Trading away privacy

The negotiations between the US and the EU on the “Transatlantic Trade and Investment Partnership” (TTIP) will address e-commerce and transatlantic data flows. There are more and more indications that European data protection standards could be undermined by the trade agreement. Civil society and consumer organisations, both in the EU and the United States, warn that draft provisions in the chapter on e-commerce and electronic data flows pose a threat to European privacy and data protection rights.1

NoTTIP Demonstration. Source: Open Rights Group

EU: “Keep data protection out of trade talks”

The trade negotiators of the EU Commission have insisted repeatedly and publicly (e.g. at a hearing of the Greens/EFA in the European Parliament on 5 March 20142) that they have no mandate to negotiate over data protection rules. This was also emphasised by EU justice commissioner Viviane Reding in a speech in Washington in October 2013, in which she warned against “bringing data protection to the trade talks” on the grounds that “it is a fundamental right and as such it is not negotiable”.3

The negotiation mandate for the EU Commission instead refers to Article XIV of the General Agreement on Trade in Services (GATS) of the World Trade Organization. Article XIV contains a general exception clause stipulating that “nothing in the agreement may be construed to prevent the adoption or enforcement by any member of measures […] necessary to secure compliance with laws or regulations […] relating to […] the protection of the privacy of individuals in relation to the processing and dissemination of personal data.” 4 The EU Commission’s negotiation mandate states in Article 18 that, “The Agreement will not preclude the enforcement of exceptions on the supply of services justifiable under the relevant WTO rules (Articles XIV and XIVbis GATS).”5 Article XIV of GATS was indeed copied verbatim into a draft text of the TTIP agreement proposed by the EU Commission negotiators in July 2013 and leaked in February 2014.6

So all is well, then? Certainly not. This is only the mandate for the EU negotiators. In any international agreement, it takes at least two to tango.

The “interoperability” manoeuvre

On the American side, there have been numerous attempts to undermine European data protection rules in the context of the trade talks. New lobby organisations have been set up in the last few years, for example the “Coalition for Privacy and Free Trade”, coordinated by US law firm Hogan Lovells and including a number of political heavyweights.7 A recurring theme in these lobbying efforts has been to push for “interoperability” between the European and American regulations on data protection. This basically means a mutual recognition of the respective regulations on both sides of the Atlantic.

The catch: in the United States, there are currently no comprehensive data protection laws. The Safe Harbor decision of 2000,8 under which US companies can voluntarily submit to European standards so as to be allowed to process personal data from Europe, is largely ineffective. The European Parliament has already criticized it when it was developed in 2000, and in the final report of the NSA special inquiry of 12 March 20149 even demanded its suspension. So there is nothing to be interoperable with from a European perspective, except for voluntary self-regulation measures and the usual non-enforceable commitments to transparency in order to allow “consumer choice”, which are buried under long and unreadable terms of service.10

The requirements in EU data protection law set a much higher threshold than just “interoperability” for data transfer outside the EU. The Data Protection Directive of 1995 in Article 25 requires that: “the transfer to a third country of personal data […] may take place only if […] the third country in question ensures an adequate level of protection.”11 In short, the European foundation for the transfer of personal data to third countries is the “adequacy” of their data protection situation. The US side is trying to replace this with mere “interoperability”. “Interoperability” is, in other words, an attempt to undermine European data protection standards.

Some European data protection experts are already part of this “interoperability” manoeuvre. At the end of April 2014, Massachusetts Institute of Technology and the University of Amsterdam launched a series of roundtables called “privacy bridges” “to develop a framework of practical interoperability options to bridge the gaps between the European and United States legal systems of data privacy.”12 Participants include some well-known data privacy defenders such as former German data protection commissioner Peter Schaar, but others have strong industry links, which are disguised behind a university affiliation.13 Anything developed in this context might end up in the TTIP context later.

The scope of the privacy bridges project excludes legal changes in US law. Ironically, even the White House “big data” report, which was published about the same time as the project was started, explicitly states a need for better legal protections for non-US-persons under American data protection law.14 The “privacy bridges” project is now discussing whether to drop the term “interoperability” after the first publication of the present article.15

Some heavyweight industry players go even further than “interoperability”. The Business Coalition for Transatlantic Trade, founded by the US Chamber of Commerce, calls for “a framework that allows for flexibility on privacy and continuing cooperative work on security matters”16 – as if the NSA leaks had never happened and Europe had no fundamental right to data protection.

A “virtual Schengen” as trade barrier?

Ever since the European responses to the Snowden surveillance affair, the US side has been playing a semantic trick. There have been suggestions from several sides to introduce changes to the routing of Internet data packets, so that they take a certain path and remain within the EU or even within Germany, in cases where the sender and receiver are both located there. Such suggestions have been made, with varying motives, by privacy experts such as Ian Brown of Oxford University,17 but also by Deutsche Telekom.18 What at first glance sounds like a sensible idea – why should an email from Brussels to Berlin be routed through New York or other shady jurisdictions? – is not only technically difficult but also dangerous in its potential second-order effects.

The Internet protocol with its IP addresses uses a logical address space that does not know from the underlying physical transport level where a given IP address is geographically located. While there are services to enable IP-level localisation, they only reach an approximation: my own IP address in the European Parliament in Brussels looks like I am located in Luxembourg, because of the three official seats of the Parliament in Brussels, Luxembourg and Strasbourg. Even if geo-routing was technically feasible, it cannot be our goal to re-shape the topology of the transnational and global Internet along national boundaries. This would quickly trigger undesirable consequences, such as calls for “immigration controls” for data packets, which would be equivalent to Internet censorship. 19

The Greens in the European Parliament tabled an amendment to the final report of the NSA special inquiry to instead encrypt all Internet traffic from end to end, which would mean it would no longer matter where the data passed through. This amendment was adopted as part of a compromise at the committee vote in February and confirmed by the Parliament’s plenary vote in March.20 The debate on national or European routing seemed dead by early 2014, yet Angela Merkel has since continued to push for some kind of European routing.21 The debate simmers on.

From the US side, the debate is now being used to attack European rules and limitations for the transfer of personal data to third countries. They throw terms like “Schengen network”, “cloud computing” and the third country rules of the EU Data Protection Directive into the same category, which they term “localization”. US Trade Representative Michael Froman did this on 4 April 2014 in the presentation22 of his report on US government’s trade agreements for the telecommunications market.23 He claimed that European “localization” rules that would require data transport or data processing within Europe constitute an illegal trade barrier. The “Business Coalition for Transatlantic Trade” argues along the same lines and calls for the TTIP agreement “to prohibit requirements that service suppliers use local servers or other infrastructure or establish a local presence.”24

It is however important to keep routing and data processing clearly distinct.25 While rules on data packet routing may be ill-advised, it is highly relevant where data is processed – especially if it is personal data. Because data protection in Europe is a binding fundamental right with constitutional status in the EU Charter of Fundamental Rights, personal data may in principle be processed only within Europe. Any rules for the transfer of such data to third countries constitute exceptions from this principle and must meet certain conditions – such as an adequate level of protection in the respective third country. This is the definition of localization in the proper sense. Even on the European side of this debate, many have not yet fully understood this.

In the post-Snowden era, there is a now wider debate in Europe over stricter limits to transfers of personal data to the US and other third countries. The European Parliament has introduced a new clause (article 43a) into its version of the upcoming General Data Protection Regulation,26 which would prevent third countries’ authorities from demanding a transfer from a European data controller without regard to a mutual legal assistance treaty. The European Court of Justice will now have to decide if data transfers to the US under the Safe Harbor decision are still legal, after a preliminary ruling from the Dublin High Court based on a challenge by Austrian activist Max Schrems and his group “Europe vs. Facebook”.27

The “Digital Trade Act” and TTIP

US Trade Representative Michael Froman is not alone. A draft “Digital Trade Act”, introduced in the US Senate in December 2013,28 would give the United States Trade Representative a binding mandate for international negotiations in the area of e-commerce. Regulations for “localization” would have to be banned, and “interoperability” of data processing rules would be enshrined as a fundamental principle. This Act would of course also apply to negotiations over the corresponding chapter in the TTIP agreement. The bill is currently being discussed in the Committee on Finance. Similar provisions can also be found in the draft for a bipartisan “Trade Priorities Act”, introduced in the US Senate in January 2014.29

Drafts from US negotiators for the e-commerce section of TTIP already include these two crucial points: the principle of “interoperability” of European and US data protection rules, and a ban on “localization”.30 It is clear that there is a strong push from US negotiators, backed by US industry, to keep this in the final agreement text. In October 2014, the US negotiators have put a concrete text proposal on “data flows” on the table. Nobody outside the European Commission can assess its merits, however. The secrecy of the TTIP negotiations even prevents the responsible rapporteur of the Civil Liberties, Justice and Home Affairs (LIBE) Committee of the European Parliament31 from seeing the text.

The EU Commission is obliged to not meet the US side’s demands in any way. But trade negotiations always lead to compromise. It is therefore to be feared that TTIP will, at least in attenuated form, include regulations that undermine our European data protection standards, for example by limiting the space of interpretation of the GATS exception clause to extraordinary circumstances.

TiSA: TTIP on steroids

Running parallel to TTIP since January 2013, though largely beyond the public eye, have been the negotiations for a plurilateral agreement on trade in services.32 The so-called Trade in Services Agreement (TiSA) would succeed GATS for the countries involved – so far the US, the EU, and 21 others, all from the industrialised world.33 US industry has woken up to the recent rise of public debate and criticism around TiSA and, as with TTIP, has started a PR campaign in favour of loosening trade restrictions through TiSA. The “TiSA Business Coalition”, also called “Team TiSA”, was launched on 18 June 2014 in Washington in the presence of the US Trade Representative and the Japanese ambassador.34

An explicit goal of the TiSA negotiations is to overcome the exceptions in GATS that protect certain non-tariff trade barriers, including data protection.35 A first leak of a TiSA document illustrates this: the draft Financial Services Annex of TiSA, published by Wikileaks on 19 June 2014, would allow financial institutions, such as banks, the free transfer of data, including personal data, from one country to another.36 This would constitute a radical carve-out from European data protection rules. The transfer and analysis of financial data from EU to US authorities for the US “Terrorist Finance Tracking Programme” (TFTP) has shaken EU-US relations in the past and led the European Parliament to veto the first TFTP agreement in 2010. With the draft text of the TiSA leak, all floodgates would be opened.

The weakening of EU data protection rules through TiSA goes further than “just” the financial sector. According to sources close to the negotiations, a draft of the TiSA “Electronic Commerce and Telecommunications Services Annex” contains provisions that would ban any restrictions on cross-border information flows and localisation requirements for ICT service providers. A provision proposed by US negotiators would rule out any conditions currently in place in EU data protection law for the transfer of personal data to third countries. Another provision, again put on the table by US negotiators, would ban requirements to use computing facilities in the respective country.

Personal data localization as a fundamental right

Since the Snowden revelations, it has become clear that Europe urgently needs to invest in re-building an independent IT industry – from the hardware level to the applications and services – if it wishes to protect itself from mass surveillance by the NSA. European organizations in both public and private sectors are increasingly insisting on localisation provisions when buying computing services, in order to ensure that their personal data or their sensitive business information does not end up in shady jurisdictions. In its landmark ruling that repealed the data retention directive in April 2014, the European Court of Justice openly criticised the lack of localisation obligations:

[The data retention] directive does not require the data in question to be retained within the European Union, with the result that it cannot be held that the control, explicitly required by Article 8 (3) of the Charter, by an independent authority of compliance with the requirements of protection and security […] is fully ensured. Such a control, carried out on the basis of EU law, is an essential component of the protection of individuals with regard to the processing of personal data.37

In plain English: any trade agreement must not prohibit preferential treatment of European ICT companies. Or in even simpler English: “Eat this, US Trade Representative.” It remains to be seen whether Europe can maintain and even improve its data protection rules in the face of massive pressure to reach agreement on TTIP and TiSA.