor.google.com/financial/tables.html).
[3] http://www.nytimes.com/2012/02/05/opinion/sunday/facebook-is-using-you…
[4] Under the EU Directive on Data Protection, transfers of personal data to non-EU countries are permitted only to countries that provide an adequate level of privacy protection.
[5] http://www.ft.com/cms/s/2/7544e716-6b87-11e5-aca9-d87542bf8673.html#axz…
[6] This claim is based on the revelations of the former NSA contractor Edward Snowden about the NSA’s PRISM mass surveillance program.
[7] See “Deutsche Telekom to act as Data Trustee for Microsoft Cloud in Germany”, 11 November 2015, at https://www.telekom.com/media/company/293260.
[8] Google also operates data centres in Finland, Belgium and Amsterdam.
[9] Jason Verge, “Facebook To Submit Plans For $220M Data Center In Ireland”, in Data Center Knowledge, 15 June 2015, at http://www.datacenterknowledge.com/archives/2015/06/15/facebook-submit-plans-220m-data-center-ireland/.
[10] Davin O’Dwyer, “Ireland’s data centre boom set to continue”, 5 March 2015, http://www.irishtimes.com/business/technology/ireland-s-data-centre-boom-set-to-continue-1.2126081.
[11] See “Silicon Valley fights European Court of Justice ruling with small print”, The Register, 7 October 2015, at http://www.theregister.co.uk/2015/10/07/us_cloud_giants_privacy_brief_safe_harbour/.
[12] SWIFT is the Society for Worldwide Interbank Financial Telecommunication.
[13] New York Times, 11 June 2013: ‘At the March Senate hearing, Mr. Wyden asked Mr. Clapper, “Does the N.S.A. collect any type of data at all on millions or hundreds of millions of Americans?” “No, sir,” Mr. Clapper replied. “Not wittingly.” Mr. Wyden said on Tuesday that he had sent his question to Mr. Clapper’s office a day before the hearing, and had given his office a chance to correct the misstatement after the hearing, but to no avail. In an interview on Sunday with NBC News, Mr. Clapper acknowledged that his answer had been problematic, calling it “the least untruthful” answer he could give.’