Panel discussion I: Data flows, localisation and global value chains: offensive and defensive interests at stake.
Ignatio Irrurarezaga, Head of Unit on Services (EU negotiatior on TiSA), DG Trade:
It has been sad that data flows are the backbone of our economy. Indeed they represent a crucial factor in the new global economy. Data we refer to is a combination between personal and non-personal data. Sometimes they overlap. Do we have an offensive interest?
We think we do. On data flows we don’t have very good data. The EU is the largest exporter in the world, followed by the US. We have an economic stake here even if the data are not perfect.
Do we face problems in countries?
Yes we do. We face barriers especially Russia, China, Nigeria, Vietnam.
Typically the barriers we face are forced localization of computer services in those countries.
Is the localization of computer service a problem in itself?
No. The EU has obligations to store data locally in certain areas as heath care, gambling transactions. Restricted area that compromise important information. What we are trying to address in trade agreements are horizontal localization requirements that apply to all data without discriminating. These are more driven by digital protectionism more than a rational protection of data.
In our trade agreement we already had precedents on data flows. Those precedents take back at the creation of the WTO and the GATT agreements 1994. So far that precedent, limited until now to financial services, has not created any problems or limited our ability in any sense. In that document there is a document to ensure that financial services information can flow across boarders.
In that document there is an obligation for members, to ensure that financial service information can flow across boarders. We have similar provisions on data flows in other agreements.
What ever we do has to ensure our abilities not just in the present, but mostly in the future. We will have to ensure that the provisions we agree have safeguards inspired on not in those contained currently in the GATTS and the so called commitments on financial services. Currently to give u the state of play, there are proposals on the table (both on data flows and localization of the servers). In both negotiations the discussions are at an infant stage. The Union still has questions on the discipline, and it has questions on the safeguards proposed, to the extend we are still seeking qualifications on those proposals we have not yet proposed our own language to modify these provisions.
Giving a business prospective:
Chris Sherwood, Head of Public Policy, Allegro Group (on behalf of Industry Coalition for Data Protection):
From a business perspective, the importance of data flows help us to create something unified to compete with the global players.
The reality is that we need to move data cross boarder on a global base with the minimum of restriction. That’s the business reality that we face. Unfortunately the EU imposes severe restrictions on data flows disadvantaging business companies. The primary restriction is the EU DPD 1995 that will be replace by the new Data Protection Regulation, which in turn will be stricter than the already strictest directive on data protection in the world. Both the directive and the regulation in draft form, are structured as prohibitions of the export of data outside the EU. From the prospective of a company who works outside the EU in many of the countries where we operate these requirements are seen as data localization requirements. We need to be very clear on the way these rules are seen abroad and how they influence our businesses.
Defensive and Offensive issues:
One of the problems we are facing in Europe is the undelaying assumption that the IT sector and the Internet are American. It’s the politics of the spare that believe that Europe is not a leader.
We should rethink our schemes thinking as the EU as a leader in IT technologies, rather than being a consumer of foreign products. When we look at TTIP and
the Snowden revelations one may acknowledge that the revelations have changed the way the US government and industries approaches with data flows and trade agreements. It is quite considerable that European Snowden will occur and let us reconsider these things.
What is really important from our point of view is that European Data protection rules although they are a burden for companies, they are there for a good reason. But many companies in and outside Europe would prefer to not comply, and therefore the rules need to be enforceable. You cannot enforce this rules putting extra territorial provision in the legislation. Extra territorial provisions and legislations lied to unintended consequences. What’s much better would be to encourage foreign companies to comply using co-regulatory approaches.
The safe harbour can be a good example, because it enforced by an authority, which is taken extremely seriously in the USA.
A suspension of the Safe Harbour would damage EU companies, because they would not be prepared anymore to compete in the US. There is no evidence that suspension of safe harbour would enhance the safety of personal data. The fundamental problem here is the way the US government approaches data not the Safe Harbour itself.
Our appeal is to stop calling for the suspension of the safe harbour because it would damage European companies and ensure zero privacy benefit.
Finn Myrstad, Head of the Digital Services Section at the Norwegian Consumer Council (NCC= and EU Co-Chair, Information Society Policy Committee, Transatlantic Consumer Dialogue:
I have three main messages to the MEP today.
<!--[endif]-->Consumers on both sides of the Atlantic are concerned and want more privacy. It is not only EU consumers it is also US consumers.
<!--[endif]-->Unlike what was just mentioned about Safe Harbour. We believe Safe Harbour does not provide sufficient enforcement on the US side. Safe Harbour does not provide adequate protection for consumers along with European standard.
<!--[endif]-->We don’t believe that data flows should be tackled in trade agreements without proper safeguards for data protection privacy.
Talking about offensive interests. I believe that it is an offensive interest for EU consumers to have control over their personal data, to have transparency to understand the different purposes and benefits of data sharing and to have specific rights concerning the collection and sharing of their data. European consumers totally support to have more data protection in Europe.
You might think that American consumers do not care that much about their privacy. But it is not like this in reality. 90% of consumers believe they have lost control about their personal information. It is very clear that also US consumers are troubled about their data privacy. There is also a second point, consumers make their choices. Research clearly shows that this is not the case. The university of Pennsylvania pointed out that US consumers want more data protection and more clarity on their consensus to gather data and profiling activities. They don’t think it’s fair that on online store can collect profile and store data to improve their services. The system we have at the moment is an opt-out one. There is no trade of at the moment, there is just companies gathering data giving less back. So it’s the consumer who pays a higher price.
An example could be the CEO of Apple, Tim Cook Apple who said: “We believe that customer should be in control of their own information. You might like these so-called free services, but we don’t think they are worth having your email, your search history and now even your family photos data mined and sold off for god knows what advertising purpose. And we think some day, customers will see this for what it is. We believe that people have a fundamental right on privacy. The American people demands it, the constitution demands it, morality demands it.”
One of my messages to you is: raise the floor instead of lowering it. Keep working to fight for better standards in Europe.
We believe Safe Harbour does not work. It was mentioned that it is taken very seriously on the US side. I don’t believe it is a serious effort. These are principles; they don’t say they need to apply the European law.
Just to say the US system is based on privacy policies, but if a consumer wants to read them all, it would take him up to 25 days to read them all. This is not a clear framework.
Also a report to president Obama this year, noticed that the framework for notice and consent is becoming unworkable as useful foundation for policy. Only in a fantasy world consumers read the policies and understand the implications before clicking.
Conclusion: We have to have a better framework that assures a level playing field for businesses. Trade agreements are not the place to regulate data consumption and privacy.
Panel II: Data flows between the EU and partner countries
Paul Nemitz, Director for Fundamental Rights and Union Citizenship, DG Justice and Consumers:
The agreement on these rules in the Council reflects the view of the business representatives mentioned before. Stating that data protection is a burden is as saying that good quality is a burden. If you look at the European car industry they are saying it very clearly, a good data protection will be a positive point in the future, augmenting the quality of the product. On my opinion, the visions presented by Sherwood do not really reflect the ones of European businesses.
What does the regulation brings in terms of ensuring protection in global data flows. It provides a level playing field for businesses in and outside the EU. It strengthens the authority of the Data Protection Supervisor resulting in strengthening the function of the privacy framework. Trust is at the core of a good functioning financial market. That’s why it’s so important that the powers of our data protection authorities are strengthen.
Therefore I’m happy to see that the Council has agreed that the maximum fine will be of 2% of the world turnover. In this new digital world there is no reason to use a different type of methodology when we have to protect millions of consumers.
New provisions on international data flows have been proposed by the Commission and adopted by the Council. They will facilitate international flows of data while ensuring a higher level of protection.
Does it make sense to invest in the Safe Harbour?
The Commission has benefitted in the negotiations with the US from the clear position taken by the EP. We have been inspired to seek the highest level of commitment possible from the US on the 13 points the Commission put on the table in November 2013. It is true that US has made a great effort to reach a level of protection on 11 out of 13 recommendations. We in the Commission are very close to consider it as successful.
We need to remember the scope of Safe Harbour: It is to provide Europeans a higher level of protection when their data are exported for processing. Then it exists under existing law. We are seeking from the US commitments, which serve this purpose.
In the contexts of TTIP and TISA, we work very closely together with DG Justice and Commission. We have been working on it intensely for a long time. It is true that EU has a positive trade balance not only in industrial goods but also on services. Let’s not forget that Europe in contrast to the US is also a key exporter in industrial goods, machines cars and so on. For these machines to be develop further, to control the factories it is important that data can flow back to Europe to better control and plan the future investments and developments. We depend on free flow of data. But much of this data are not personal data, so it is important when we talk about digitally deliverable services from Europe we better acknowledge that most of them are not personal data. Let’s get the facts right when we are discussing this.
When we define our interest in global agreements we need to consider the nature of our exports, and the nature of the related data flows to these exports too. It is good to have general formulations on free data flows provided that when it comes to personal data we maintain the ability to act here according to our Charta of fundamental rights.
We need to continue to apply our system of adequacy also related to third countries.. When it comes to generalizing the rules on financial services, I want you to know that these rules goes back in time even before the Data protection directive 1995. When we look at the future texts we need to be sure that the relation between the texts we are comparing is real.
Giovannni Buttarelli, European Data Protection Supervisor:
My institution is not formally involved but we monitor development closely. That’s why I was pleased to accept the invitation to this important debate today. I would like to share a few main messages:
<!--[endif]-->International data flows are a reality:
A necessary motor for globalisation. The EU has been until now a strong advocate of rules-based free trade. The European Parliament has pivotal role in ensuring that it continues to do so. And the reform of this law can be seen as a once-in-a-generation opportunity to put international transfers on a clearer footing.
<!--[endif]-->Fundamental rights and freedoms are not negotiable.
Data protection is an important concern when it comes to negotiate commercial agreements such as TTIP. When we look at the TTIP, we can see that there are useful references to shared values in the relevant areas of negotiations, such as human rights and fundamental freedoms, as well as the right of the EU and the Member States to adopt and enforce measures necessary to pursue legitimate public policy objectives.
However we can also see that the text of the mandate is not fully clear.
There is at least some rule for negotiating in areas relevant to data protection. At the same time, there is no precise language in the mandate, which would clearly state that the agreement would be without any prejudice to EU data protection law.
In particular, the mandate specifically covers ‘Information and Communication Technologies’ and ‘financial services’, and aims to ‘ensure the removal of existing NTBs’ (non-tariff barriers), and prevent the adoption of new ones. (ART. 25).
Concerns have been raised with regard to the risk that this may result in watering down existing data protection rules, or in preventing the adoption of further data protection rules in the future.
Junker, has made it clear more than once that fundamental rights are not here to be sold.
The LIBE committee, on its opinion on the TTIP, already emphasised that there is a need for a comprehensive and unambiguous horizontal self-standing provision, based on Article XIV of the General Agreement on Trade in Services (GATS), that ‘fully exempts’ the existing and future EU legal framework for the protection of personal data from the scope of the agreement.
<!--[endif]-->The EU data protection framework facilitates data flows.
The current EU regulation deems to provide an adequate level of data protection concerning international transfers of personal data. For those cases where the third country does not ensure an adequate level of protection, or, in the case of business sectors which are outside of sectoral decisions, personal data may still be transferred lawfully if there are adequate safeguards.
Together with the Article 29 Working Party, as well as the EDPS, we have been very active on this field especially on the binding rules field. This is a demonstration of the commitment of European data protection in order to facilitate international data transfer and promote accountability.
<!--[endif]-->My fourth message, relates to the on-going reform on data protection reform and its approach of continuity and change.
Chapter 5 of the GDPR is related to international transfers. The consensus emerging is characterised by continuity and change.
‘Continuity’ because the main principles, such as the adequacy principle, have been maintained.
‘Change’ because many rules have to be reinforced, where necessary simplified enough not at the expense of fundamental rights: Binding Corporate Rules, for example, will soon become an explicit part of data protection law. Moreover ‘change’ also because the Reform will replace 29 different national legislations, with an EU Regulation setting down innovations like the one-stop-shop together with proximity.
In a nutshell the EU data protection law should be, and remain, the world standard concerning data protection and data flows worldwide.
Concerning the adequacy principle:
The adequacy system we are facing is in line with article 14 of the GATT.
The EDPS is committed to be, and remain active with you, recognizing the ethical imperative. As a rule of thumb, therefore, personal data rights should continue to be left out of any trade negotiations, and only be referred to, by way of exemption, as set out in Article XIV.
Anna Fielder, Chair of the Privacy International and Senior Policy Advisor of the Transatlantic Consumer Dialogue:
I agree with many of the points made. My point is that trade is absolutely not the place for the EU to negotiate the transfer of personal information. I emphasise personal.
First of all trade has been a very positive driver fin encouraging countries to adopt data protection laws. Over 100 countries on all continents have now adopted a general/holistic data protection legislation. Just the US, Pakistan, Panama and Turkey have no regulations yet concerning DPR.
In relation to the TTIP negotiations, of the 12 partners currently negotiating, only Brunei and the US do not have a general data protection law.
Speaking about the US, to be clear, except for a few specific sectors (children, financial, health records and video hire), the processing of personal information for commercial purposes remains largely unregulated on the federal level. The US representatives, including the US Congress, have stated clearly and publicly that their aim is to achieve uniform standards through similar language for personal information transfers in all trade agreements, and that data protection must not be a pretext for protectionism.
By contrast Canada does have strong regulations concerning privacy. Indeed the concluded agreement between the UE and Canada (CETA) contains a general provision in its e-commerce chapter, which calls for respect of privacy laws, both for the private and public sectors, as well as privacy as a fundamental right in its constitution.
The fundamental issue here is that one partner sees the data protection regulation as a barrier and therefore tries to circumvent the majority of other partners’ privacy laws through a binding trade agreement that trumps them all.
A second aspect is related to the report on mass surveillance, recommending the US to revise its legislation without delay to recognize privacy and other rights of EU citizens, and provide for them judicial redress. The US have failed so far to take legislative steps to address concerns about access to the data of EU citizens by the NSA (National Security Agency and others. The ‘Freedom Act’ is a step forward, but only addressed to US citizens. As a consequence foreigners are still discriminated in the US. Equally negotiations on Safe Harbour are still not concluded, neither is the so called “umbrella agreement” which have been going on for years. Under these circumstances there can be no relaxation of data protection safeguards with regards to trans-border data flows.
We need to realize that safeguarding fundamental rights is not a priority in commercial agreements, they are about economic priorities and lowering barriers to trade. In the US trade negotiations are not opened to public debate; they are captured by industry through a combination of complete secrecy with privileged access for just a small part of private industry supervisors.
Our main ask, already put on the table by MR. Myrstad in the previous panel, is to not include personal information transfers in TTIP. If you absolutely have to; than please follow the recommendations of the LIBE committee, and vote for the amendments that follow this recommendation in your resolution.
On TISA, a resolution from the Parliament is also needed. We look forward to a timetable for such a resolution in the near future and are ready to engage.
Finally, a robust new data protection Regulation is long overdue. We find it shameful that after so many years of deliberation, the version produced goes below standards. The Council has found out major loopholes via a system of “approved” codes of conduct and certification schemes without approved coordination and oversight (Articles 38, 39 and 42).
We urge you in the forthcoming months of the trialogue to stick to your guns and not let this important law go beyond the protection of fundamental rights.
We need holistic privacy laws; it’s the most effective way to ensure privacy and fundamental rights protection.