Published on March 8th, 2017 | by Nick Wallace0
European Commission Should Stand Firm on Free Data Flows
The European Commission is losing its nerve over the free flow of data. After initially saying it would announce a regulation to overturn national laws preventing data flows to other member states, it has kicked the issue into the long grass by relegating it to a public consultation. This is disappointing. Data flows are an essential part of trade in a great many services, and data localization is a trade barrier. To support the single market, the European Union should remove legal obstacles to data flows within the EU. It should also relax the rules in the General Data Protection Regulation (GDPR) governing transfers to non-EU countries. Doing so will bring down costs for European companies and consumers, strengthen competition in data-driven services, and bolster international trade.
The Commission originally planned to announce legislation on November 30, 2016, but less than a week before the due date, Vice President Andrus Ansip postponed it, saying, “It seems more complicated than I thought.” He said there would be a communication on the initiative in January, “then somewhere in June we will continue with the regulation… First communication, then concrete action.” Unfortunately, the communication that came—“Building the European data economy”— does not suggest that whatever is on the way is especially concrete. It makes little sense to launch a consultation that can only weaken what could otherwise have been a straightforward regulatory proposal. Bear in mind that any draft legislation would most likely be watered down as it goes through the Parliament and the Council anyway.
Vice President Andrus Ansip’s well-intended idea, repeated in the communication, that data flows should be a “fifth freedom” of the EU after people, capital, goods, and services ignores the crucial point that data is not separable from any of these four freedoms. For any of them to cross European borders without restraint, there needs to be a corresponding flow of data in the opposite direction—especially for services— because transactions are increasingly underpinned by larger and richer datasets.
But in talking about a “fifth freedom”, the Commission risks creating a rod for its own back by making it easier for opponents to misrepresent the free flow of data as new legal territory for the EU—a constitutional land-grab. The free flow of data is merely a simple and necessary regulatory measure to support the fundamental principles of the European single market.
The communication highlights the fact that data localization does nothing to guarantee privacy or security, but then contradicts itself by saying that the lack of cross-border security standards might justify data localization rules for data on critical energy infrastructure. This does not make sense: either data localization enhances the security of this data, or it does not. The correct answer is that it does not.
The communication also suggests that localization of some data might be justifiable in order to guarantee that law enforcement agencies can access it, thus simultaneously highlighting and ignoring the inadequacy of Mutual Legal Assistance (MLA) in the EU, which should ensure cross-border cooperation in criminal investigations, particularly evidence sharing. Data localization laws exacerbate this problem by weakening the impetus to tackle it at its source. Furthermore, all EU countries have laws requiring disclosure of certain types of data to the authorities, but few require data localization in order to guarantee it: if the UK’s Investigatory Powers Act 2016 can enforce such an extreme surveillance regime without data localization, then why should Germany’s telecoms surveillance law require it?
Furthermore, the Commission should not allow national governments to pass laws that supersede GDPR rules on data flows to non-EU countries. In May 2016, the French senate voted for an amendment to the Digital Republic bill that would outlaw all transfers of French citizens’ personal data to countries outside the EU, thereby throwing up a unilateral trade barrier and making a joke of the very notion of a having common European policy on this matter in the first place. A parliamentary joint committee ultimately threw out the amendment, but French procurement rules still make it illegal to store administrative data from local or national government bodies on a “non-sovereign” cloud server—that is, one not located in France.
The EU should also ease the GDPR’s restrictions on international data flows, which force spending on unnecessary data centers, driving up hosting costs and harming competition between European and non-European cloud services providers. Properly-encrypted data can be safely stored almost anywhere, even if the host country’s privacy practices resemble those of Airstrip One, and inadequately secured data is not safe anywhere, at home or abroad. This goes without even mentioning that the most likely primary destination of this data is the United States, where, irrespective of legal differences, de facto privacy protections “on the ground” are arguably stronger than in much of Europe. Storing data in the EU as a response to illegal snooping by the NSA does not protect privacy, but it does conveniently distract from the fact British, German, French, Belgian, and Swedish intelligence agencies do the same and worse.
The Commission should stop wavering and draft legislation that completely outlaws national prohibitions on data flows to other member states. Instead of a consultation on intra-EU data flows, the Commission should invite opinions on restrictions to data transfers outside of the EU and their impact on the European economy, as well as seek comments on the long-term viability of adequacy rules and agreements like Safe Harbor and Privacy Shield. When the GDPR comes into effect next year, the Commission should also file infringement proceedings, under Article 258 of the Lisbon Treaty, against member states with laws that obstruct the mechanisms for international data flows established in GDPR Chapter V. These three measures would help to bolster the development the digital single market and strengthen European competitiveness in the international data economy.
This article was updated on March 21 to correct a mistake. The original version did not account for the fact that the French senate’s decision on data localization was subsequently overturned.
This article originally appeared in EUreporter
Image credit: NATS