Ahead of the presentation of an EU-U.S. Privacy Shield later this month, I spoke with Hosuk Lee-Makiyama (Director of the European Centre for International Political Economy) about data flows, trade, economic impact, and Europe’s road ahead.
Q: How did the Court of Justice of the European Union’s (CJEU) recent “Schrems ruling” impact data flows?
HLM: The Court’s invalidation of the Safe Harbor instantly impacted thousands of firms, who are unable to transition to alternative transfer mechanisms without undertaking costly, constraining and multi-year projects that in the end may be invalidated by the court.
Q: What would be the consequence of a halt of data transfers from Europe?
HLM: The Schrems ruling was effectively the introduction of a data localisation requirement in its most extreme form, a ban on flows, which goes beyond the mere storage and processing requirements we have seen in Russia, Vietnam or Indonesia. However, it only applies to one specific destination: The United States.
Q: But isn’t this linked to personal data only?
HLM: It is often argued that the Schrems ruling and EU privacy rules only affect personal data. However, given the extremely broad definition of personal data under the EU’s new data protection regulation, nearly 100% of the data transmitted fall under the definition. Even the industrial and enterprise data can be traced back to employees and customers. In practice, almost all information is generated while you’re logged in.
Q: What are the risks to Europe’s economy?
HLM: If we also assume that alternative transfer mechanisms will be challenged, as in the new Schrems case, the risk is that all data flows between the EU and the U.S. become effectively blocked. In trade terms, this constitutes an embargo against non-EU based data processors. In my forthcoming paper, we estimate that the effect on the EU’s economy from a halt to transatlantic data transfers is at least -0.4% of GDP, while the effect on the U.S. economy is nil (±0%). A full halt to data flows to the rest of the world would hit Europe three times harder (-1.1%).
Q: But surely the new EU-U.S. Privacy Shield, the successor to Safe Harbour, will allow for transatlantic data flows?
HLM: At onset, the Schrems ruling requires the U.S. to have legal safeguards that are “essentially equivalent” to those under EU law, which is interpreted “strictly” in the light of fundamental rights involved and the scale of misappropriation. A European DPA could extrapolate that a country of different legal or constitutional structure could never be “adequate”; nor could countries where there is anecdotal evidence of electronic mass surveillance.
Q: What are the trade implications of the Schrems ruling?
HLM: All internal judicial remedies have been exhausted through the Schrems ruling. The only supranational tribunal with enforceability is the WTO, whose rules on services trade contain limitations for national privacy rules. However, in order for the caveat to apply, the EU must always take a proportionate, the least trade-restrictive measure available for the policy objectives it seeks. Something that may be difficult to prove, given that the CJEU revoked the entire framework of 4,400 companies certified under Safe Harbour while fewer than ten companies may have participated in PRISM.
Q: Could surveillance laws in EU Member States impact intra-EU data flows?
HLM: Electronic surveillance is by default indiscriminate. Merely possessing the capability of real-time interception and processing is sufficient to fail the criteria that the EU institutions have set up, while the surveillance methods in some EU member states are by and large equivalent or more invasive than the U.S.’s ‘Upstream’ program. The EU member states grant each other a national security exception for their domestic practices, but not to third countries. It seems like the EU respects the security interests of Europeans but not its allies.
Q: So what should the EU do?
HLM: While it is portrayed as a transatlantic problem between the EU and the U.S., the heart of the matter is poor internal EU governance and distrust internally within the EU – between the executive powers of the Commission and the national governments’ right to safeguard fundamental rights and national security. The EU cannot legislate its way out, only negotiate internally and externally to make an imperfect legal framework function in practice.
If the EU continues to apply its privacy laws extraterritorially, the EU will repeatedly be faced with troublesome court rulings given the obvious conflicts of laws. For example, the ongoing case in which a U.S. prosecutor demands access to user data stored by Microsoft in Ireland. The U.S. claims jurisdiction over the data processor – in this case, a U.S. firm – while the EU could claim jurisdiction over the data subject, if the account holder is a European entity. Europe’s Privacy Shield is merely a framework for commercial data flows and cannot solve such issues. Only properly functional and operational mutual legal assistance treaties (MLATs) would allow both the EU and the U.S. to exercise their jurisdictions without resorting to a ban of data flows or extraterritorial seizure of data – an inevitability which has been obvious for many years.
Q: What is your key message to EU legislators?
HLM: The outdated idea of extraterritoriality and self-reliance in our Internet age comes at a considerable cost – both in economic and ideological terms. The EU should seek to bridge its legal system with its trading partners rather than resorting to protectionism which would undermine European productivity and influence. Posterity will not be kind to those who failed to properly grasp the challenges of digitalization and prescribed the wrong medicine for Europe.