Week 3: EU data protection laws, TTIP and industry responses

The topic for this week was inspired by a short article in the FT about Amazon’s decision to site a data centre in Germany to create more confidence in Amazon’s ability to protect the data of Europeans and comply with data protection laws (although this might be largely irrelevant given the view of US courts on foreign data centres, as Karan points out in his tweet).  Quite independent of German or European concerns, there are many worries about data centres as a weak spot in protecting individual privacy or as Technology Review cleverly puts it, they are the “soft and chewy centers that put your data at risk“.

Last year, when I chose a topic related to privacy concerns (the twitter hashtag is eudatap), I got the most retweets (from non-Cambridge folk) and the farthest reach of any discussion topic, so I am acutely aware that this is a very sensitive and emotive subject.  There are some important national differences in terms of public opinion.  The brand new Eurobarometer on Public Perceptions of Science, Research and Innovation finds that whereas the majority in a number of member states believe that science and technological innovation will have a positive impact on protection of personal data (led by Ireland, and the Baltics and Nordics), less than 30% of French, Greeks, Italians, Austrians and especially Germans agree.  There are also significant differences by age, education and internet usage: younger people are more likely to have a positive view of the impact of S&T on data privacy than older people, as do those with higher levels of education and those who use the internet more frequently. According to the Pew Global Attitudes Project, the revelations over US monitoring had a particularly negative impact on the German view of the US (Obama’s approval rating in Germany declined by 17 points in the past year in part as a result of US spying on Chancellor Merkel).

So in case it wasn’t obvious, for good historical reasons, Germany has some of the strictest data privacy laws and they are a major driver both of European laws in this area and of the resulting corporate responses.  Earlier in the year, the German appeals courts reaffirmed that Facebook must comply with German privacy laws and just in the past few days, German regulators have ordered Google to change its privacy terms, and in addition to Amazon’s new German data center, Cisco has begun to work with a new subsidiary of Deutsche Telekom on cloud services that are compliant with German and EU rules. The biggest single decision in this sphere is the European Court of Justice asserting a new “Right to be Forgotten“, with its multi-million euro impact on Google and concerns over its implementation, but the origins of EU data protection laws date back to the major directive of 1995 and the creation of ‘safe harbor’ rules for transferring data outside of Europe allowing for American companies to be granted a streamlined or expedited treatment under EU data protection directive.  The new EU Justice Commissioner-designate has recently restated a willingness of the EU to suspend the US-EU safe harbour rules over data sharing.  The potential for the safe harbour provisions to be abrogated or revised concerns many leading American technology firms, which benefit from the current arrangements.

That seems like plenty to chew on, but why else does this matter?  The biggest item on the US-EU agenda is the proposed trade and investment deal TTIP, which has generated vocal and alarmed (or alarmist) criticism from various pundits and NGOs,  For a basic intro to the TTIP, see the excellent report from the House of Commons Library.  At the same time as US-EU relations have improved from their nadir in the mid-2000’s, the issue of data privacy is, arguably, the largest single source of contention in bilateral relations. Although these are nominally separate spheres of negotiations, and European negotiators are generally positive on TTIP, it is hard to imagine completely disentangling the two issues that will determine the future of US-EU relations.

Feel free to weigh in any of these issues, for example:

  1. How important are national sentiments over data privacy (such as found in German public opinion) on future EU regulations or the positions that German or EU representatives take in their negotiations with their American counterparts? (hint: it may depend on your model of the policy process!)
  2. How serious are threats to review safe harbor provisions and change the way in which American technology firms do business in Europe?
  3. Past and future decisions over Right to be Forgotten, Safe Harbors, etc are crucial to the way technology firms operate but, to date, firm actions seem to be largely reactive.  What more can firms do to take a more proactive stand or will firms inevitably have to react to decisions made in the policy arena?
  4. Do you feel there is a potential link between TTIP and the data protection debate or am I overstating the case?
  5. How do these issues look from beyond the EU-US echo chamber?  What are the implications of the US-EU debate for other countries? for firms from other countries?