The next big privacy battles: cross-border data flows and data localization

Posted on Nov 4, 2020 by Glyn Moody

A couple of weeks ago, this blog looked at a rather unexpected consequence of the decision by the EU’s top court, the Court of Justice of the European Union (CJEU), to strike down the Privacy Shield framework that legalizes most flows of personal information from the EU to the US. In the wake of that decision, France’s national data protection authority, CNIL, not only said that key US companies like Microsoft should not be allowed to transfer personal data of EU citizens, but that an EU company ought to handle the data, not one based in the US. That’s an extreme data protection position that has rarely been raised before by a government agency. It may be an outlier, but there are increasing signs that the EU authorities are moving in a similar direction in their thinking.

For example, the European Data Protection Supervisor (EDPS), which monitors and helps protect personal data and privacy when EU institutions and bodies process the personal information of individuals, has issued a strategy document to help EU institutions comply with the CJEU ruling mentioned above. In the short term, it advises as follows:

With regard to the use of any new service providers and new processing operations carried out with appropriate safeguards and appropriate supplementary measures, the EDPS has
requested [European Union Institutions] to take a strong precautionary approach. The EDPS strongly encourages [European Union Institutions] to ensure that any new processing operations or new contracts with any service providers does not involve transfers of personal data to the United States.

The EDPS is rightly being cautious here, since it is still not clear how personal data can be transferred legally to the US. But there are signs that the European Commission itself – effectively the EU government – is also looking to take a fairly extreme position on data transfers. A hint of what was to come was evident back in September, when Internal Market Commissioner Thierry Breton, a former tech CEO in France, told Politico: “European data should be stored and processed in Europe because they belong in Europe. There is nothing protectionist about this”.

That might have be dismissed as an off-the-cuff remark, but a leak of a new EU Data Governance Act, obtained by Politico and Euractiv, shows that it is part of a more significant shift. The EU wants to create what it calls “data intermediaries” to act as a go-between between data producers and users of that data. The idea is that this will allow the EU to derive maximum benefit from the data produced within its borders, and will provide a way to counter the growing power of US tech giants like Facebook and Google. Crucially, these new data-sharing companies must be EU-based to ensure compliance with EU laws: “the Commission wants there to be rules in place to ensure that ‘requests from third countries’ for access to non-personal data in the new sharing ecosystem, are refused.”

It is noteworthy that the European Commission not only wants EU companies to refuse to comply with “requests from third countries” – essentially, the US – but that this applies to non-personal data, as well as personal data, which the GDPR already requires in most situations. This move to require data localization even for non-personal data is a huge shift in policy, and one that will not go down well with the US. As a report from the Congressional Research Service on “Data Flows, Online Privacy, and Trade Policy” notes, the trade negotiating objectives in the 2015 US Trade Promotion Activity included the requirement that governments should agree to “refrain from implementing trade-related measures that impede digital trade in goods and services, restrict cross-border data flows, or require local storage or processing of data.” However, the US situation is not quite so clear-cut these days. In August of this year, the US President issued an executive order against the Chinese app TikTok, for the following reasons:

TikTok, a video-sharing mobile application owned by the Chinese company ByteDance Ltd., has reportedly been downloaded over 175 million times in the United States and over one billion times globally. TikTok automatically captures vast swaths of information from its users, including internet and other network activity information such as location data and browsing and search histories. This data collection threatens to allow the Chinese Communist Party access to Americans’ personal and proprietary information – potentially allowing China to track the locations of Federal employees and contractors, build dossiers of personal information for blackmail, and conduct corporate espionage.

In other words, even in the US, there are increasing concerns about the risks of free data flow of personal data, which can be used to create “dossiers” of sensitive information. One suggested solution is to create a US-based version of TikTok, with no data flowing abroad. Talks for Oracle and Walmart to form a US company to do this have been taking place, but it’s still not clear whether they will come to fruition, and whether China will agree to such a radical approach.

Calls for data localization are not new. Many countries around the world have been introducing laws requiring it, for some time. A 2018 article on the University of Washington site noted that Australia, British Columbia, China, Germany, India, Nigeria and Russia all had requirements of varying stringency, with those of China the most demanding. Now that both the EU and US are looking at various kinds of data localization, it seems likely that this will become an important new feature of the privacy landscape. Exactly what form it will take is still unclear, and there will doubtless be fierce debates in the months and years to come about what is the best approach.

Featured image by Mmelouk