Trying to reconcile the European Union’s data-protection rules with helping European companies take advantage of global data-processing opportunities is a constant challenge.
When Viviane Reding, the European commissioner for justice, fundamental rights and citizenship, unveiled proposals in January 2012 for a regulation to replace the current directive, the priority was to end the fragmentation of data-protection rules among the then 27 member states. This would boost efforts to create a single EU market for online services.
The plans sought to make it simpler to transfer data in and out of the EU. Companies would only have to comply with one set of rules before receiving authorisation to send data outside the EU for processing.
The proposal did not seek to lower the level of data protection by EU governments compared to other jurisdictions such as the US. In 2000, the differences between the regimes in the EU and US led to the ‘safe-harbour’ agreement, which laid down a set of principles and rules that companies had to follow if they wanted to transfer data outside the EU for processing.
The importance of this agreement has been highlighted recently in response to threats to suspend it because of the revelations about spying by the US National Security Agency on transatlantic data transfers.
In October, Claude Moraes, a centre-left MEP from the UK and a spokesman for the Socialists and Democrats group in the European Parliament, said that the safe-harbour agreement should be suspended because it had never offered “sufficient protection” to EU citizens’ data. He cited a growing number of false claims by organisations about the protections offered by the agreement. But, in the absence of international harmonisation of data-protection rules, the agreement is still seen by business as a valuable way of bridging the gap between the approaches of the EU and the US.
Christopher Padilla, vice-president for government programmes at IBM, said: “A suspension [of the safe-harbour agreement] would be catastrophic for transatlantic trade and investment. The knock-on effects would be incalculable. We would be paralysed in our ability to move employee information or financial information.” Talk of suspending the agreement, he said, was “very dangerous”.
The revelations about US surveillance are more likely to trigger a tightening of EU data-protection rules. International companies will have no choice but to continue to comply with EU regulations given the bloc’s economic importance. These rules will also be backed up with significant fines for data breaches, possibly amounting to as much as 5% of a company’s turnover.
But there is concern that the EU’s tough approach could put its companies at a global disadvantage in the growing businesses of cloud-computing and data-processing. Neelie Kroes, the European commissioner for the digital agenda, said in a speech at an ICT conference in Vilnius on 7 November that if the EU failed to develop its own capability to process ‘big data’ it risked missing out on business opportunities in a sector that was growing by 40% a year. She noted that of the world’s top 20 big data companies, 17 were from the US and only two from the EU.
Kroes said that, while protecting privacy was an important topic, the EU should be careful not to use it as an excuse to miss the opportunities presented by global data-processing.
Cloud computing is an area where EU companies are lagging behind their US counterparts. One response by politicians to the US spying revelations has been to call for a ‘European cloud’, where users could have greater confidence that EU data-protection standards were being respected.
Kroes has drawn attention to the risk that a loss of confidence in US data companies could lead to “multi-billion euro consequences”. At the same time, she has warned that cloud-computing providers need to operate on a big enough scale to be attractive. Pushing for a European cloud would not necessarily drive business the way of European companies. “If individual countries work disjointedly on separate national clouds, then the [business] potential is lost,” she said.
At an event on digital privacy and data protection organised by European Voice on 22 October, speakers agreed that the differences between data-protection regimes would persist. Isabelle Falque-Pierrotin, head of the French data-protection authority, CNIL, said that while there was “convergence” between some regimes, there would be competition between the legal frameworks.
The EU and the US have avoided including data-protection rules in the negotiations on a Transatlantic Trade and Investment Partnership (TTIP) despite strong lobbying from US technology companies. The EU had been aiming to agree new rules by spring 2014, before the European Parliament starts campaigning for elections for the next legislature – and well before the TTIP negotiations are concluded, probably some time in 2015.
But on 24-25 October, EU member states pushed back the target date for agreeing new data rules to 2015. The decision to extend the deadline was driven by the UK and other member states seeking to minimise the impact on the final agreement of the furore over the revelations of clandestine US surveillance.
MEPs have been especially vocal in seeking to link the trade talks and the data-protection rules. On 23 October, they voted to urge the EU’s national governments to suspend TTIP negotiations because of concerns about US spying. National governments have decided to ignore the Parliament’s request for now – the second round of TTIP negotiations went ahead as planned on 11 November.
Of all the revelations made by Edward Snowden, few had as much resonance with MEPs as a report that the US’s National Security Agency was spying on SWIFT, which provides inter-bank messaging for international payments. The European Parliament, making a display of the powers it had gained when the Lisbon treaty took effect in 2009, forced a re-negotiation of an agreement between the EU and the US giving the latter access to SWIFT data under certain conditions and with tight safeguards. It now emerges that the new agreement, concluded in 2010, and the safeguards that the Parliament had demanded, may have been meaningless as the NSA found a backdoor into the system. The revelation last month prompted the Parliament to call on the European Commission to initiate a suspension of the agreement, in a vote that was close – 280 to 254, with 30 abstentions – and non-binding.
The MEPs’ threat is serious. Should they be unhappy with the Commission’s response, they could block future international agreements. While the free-trade deal that the EU is currently negotiating with the US is an unlikely target, given the economic benefits it would generate, the US is certain to find far less willingness on the EU side to conclude any further intelligence-sharing agreements.