The most globally significant bilateral trade and investment relationship is between the United States and the European Union. According to a Brookings Institution report, the data flows between these partners are the highest in the world—50 percent higher than data flows between the United States and Asia and almost double the flows between the United States and Latin America. According to the same report, the value of digital services is staggering: “For instance, in 2012, 72 percent of US services exports to the EU worth $140.6 billion were of digitally deliverable services. Taking a global perspective, US exports of digitally deliverable services in 2012 were $383.7 billion, comprising 61 percent of total US services exports. And for the EU exports of digitally deliverable services in 2012 were $465 billion.”
Apart from the size of the international digital economy itself, another important issue surrounding this immense digital data flow has been privacy. Large companies in the data business have been using personal and individual data in their business models with little oversight, in order to create a massive capital asset. Both the United States and the European Union have enacted legislation recently that could transform how companies produce and use these datasets.
The General Data Protection Regulation (GDPR), which went into effect on May 25, 2018 (and is why you have probably received a lot of terms of service updates in your inbox) is an EU legal framework that sets guidelines for the collection and processing of personal data of individuals within the European Union, regardless where the data are stored. GDPR sets rules on individual data management, and also imposes heavy revenue-based fines for non-compliant organizations. GDPR sets the rules of data management to “privacy by default.” The main advantages of the GDPR for internet users can be summarized in several fundamental principles:
- Companies are required to translate terms and conditions in concise, understandable language;
- Companies are required to receive explicit consent from users for data collection, and provide transparency about usage, storage, transfers, and breaches of data;
- Individuals have the right to access, move, or delete personal data; and
- Companies may be fined for not conforming to these principles.
The other recent legislation affecting internet users and international data flows is the Clarifying Lawful Overseas Use of Data Act (CLOUD), a United States federal law enacted in late March 2018. It aims to modernize data protection and government surveillance practices to include cloud providers. The CLOUD Act is a result of several data protection laws, but it is also a result of the United States vs. Microsoft case from 2014. In that case, US law enforcement agencies issued a warrant to Microsoft to deliver information stored on their servers in Ireland; the company refused to comply with the warrant because the relevant laws at that time didn’t provide for delivery of extraterritorial data.
The CLOUD Act enables the Justice Department to request information regardless of where it is stored, on the basis of bilateral agreements between the United States and the country in question. After the adoption of the CLOUD Act, the Department of Justice issued a new warrant and Microsoft promptly delivered all requested information.
The Act was endorsed by cloud and data service providers such as Google, Facebook, and Verizon’s Oath. Although most of the commentary surrounding these tepid endorsements refers to privacy, several sources shed a light on the companies’ motivations. One of them is the Microsoft partner network magazine, Redmond Channel Partner: “Right now, US-based technology companies dominate the global cloud computing infrastructure market. But there is no iron law that this state of affairs must continue. The Edward Snowden revelations of 2013 marked a huge challenge to international businesses’ and governments’ trust in US-based companies’ ability and willingness to protect their data from the US government. Microsoft, Google, and Amazon have been looking over their shoulders for potential new international competitors and contemplating a potentially fragmented global market where US-based cloud providers could be shut out of some countries over data sovereignty and citizen privacy concerns.” The CLOUD Act may alleviate some of these concerns by clarifying when and how the US government can access cloud-based data.
Amazon has published clear information about its compliance with the GDPR, but the company hasn’t issued a specific endorsement of the CLOUD Act. As the biggest player in the cloud services market, they may have a different perspective than other providers—and be wary of any government intrusion into their data.
One day before the European GDPR entered into force, the Associate Deputy Attorney General Sujit Raman made a presentation at the Center for Strategic and International Studies on how the US Department of Justice is approaching implementation of the CLOUD Act and the bilateral agreements the Act requires.
Although Mr. Raman aimed to promote the Act as a piece of legislation that has the protection of privacy and human rights as its priority, the Act has already received criticism for potentially undermining US privacy laws, as well as the laws of national governments within the European Union. The criticism addresses potentially harmful bilateral agreements with countries that do not meet high human rights standards; what if, for example, the Egyptian government requested information stored on US servers in order to suppress dissidents? Another significant criticism of the CLOUD Act is that it was passed as part of a $1.3 trillion omnibus bill, and was never put for consideration before Congress as a separate piece of legislation. No hearings or deliberations were conducted before the passage of the Act.
Mr. Raman criticized the GDPR for presenting a potential obstacle to law enforcement, especially in cases where information is requested regarding serious crimes and terrorism. But in fact, the GDPR has provisions in place that enable law enforcement agencies to access such information. Those provisions in the data transmission regulation have been in place since 1995, and remain unchanged by the law. Also, the United States and other countries have Mutual Legal Assistance Treaty agreements at their disposal that provide for legal cases like this with other countries.
The GDPR principles are not contrary to efforts to improve national security, but are part of an public discourse over the relative merits of national security versus individual privacy that has been going on for decades. Maybe it is time to revisit this issue, and ask the public what they think? What values would the public choose if given the opportunity?
Because it appears to favor the individual privacy side of the equation, it seems that the new EU regulation is going to be used as a strawman by governments that want to reduce privacy protections in favor of increased spending on surveillance, backed up by big data and tech companies that are in the business of collecting and using individuals’ data. Another argument that is also often used against the GDPR is that the increased data protection would stifle innovation. However, experts throughout Europe and elsewhere—including the esteemed business consultancy company Gartner—point out that the law presents enormous business opportunities as well.
Instead of finding ways to reduce privacy protections, with potentially harmful outcomes, maybe we should be asking different questions:
- Is the internet already a public good? Should it be treated as one?
- What does that mean for human rights, democracy, and freedom of speech?
- Should citizens themselves should be involved in defining what kind of internet we want?
- What should be the role of regulators?
As for the markets that depend on the ever-increasing cross-border data flows not just between the United States and Europe but between the US and the rest of the world: I am sure they will adapt.
Panoreja Buklevska is a Humphrey Fellow at the Maxwell School of Citizenship and Public Affairs at Syracuse University. She is a scholar-in-residence at CSPO from May to June 2018.