The Digital Economy
EU-US Safe Harbour and forced data localisation: lessons from Russia
Matthias Bauer / Oct 2015
Vĕra Jourová, Member of the EC in charge of Justice, Consumers and Gender Equality and Julie Brill, Commissioner of the US Federal Trade Commission. Photo: European Union
Small ideas sometimes change the world. Russia’s forced data localisation is a small idea. Now, with the fall of Safe Harbour, data protection experts argue that the European Court of Justice (ECJ) ruling is de facto about localisation of personal data within the borders of the EU. A German data protection agency already calls for data localisation within Europe. Data localisation, however, is a bad idea – a concept to be quashed in any serious political debate on how to resolve Safe Harbour, and trust in transatlantic relations.
Let’s look at Russia. At a recent conference on forced data localisation hosted in Moscow, I snapped an insightful piece of dialogue between a Russian business representative and a speaker in charge of balancing the interests of the Russian government and those stakeholders that are affected by Russia’s new data localisation law. The contentious law requires all legal entities to store and process personal data of Russian citizens on servers located within Russian territory. It should be noted that at this conference not a single person among the 50 people audience was in favour of these rules, causing a business representative to ask whether the government adviser ever met ‘any people who are in favour of forced data localisation in Russia.’ The reply: ‘Yes, I met them once at the very beginning of the legislative process, but I don’t remember them.’ What followed was head-shaking amazement.
Russia’s data localisation law is an impressive case of how governments justify legal means by the political ends without considering broader implications for the society as a whole. Officially, Russia wants to safeguard its citizens’ privacy rights, as a response to Edward Snowden’s revelations of NSA mass surveillance activities. Accordingly, and very much similar to the ECJ, the Russian government officially claims that the security of Russian citizens’ personal data is one of the fundamental rights that should be protected, legally and otherwise.
According to Russia’s forced data localisation law, which became effective on 1 September 2015, every legal entity must ensure that recording, systematization, accumulation, storage and modification of Russian citizens’ personal data is facilitated using databases located within the territory of Russia. The provisions do not only affect those companies that are based in Russia, but also all businesses that export to or import from Russia. Every piece of personal information concerning suppliers, business partners and customers (irrespective of whether B2B or B2C) has to be stored and processed on databases within Russia. Ironically and contrary to the initial objectives of the government, Russia’s data localisation law does not foresee an export ban for personal data. Personal data can be transferred abroad as long as the primary’ database used for collection, storage and processing remains or will be transferred to Russia.
Data localisation is not only a matter concerning Facebook, Twitter and Google. Data localisation rules affect every single business from agriculture to manufacturing and services. In fact, the outcry among companies operating on Russian territory is now particularly strong among non-digital businesses. Foreign retail chains, construction materials and automotive suppliers as well as logistics services providers are more than overstrained with the re-organisation of databases and global business processes in order to comply ‘somehow’ with vague and poorly written rules, leaving firms with the substantial risk of being sanctioned due to non-compliance.
Personal data is literally everywhere. It turns out that the administrative cost burden has been badly underestimated in foreign headquarters, causing smaller companies to reconsider their engagement on fragmented national markets, as in the case of Russia. It is often impossible to separate or disentangle personal data from other business-related data. This is not only true for enterprise resource planning (ERP) and customer relationship management (CRM) systems. It is also true for Internet traffic that is regarded unsuspicious. Given that any transaction on the Internet made while logged in to an online account is effectively personal data, even the most harmless pieces of data will contain personal information about employees, business partners and customers.
Forced data localisation effectively benefits big business. It is a striking feature of the Russian data localisation law that it increases complexity and uncertainty. It does not establish a transparent, reliable and predictable data privacy framework. Complexity is always a subsidy to big businesses to the detriment of micro-, small- and medium-sized enterprises. For firms doing business in Russia, the complexities and legal risks in terms of prohibitive sanctions are out of any reasonable proportion. The wording of the provisions is imprecise and the requirements remain vague. For example, the rules do not clarify how to separate personal data from other business-related data. It is left unclear how to identify citizenship of ‘data subjects’ based on digital protocols. There is no definition of what ‘data collection’ involves and how to deal with email traffic. The lawmakers did not specify the scope of ‘data processing’. Nor did they clarify how firms have to deal with data collected before the law was set into force. As a consequence, the scope of interpretation by the law’s enforcement bodies is substantial, leaving considerable room for political manoeuvres and discrimination.
What applies to Russia applies to the EU, too. A series of economic impact assessments conducted by ECIPE arrives at significant economic costs as a consequence of forced data localisation. For the EU28, the short-term impact that is triggered by productivity losses and a less European investment is estimated to be 0.7 per cent of EU-GDP (110bn USD). European countries are going to expect a shift in production structures towards less innovative and more volatile sectors such as light manufacturing and agriculture. The numerical results of this analysis do not capture longer-term adverse effects of data localisation rules on technological progress, competitive behaviour and the EU’s capability to adopt innovative technologies and 21st century business models. These factors are the main drivers of long-run economic output growth. Thus the estimates are likely to significantly underestimate the economic losses.
Now that the ECJ struck down Safe Harbour, lawyers, lawmakers and corporations find themselves on unchartered territory. Safe harbour is not the only legal instrument that was effectively set on hold by the ECJ. The transfer of personal data based on model contract clauses and binding corporate rules also violates EU fundamental rights since these measures do not prevent US intelligence services from accessing data without respecting data subjects’ privacy rights and available redress procedures. The ruling is about fundamental rights rather than just a specific treaty. Therefore, the only legally certain options available to corporations would be to localise data within European borders, or to shut all Europeans off from a bulk of digital services.
Forced data localisation cannot be the answer. Forced localisation of personal data in the EU would not prevent data privacy breaches by any hackers or any (EU) governments’ security services. Equally important, forced data localisation would substantially disrupt reliable value chains, business models and threaten EU economies’ international competitiveness. The case of Russia is striking.
Is the ECJ’s decision a true ‘bombshell’ ruling? The precise implications of the ruling are still unclear. Yet, the overall economic impact for the EU can become disruptive, if EU lawmakers start walking down the road of forced data localisation. The math is simple: no transfer – no trade. It is often impossible to separate personal from other business-related data. Building an artificial wall dividing the US from the EU would not only cause considerable financial burden for businesses of all sizes. It would in fact break up reliable value chains and prevent the rapid diffusion innovative technologies and business models. The recent outcry of both Russian and foreign enterprises operating in Russia impressively illustrates how hard it is for businesses to operate on forced data localisation.
It would be foolish to question the ECJ’s serious concerns about the US government’s mass and indiscriminate surveillance practices, and the ECJ’s indirect call on the US to overhaul its public surveillance legislation. However, there is no reference being made to the safety of personal data that is stored within the EU. And we should keep in mind the 28 non-harmonised data privacy laws in 28 sovereign Member States that are all running their own intelligence units. The ECJ does not address European citizens’ concerns about surveillance by their own governments. Does the ECJ also understand that GCHQ, the UK’s Intelligence body, is just as bad as the NSA?
This leaves the EU with two important priorities: 1) to speed-up harmonisation of its own privacy rules (GDPR), without the imposition of barriers to the free flow of data, dubious definitions and discriminatory liability provisions. 2) To conclude a multilateral legal assistance treaty (MLAT), which sets high data protection standards as well as binding and predictable rules for transatlantic law enforcement cooperation. The latter must contain the same judicial redress rights for European citizens as US citizens in case of privacy breaches.
On October 20, the US House of Representatives swiftly passed the Judicial Redress Act. The law would allow non-US citizens to bring civil actions against US agencies in certain circumstances. Yet, given the limited scope of rights and personal information that falls within the Act, it remains questionable whether the bill provides effective redress for EU citizens in case of data breaches, and whether the Act will be endorsed by the EU’s national data protection agencies.
Spying is an expression of lack of trust. Governments spy because they do not think allies will supply them with the information they need. If EU and US policymakers want to restore trust, it starts with providing governments legal assistance to each other. It is high time to speed up legislative proceedings. Any delay would increase the scope of interpretation by national privacy law enforcement bodies, leaving considerable room for political manoeuvres and discrimination of foreign businesses – potentially costing another great deal of trust and confidence.