The Great Data Race: Lessons from EU Cyber Law
Courtesy Kathryn Witchger.

Since the European Union Commission recognized the “global data race” in 2014, the Union has only gained momentum in creating the conditions necessary to win that race. The U.S. has much to learn from the EU policy and legislation that has rapidly propelled Europe forward. In 2014, the President of the Commission, Jean-Claude Juncker, promised to take “ambitious legislative steps towards a connected digital single market.” This set in motion the Digital Single Market Strategy, a public-private partnership with business, and the General Data Privacy Regulation (GDPR). In 2014, the European Court of Justice (CJEU) found the Right to be Forgotten in the Data Privacy Directive and tightened data retention policies, and in 2015 it invalidated the U.S.-EU Safe Harbor Agreement. These expansive changes shifted the EU’s global position in three different areas: commerce, national security and human rights. All three areas have experienced significant changes in cyber law and policy since 2014, and all three work together to create an EU Digital Single Market strategy that is economically dominant, locally secure, and morally defensible.

A key component of the Digital Single Market Strategy is to “maximis[e] the growth potential of our European Digital Economy.” To further this goal, the EU has created an ecosystem of law and policy to develop and protect its commercial base. First, the Commission has worked to create uniformity in data regulations between States so that companies can more easily comply across all of Europe. This ecosystem began with the 1995 Data Privacy Directive, which still allowed States to implement the law in different manners, and culminated in the less flexible 2016 GDPR. In 2014, the Commission took another giant leap forward by developing a $2.5 million public-private partnership with the private sector in order to leverage big data and create a “true opportunity [for Europe] to be a leader in this space.” Most recently, the EU has begun to protect its investments by regulating foreign communications industries. In late 2016, the Commission announced it would be overhauling the E-Privacy Directive, which had covered only traditional forms of communication, so that it also covers “Over-The-Top” (OTT) services such as Facebook and WhatsApp. This will ensure compliance across the board and create a more even playing field for European telecommunication companies.

EU laws and regulations also foster cyber services by creating “secure and trustworthy infrastructures and content services.” One major component of secure infrastructure is ensuring that law enforcement can legally access data within a reasonable timespan. Certain processes, such as the mutual legal assistance treaty system, take months to legally obtain data essential to national security. There have been at least two EU approaches to fixing this problem: data localization (i.e., bringing European data onto European servers) and data transfer (creating transfer agreements with other countries). Several legal constructs encourage data localization; the most prominent is the U.S.-EU Privacy Shield’s stringent requirements, which include data retention limits, increased consent, and limited transfer. U.S. citizens’ data is not subject to the same access requirements; therefore, to maintain data flexibility, it can be easier for larger companies to separate and localize different citizens’ data. The EU has also worked to increase transatlantic data connections to keep its economy and citizenry safe. The EU recently signed the U.S.-EU Umbrella Agreement to ensure that information regarding national security can be shared between the States. The Privacy Shield is contentious for both the European Court of Justice and the U.S.: it places higher burdens on American companies, yet possibly not burdens at the level EU law requires. Fortunately, the Privacy Shield and the Umbrella Agreement are different treaties that can be contested separately in court. It is important to maintain a balance between data localization and transfer, because too much data localization can stymie innovation and facilitate human rights abuses.

The EU strategy is also morally defensible. Europe has a robust history of data regulation that finds its roots in human rights law; the European Convention on Human Rights guarantees each person’s “right to respect for his private and family life, his home and his correspondence.” The stringent conditions of the U.S.-EU Privacy Shield in large part exist because of this robust data privacy regime. Among the requirements is the Right to Be Forgotten, which gives European citizens the right to request that data processors, such as search engines, delete or rectify their information. These burdens largely fall on foreign search engines that process massive amounts of information. This gives the EU a modicum of control over the aggregated data of its citizens that primarily benefits US tech giants. The emergence of clear European standards through agreements and adequacy requirements follows the trend in consumers’ cyber privacy demands and justifies the EU’s protectionist stance.

What can the U.S. learn from EU cyber law and regulation? First, that information technology is a national resource that needs to be cultivated and protected. The EU Commission has unified the regulations across Europe to make it easier for companies to comply across Member States, and has invested in the development of public-private partnerships to spur innovation. Currently, U.S. laws, such as those regarding data breach disclosure, vary across the 50 states, and there is tension between tech companies and the U.S. government. Unifying regulations can make it easier for companies to comply, and creating partnerships with the private sector can spur innovation. Second, as the U.S. has already seen in the Microsoft Ireland case, finding a balance between data localization and transfer is vital to the legal process. Microsoft Ireland limited U.S. law enforcement’s ability to obtain information on foreign servers through a legal search warrant. This arguably encourages greater data localization. Initiatives such as the proposed legislation to legally access this data, and agreements such as the U.S.-EU Umbrella Agreement, can both facilitate transfer and ensure that data localization does not choke innovation or encourage human rights abuses. Finally, consumers are increasingly demanding higher privacy standards, and the EU is regulating, protecting and complying. Encouraging higher standards in data privacy is important not just to individuals but to maintaining the legitimacy of cyber law and regulation. The U.S. has no federal “Right to be Forgotten” and, at times, a sporadic and divided body of cyber law. Giving users more control over their data places limits on U.S. and foreign companies to ensure that citizens receive the best possible protection no matter where their data is stored. The EU has developed and implemented cyber law and policy in commerce, national security and human rights that has shifted and strengthened its global position. The U.S. can learn much from these policies to support its industries and protect its citizens.

Kathryn Witchger is a student at Columbia Law School and a research assistant at the Center for Advanced Studies on Terrorism. She previously worked as an International Affairs Specialist on the Cyber Team at the Department of Justice’s Office of International Affairs. Kathryn holds a BS in Foreign Service from Georgetown University and a Diplôme d’Etablissement from the Sciences Po Lyon.