Tools used to shuttle digital information out of Europe are stuck in legal limbo. Now companies are considering the once-unthinkable: limiting the flow of data out of the bloc.
After the EU’s top court last month struck down Privacy Shield, the second transatlantic data protection agreement to be annulled in five years, businesses on both sides of the pond have been quick to call for a swift replacement, rallying around the concept of frictionless data that has undergirded the internet since its inception.
But the annulment of Privacy Shield suggests the tide may be turning on the idea of a truly borderless internet.
European regulators are increasingly speaking out in favor of keeping data stored inside the bloc. And while the Continent’s landmark General Data Protection Regulation (GDPR) has provided a template for privacy rules in other parts of the world, so too have Chinese-like restrictions on data flows — in India and Brazil, both GDPR-like laws and local data storage requirements are in the pipeline.
While it remains to be seen exactly how EU watchdogs will interpret the Privacy Shield ruling, a growing number of companies are not waiting to find out — and proactively taking the decision to keep their data in the bloc.
In 2018 cybersecurity firm Kaspersky began storing data from Europe and North America in Switzerland to ward off privacy concerns. Digital wallet provider Dashlane has stored user data in Europe since its launch in 2012 because founders believed that high data protection standards would appeal to its customers.
Peter Yared, whose firm InCountry helps companies comply with local data regulations, told POLITICO that data localization requirements are increasingly factored in by clients, especially those with a global footprint. “From our customer conversations, we think … companies with a global mindset … are setting themselves up for a future of tighter digital data regulations,” he said.
Those companies may well become the precursors to a stampede. A lawyer who represents large tech companies — and who asked to speak on condition of anonymity to discuss confidential matters — said they now advise some clients to consider compartmentalizing data in different regions.
“We used to tell our clients not to worry about where to store their data because data export mechanisms allow for a lot of flexibility, but we’ve done a complete 180 and tell clients to consider storing data locally first. It’s not because of the Schrems II ruling per se, but it seems that increasing restrictions on data flows is the way the world is going and this will help clients future-proof their compliance program,” the lawyer said, referring to the annulment of Privacy Shield earlier this month.
Germany leads charge
While the EU’s top court struck down the Privacy Shield over fears of U.S. snooping, it upheld the legality of instruments used to export personal data all over the world called Standard Contractual Clauses (SCCs).
But an apparent endorsement of SCCs came with hidden barbs: The court stressed that it was up to companies and data protection regulators to check if transfers done using those instruments adhered to Europe’s high data protection standards.
In a sign of the legal headaches to come, Europe’s grouping of data protection authorities said an assessment of whether data exports using SCCs were legal would have to be done on a “case-by-case basis”, raising the prospect of companies having to do a painstaking analysis of foreign surveillance regimes whenever they want to send data abroad.
Regulators in Germany went further, with Berlin’s data protection regulator calling for data stored in the U.S. to be relocated to Europe and the watchdog in the state of Baden-Württemberg telling POLITICO that SCCs as they stand are now largely unsuitable for exporting data out of Europe. A joint statement by all of the country’s privacy regulators later said that SCCs for U.S. data transfers without additional safeguards were “generally not sufficient.”
Calls for data localization — especially from privacy-conscious Germany — are not new, but this time could be different. Digital sovereignty has emerged as a top priority for Europe’s top policymakers, who have thrown their weight behind projects like Gaia-X, an initiative aimed at boosting the bloc’s ability to store data on the continent.
Local data storage requirements are also in vogue. China and Russia are high-profile adherents to the policy, but restrictions on data are popping up all over. India and Brazil, under strongmen leaders Narendra Modi and Jair Bolsonaro, are also leaning toward data localization requirements, while countries like Vietnam and Malaysia have similar rules. Western allies like Australia and some Canadian provinces have restrictions too.
For companies like Google and Facebook, whose global empires rest on their ability to extract value from personal data, a shift toward data localization spells bad news. Many of these companies ship big quantities of data back to the United States for processing, analysis, research and other purposes. Having to regionalize those functions would mean reorganizing corporate structures and becoming subject to greater regulatory scrutiny in other countries.
“When you think about operations of these big companies, relocating your data is not as simple as it may sound unless you’ve designed it like that from the start,” said Emmanuel Schalit, the co-founder and CEO of digital identity company Dashlane, which has stored data in Europe from its inception. “Who knows what complex web of agreements between suppliers and customers they have?”
While lawyers scramble to find ways of keeping data flowing overseas — and tech lobbies shout for another Privacy Shield to replace the dead one — some analysts warn that the time for legal tinkering may be over.
“Absent another Privacy Shield-like scheme, and assuming it’s done right on the technical and organizational level, localizing data sounds like the simplest approach,” independent cybersecurity researcher and consultant Lukasz Olejnik told POLITICO via email. “I doubt that a pure legalistic response is sufficient … I am convinced that compliance will need actual technological … changes. In some cases this means rearchitecting systems,” he said.
Echoing this line, Baden-Württemberg’s privacy regulator Stefan Brink told POLITICO that legal changes alone would not be enough to keep data flowing.
Companies could store their data in Europe, or they could reach for a wildcard: encrypting everything that crosses the Atlantic.
“I generally agree that data exports to third countries may no longer be based on Standard Contractual Clauses. However, the ECJ shows the possibility of continuing such exports with additional guarantees. This could include an effective encryption of data stored in the U.S., which the U.S. service provider cannot break,” Brink said.