The privacy battle over cross-border data flows just went up a notch

Until the election of Donald Trump last year, multilateral trade deals were a key element of global politics, and affected many aspects of the digital world. Indeed, as the Internet moves ever-closer to the heart of commercial activity, so the importance of digital business has increased, and trade deals have become an important forum for governments to lay down global rules in the online world.

One example is the Trans-Pacific Partnership (TPP), which aimed to bring together 12 countries around the Pacific in a wide-ranging agreement about how trade would be conducted. It included a number of measures affecting digital trade, among them “enabling cross-border data flows”. Although technically such flows are straightforward – it’s what the Internet does – problems can arise because of privacy considerations. Jurisdictions with high levels of privacy protection are often unwilling for personal data to flow to other countries where protections may be lower.

The US withdrew from TPP as part of a general re-evaluation of trade deals by the new administration. The status of two other major trade negotiations involving the US, both which include data flows, is currently unclear. One is the Transatlantic Trade and Investment Partnership. The most recent report from the US Trade Representative, published in January this year, notes: “We still have significant work to do to resolve our differences in several important areas of the negotiations”. One of those is “how to structure commitments on data flows that will reinforce the essential electronic commerce and digital infrastructure of our economic relationship while respecting legitimate concerns about protecting privacy”.

The other major deal is the Trade In Services Agreement (TISA). This, too, is currently in limbo, waiting for a decision from the US administration about whether it will continue to participate or withdraw, as it has done with TPP. An article about TISA written just before the US election by the Electronic Frontier Foundation (EFF) pointed out that the main stumbling block to completing the deal was cross-border data flows. Major differences existed between the US and EU positions:

“The fear on Europe’s side is that “free flow of data” is code for “avoiding Europe’s strong data protection regulations by treating them as trade barrier.” Two weeks ago, former Vice President of the European Commission Viviane Reding succinctly expressed this in a tweet, “Nothing in trade agreements should prevent the EU from maintaining, applying and reinforcing its data protection regulation.” European civil society groups have expressed themselves even more strongly in a joint letter that has been released today, with EFF’s support”

The letter from the civil society groups was unequivocal in its demands:

”Fundamental rights must be respected and not negotiated upon. Therefore, data flows – which refer to transfers of individuals’ personal data – must not be part of trade agreements. Trade negotiations are not suitable for shaping rules affecting fundamental rights and the rule of law in a democratic society.“

Since then, the TISA negotiations have ground to a halt, but the debate about whether cross-border data flows should form part of international trade deals has continued, particularly in the EU. In May, a letter signed by 15 of the European Union’s Member States wrote to the European Commission urging it to include data flows in its trade deals:

“Data is becoming the fuel of the global economy. 15 years ago, data flows barely existed. Now data is everywhere: from the equipment in a modern factory to the fridge and lightning in ordinary housing and from cars on the highway to the apps on a mobile phone. Data flows have increased by 45 times since the beginning of this century creating EUR 4.5 billion extra economic growth for our citizens and entrepreneurs. It now generates more economic growth than trade in goods. Therefore, we urge the Commission to rapidly present an ambitious formal text proposal for commitments on data flows in trade agreements to help our entrepreneurs to benefit from the opportunities of the Internet.”

However, it is significant that the two largest EU Member States – Germany and France – did not sign the letter. Their absence reflects concerns by many citizens in those countries about transferring data out of the EU. Edward Snowden’s revelations of massive surveillance by the NSA – and the UK’s GCHQ – as data crosses the Atlantic have heightened fears that once personal data is transferred abroad, there are few constraints on what might be done with it. Although spying also takes place within the EU, there seems to be a view that the closer to home that personal data remains, the greater the control people retain over it.

Germany and France are not the only powerful actors in Europe that are wary about allowing unrestricted cross-border data flows because of worries about privacy. Another is an obscure but extremely influential EU official called Martin Selmayr. As Wikipedia describes him, he is:

“a German lawyer and a European civil servant, who serves as head of cabinet to the President of the European Commission Jean-Claude Juncker. Selmayr is a close confidant of Juncker and was Juncker’s campaign director and head of the transition team before Juncker took office as president. Selmayr has been widely described as the most influential civil servant of the European Commission.”

Selmayr has just used that influence in the debate about data flows, as reported here by Politico.eu:

“The powerful chief of staff to President Jean-Claude Juncker this month blocked a plan supported by advocates of digital trade in Brussels and EU capitals to include data in future trade agreements.

“For the EU, privacy is not a commodity to be traded. Data protection is a fundamental right in the EU,” Commission spokesperson Mina Andreeva said, responding to questions on Selmayr’s views on data in trade.”

That’s not likely to be the end of the matter. Major US companies have too much at stake here to allow Selmayr’s veto to remain unchallenged. The issue is not about whether they will be forced to set up large-scale data centers in the EU to handle the personal data of EU citizens – that wouldn’t be such a big problem in practice. But they know that what happens in the EU will have a big impact elsewhere. Their fear is that other countries will follow the EU in introducing strong privacy protections and limiting cross-border flows of personal data. Both would adversely affect their business models, which are based on the unrestricted aggregation and analysis of huge quantities of personal data, and using that information to sell highly-targeted ads.

Featured image by Tony Webster.