EU-US Safe Harbour and forced data localisation: lessons from Russia

DISCLAIMER: All opinions in this column reflect the views of the author(s), not of EURACTIV.com PLC.

Cybersecurity could be improved with better ICT training. [Dennis Skley/Flickr]

Forced data localisation would undermine European fundamental rights as well as damaging the EU’s competitiveness, argues Matthias Bauer.

Matthias Bauer is a senior economist at the European Centre for International Political Economy (ECIPE).

Small ideas sometimes change the world. Russia’s forced data localisation is a small idea. Now, with the fall of Safe Harbour, a German data protection agency calls for data localisation. Others will follow. But data localisation is a bad idea – a concept to be quashed in any serious political debate on how to resolve Safe Harbour, and trust in Trans-Atlantic relations. 

Let’s look at Russia. At a recent conference on forced data localisation hosted in Moscow, I snapped an insightful piece of dialogue. Russia’s contentious law requires all legal entities to store and process the personal data of Russian citizens on servers located within Russian territory. It should be noted that at this conference not a single person among the audience of 50 was in favour of these rules, causing a business representative to ask a government adviser whether he had ever met “any people who were in favour of forced data localisation in Russia”. The reply: “Yes, I met them once at the very beginning of the legislative process, but I don’t remember them.” What followed was head-shaking amazement.

Russia’s data localisation law is an impressive case of how governments justify legal means by political ends without considering the broader implications for the society as a whole. Officially, Russia wants to safeguard its citizens’ privacy rights, as a response to Edward Snowden’s revelations of NSA mass surveillance activities. Accordingly, and very much similar to the ECJ, the Russian government officially claims that the security of Russian citizens’ personal data is one of the fundamental rights that should be protected, legally and otherwise.

According to Russia’s forced data localisation law, which became effective on 1 September 2015, not only companies based in Russia are affected, but also all businesses that export to or import from Russia. Every piece of personal information concerning suppliers, business partners and customers (irrespective of whether B2B or B2C) has to be stored and processed on databases within Russia. Ironically and contrary to the initial objectives of the government, Russia’s data localisation law does not foresee an export ban for personal data. Personal data can be transferred abroad as long as the primary database used for collection, storage and processing remains in or will be transferred to Russia.

Data localisation is not only a matter concerning Facebook, Twitter and Google. Data localisation rules affect every single business from agriculture to manufacturing and services. In fact, the outcry among companies operating on Russian territory is now particularly strong among retail chains, construction materials and automotive suppliers as well as logistics service providers that are more than overstrained with the re-organisation of databases and global business processes in order to comply with vague and poorly written rules, leaving firms with the substantial risk of being sanctioned for non-compliance.

Personal data is absolutely everywhere. It is often impossible to separate or disentangle personal data from other business-related data. This is not only true for enterprise resource planning (ERP) and customer relationship management (CRM) systems. It is also true for Internet traffic that is regarded as unsuspicious. Given that any transaction on the Internet made while logged in to an online account is effectively personal data, even the most harmless pieces of data will contain personal information about employees, business partners and customers.

Forced data localisation effectively benefits big business. It is a striking feature of the Russian data localisation law that it increases complexity and uncertainty. Complexity is always a subsidy to big businesses to the detriment of micro-, small- and medium-sized enterprises. The wording of the provisions is imprecise and the requirements remain vague. The rules do not clarify how to separate personal data from other business-related data. It is left unclear how to identify the citizenship of ‘data subjects’ based on digital protocols, leaving considerable room for political manoeuvres and discrimination.

But what about the EU? A series of economic impact assessments conducted by ECIPE points to significant economic costs as a consequence of forced data localisation. For the EU 28, the short-term impact triggered by productivity losses and a less European investment is estimated to be 0.7% of EU GDP (€96bn). European countries should expect a shift in production structures towards less innovative and more volatile sectors such as light manufacturing and agriculture. The numerical results of this analysis do not capture the longer-term adverse effects on technological progress, competitive behaviour and the EU’s ability to adopt innovative technologies and 21st century business models. These factors are the main drivers of long term economic output growth. Thus the estimates of economic losses are likely to be are likely to be very conservative.

It is becoming increasingly clear that Safe Harbour is not the only legal instrument that was effectively set on hold by the ECJ. The transfer of personal data based on model contract clauses (MCC) and binding corporate rules also violates EU fundamental rights since these measures do not prevent US intelligence services from accessing data without respecting data subjects’ privacy rights and available redress procedures. A German data protection agency just erased explicit consent from the list of options for customers to send data to the US. The ruling is about fundamental rights rather than just a specific treaty. Therefore, the only legally certain options available to corporations would be to localise data within European borders – or to shut all Europeans off from the bulk of digital services.

It would be foolish to question the ECJ’s serious concerns about the US government’s mass and indiscriminate surveillance practices. However, we should keep in mind the 28 lax and non-harmonised data privacy laws in 28 sovereign member states that are all running their own intelligence units. Does the ECJ also understand that GCHQ, the UK’s Intelligence body, is just as bad as the NSA?

For the Safe Harbour, it is hard to see how the European Commission could negotiate a new agreement that would satisfy all the criteria of the ruling, or how the new mechanisms would be beyond the reach of newly instated powers under the ECJ ruling. Yet, it is high time to speed up talks in order to deliver legal clarification. Any delay would increase the scope of interpretation by national privacy law enforcement bodies, leaving considerable room for political manoeuvres, discrimination of domestic and foreign businesses – potentially costing another great deal of trust and confidence in Trans-Atlantic relations.