I have an even more radical view. ‘My’ data should be under my control. I should be able to choose who gets access to it and where it’s stored…:
Russia. China. Now Europe?
In a trend that has spooked Silicon Valley, senior EU officials are flirting with the idea of forcing companies to store and retain at least some of their data in Europe.
The push for so-called data localization has its biggest backer in Thierry Breton, a French former tech CEO who now oversees a swath of EU digital policymaking and told lawmakers last month that data produced in Europe “should be processed in Europe.” In 2018, while a tech executive, he went further, telling a French newspaper that EU privacy regulation should require data to be physically stored in Europe.
Breton, an ally of French President Emmanuel Macron, has won high-profile support for the idea from top data-protection, cybersecurity and diplomatic officials across Europe, including German Economy Minister Peter Altmaier, who is looking to launch a home-grown cloud storage service called Gaia-X to wean Europe off foreign suppliers.
Announcing the project late last year, Altmaier said that Europe needs “a data infrastructure that ensures data sovereignty,” adding that it is important that cloud solutions are not just created in the United States.
“There’s a correlation between governments that want to implement data-localization measures, and high levels of corruption and weak institutions” — Matthias Bauer, analyst
For now there is no suggestion that the bloc’s digital initiatives, set to be unveiled Wednesday, will include hard rules on data storage.
However, leaked documents outlining Europe’s grand digital strategy include talk about fostering an environment that will “lead to more data being stored and processed in the EU,” as well as an “open, but assertive approach to international data flows.”
The mere prospect of a European data grab has already alarmed firms from Silicon Valley to China’s Shenzhen and Hangzhou regions, which have substantial operations in Europe and send large amounts of data overseas for processing.
For those players — which have a business incentive to keep data flowing freely across borders — a move toward localization in Europe would set a dangerous precedent.
Not only would it undermine the EU’s own insistence on free data flows in negotiations with trade partners, they argue. It would also put the bloc in a league with authoritarian regimes in Russia and China, which use localization rules to clamp down on the circulation of information — splintering the notional world wide web into country-sized shards.
“It’s not in line with EU positioning,” Thomas Boué of the Microsoft-backed trade group the Software Alliance (BSA), said of potential moves to keep data stored in Europe.
Alex Roure, of the Computer & Communications Industry Association (CCIA) lobby group, said he has not seen a “single case” where data localization benefits privacy, security or the economy. “If it’s to protect local incumbents, that would be problematic.”
But the fact that top EU officials, including the bloc’s data-protection supervisor, have voiced support for limits of some form on international data flows — as well as Europe-based cloud storage solutions — underscores the widening division and rivalry between Europe and the United States on tech.
One major signal that could determine the EU’s stance on data is a landmark ruling at the Court of Justice of the European Union, expected later this year, that will determine whether EU citizens’ data can safely be transferred around the world under the so-called Privacy Shield transatlantic data flows agreement.
If Privacy Shield is struck down, all overseas data flows would become subject to legal uncertainty — an implicit argument for keeping more of it on the Continent.
For critics of data localization, there is little doubt that such rules are a prelude to democratic backsliding. Among other examples they point to China, where a 2017 cybersecurity law forces operators of critical infrastructure to store all personal and “important” data they hold within China.
Exports of data are only allowed if a regulator agrees that they are genuinely necessary for business reasons. Even operators of non-critical infrastructure — so-called network operators, which can include anyone with a website — must submit security-assessment reports demonstrating a clear need for data to be transferred abroad.
Another standard-bearer for the approach is Russia, which has rules requiring a copy of data on Russian citizens to be stored in the country. It banned LinkedIn for flouting the rules, and recently fined Facebook and Twitter $63,000 each for failing to comply with a national data law.
India, under the leadership of Prime Minister Narendra Modi, is also leaning toward data-localization requirements, while countries close to China, like Vietnam and Malaysia, have similar rules.
“There’s a correlation between governments that want to implement data-localization measures, and high levels of corruption and weak institutions,” said Matthias Bauer of Brussels-based think tank ECIPE, who authored an influential study on data-localization rules.
European policymakers have repeatedly insisted on the need to guarantee high levels of privacy protections for EU citizens’ data.
Proponents of the policy insist it can ensure that valuable information and know-how isn’t lost. But the evidence is scant that data localization boosts local industry in the way its proponents say it does. ECIPE’s 2014 study into data localization estimated that such requirements could shave up to 1.7 percent off gross domestic product, a common measure of economic health.
Data localization is also widely believed to be used by autocratic regimes to gain a backdoor into information systems, and spy on their citizens.
But those who advocate for localization in Europe insist their version would be different.
There is little suggestion, for example, that policymakers are looking to improve their ability to snoop on citizens. European policymakers have repeatedly insisted on the need to guarantee high levels of privacy protections for EU citizens’ data, particularly in sensitive categories such as health or financial information.
Europe’s strict framework, the General Data Protection Regulation, is the strictest privacy regulation in the world on paper. But as privacy activists point out, the law gives regulators little oversight once data leaves the region.
In a nod to those concerns, the EU’s newly appointed privacy chief, Wojciech Wiewiórowski, told POLITICO he has “some preference” for data processing to stay in Europe, while last year Germany’s federal privacy head Ulrich Kelber warned German police against using Amazon’s cloud hosting services to avoid U.S. authorities gaining undue access to the data stored there.
Even so, privacy concerns are far from being the only reason for Europe’s push on data.
Instead, leaders like Breton and Altmaier are focused on delivering a digital strategy that will help the bloc catch up with China and the United States in terms of technology — a strategy that rests heavily on the hope of leveraging pools of industrial data into new AI applications. Closely aligned with that vision is the need to keep such highly valuable data, which may be produced by German carmakers or French banks, secure from industrial espionage by storing it on the Continent.
In an interview with POLITICO recently, France’s chief cybersecurity official Guillaume Poupard also underscored fears of foreign snooping while saying that “data should probably remain in Europe just because we want only European laws and rules to apply to it.”
The groundswell of support is increasingly putting the tech community on edge, including a newly formed lobby named the Global Data Alliance devoted to protecting free data flows.
According to Boué of BSA, which founded the lobby, comments by EU officials on data localization illustrate why the group is needed. Breton’s comments “were not a deciding factor, but they show the alliance is important,” he said.
An official representing powerful U.S. interests was more forthright about the threat of data localization. The organization stands ready to “weigh in and act” if high-level comments by top EU officials hardens into policy, the official said.
Equally perplexing for some is the perceived lack of demand for data localization within Europe. “The knee-jerk reaction is that we are moving in a data-localization direction, but we need more meat and a detailed explanation. Where is the demand for this?” said CCIA’s Roure.
Cloud providers that tout their local credentials already exist, ECIPE’s Bauer noted, but the market for them is small. “If localization is a key concern, more people would be buying these services,” he said.