CYBERSEC 2021: Regulatory obstacles to data flow.
By Katie Aulenbacher, the CyberWire staff
Mar 23, 2021

"Together Against Adversarial Internet" addressed questions of policy, economics, security, and innovation through the lens of our shared digital future. CYBERSEC took up the issues of data flows, especially post-Schrems II.

CYBERSEC 2021: Regulatory obstacles to data flow.

In a segment titled “The sun after the rain? Free and safe data flows across the Atlantic and beyond,” European Commission Justice Commissioner Didier Reynders discussed the stickiness of data transfer agreements and associated trust and safety issues while affirming the importance of data flows to trade and cooperation. He expressed hope that shared priorities between the US and EU could bring the two together despite the complexity of security and privacy arrangements, especially as the US moves towards greater privacy regulation.  

After Schrems II: balancing the demands of industry, privacy, and security. 

A panel discussion called “From lakes to a data ocean? Debating the future of transatlantic data transfers” covered Schrems II, transatlantic agreements, data localization, the needs of industry, and the EU’s strategic ambitions. 

FTI Consulting Director Ana Jankov described data as the currency of the digital economy and data flows as crucial to economic partnerships. She asked the panelists how stakeholders from human rights activists to politicians should pilot the rapidly evolving political and regulatory environment.

DigitalEurope Director-General Cecilia Bonefeld-Dahl highlighted the economic consequences of the European high court’s Schrems II decision. She shared findings from a recent survey of hundreds of businesses that ninety-percent are moving data across EU borders, often to non-European countries, and fifty-percent are not up to speed on the legal ambiguities surrounding this action. The information communications technology and manufacturing sectors led the pack in data transfers, largely business-to-business transactions. 

Bonefeld-Dahl argued for clearer classification of sensitive and non-sensitive data, objecting to the severity of current rules that require across the board encryption. She described the regulatory struggle to align state standards as a “huge problem” with the potential to hinder private sector growth and damage the economy. 

The European legislative response to Schrems II.

European Commission Policy Officer Alisa Vekeman addressed how the European legislature is managing the fallout of Shrems II and approaching a new solution with the US. She said the Commission is balancing two priorities: protecting personal information as it traverses EU borders, and facilitating businesses’ critical operations. The Commission is making progress in exploratory talks with the US Commerce Department on the complex privacy and national security issues raised by Schrems II, and looking to the US for guidance on what’s feasible “legally and politically” across the pond. She emphasized that there will be no “quick fix,” but the EU stands ready to think outside the box.   

The Commission is also endeavoring to update standard contractual clauses (SCCs), the “most used tool” for EU data transfers, in response to regulatory and technological developments. The body is working to incorporate hundreds of comments received during a public consultation period.   

European Member of Parliament Patrick Breyer stressed that privacy rights and businesses’ desires need not be at loggerheads, but industry must understand that “non-sensitive data” doesn’t exist, since information can be compiled towards nefarious ends. He said individuals should be able to determine who has access to their private life, noting that non-existent data sets can’t be compromised. 

Breyer insisted data ought to be protected by EU or comparable laws, arguing that SCCs aren’t a suitable workaround since they don’t address the operations of intelligence agencies. He claimed mass surveillance has had a “chilling effect” on vulnerable societal linchpins like journalism, dissent, and whistleblowing, and surveillance in general has not made the public safer. Breyer said the EU should be firmer with Washington on this point than it has previously, reasoning that regulations need to cohere with fundamental rights. It would be injurious to reach another agreement only for it to flop in court, he added. 

Is the EU a nest of hypocrites when it comes to facilitating data transfers?

Apparently speaking only somewhat tongue-in-cheek, US Cyberspace Solarium Commission Executive Director Mark Montgomery identified the chief obstacle to bilateral progress on the issue as EU “hypocrisy.” He spoke hopefully about the Biden Administration’s commitment to privacy and partnership, but called attention to a “fundamental mismatch” both in “reality and perception” of the respective EU and US intelligence establishments. On his view the Court of Justice employed unequal standards for the two countries. Montgomery spotlighted the “robust” legal review process and independent press in the US as checks on the Intelligence Community’s power.  

Vekeman countered that Schrems II overturned member state laws as well, and fairly applies familiar principles of necessity and proportionality. She said the ruling raised a challenging foundational question, one regimes around the world are struggling to answer, about how best to safeguard data through transfers, including against harmful government activity. 

The importance of data flows to emerging technology.

European Telecommunications Network Operators' Association Director General Lise Fuhr described the importance of data flow to emerging technologies, from 5G to IoT devices and AI innovations. Data flow and solid transatlantic partnership, she said, are needed to facilitate the EU’s ambitions of digital and economic leadership.

The conversation turned to data flows internal to the EU, with a focus on data localization proposals. Bonefeld-Dahl described localization requirements as hugely disruptive to industry, noting that the majority of growth in the coming years will be driven by external relationships. She painted a bleak scenario where businesses flee the region if the EU returns to protectionist measures, and encouraged stakeholders to look to existing models like the agreements with Japan and Britain as a guide in pursuit of an open economy. 

Vekeman noted that the Commission respects the distinction between data protection and data protectionism and has been working on data flow agreements with Japan, South Korea, and a collection of other Asian and Latin American nations. Fuhr added that it’s vital to build EU values into all of the bloc’s data policies. 

Breyer responded in the affirmative to a question about whether a federal privacy law in the US could catalyze an EU agreement, with the qualification that the law would need to supply a sufficient degree of protection. Recent proposals, he said, are not yet up to snuff. The California Consumer Protection Act, for example, did not account for intelligence agencies’ activities. He expressed hope that the parties could find common ground, on the recognition that good data protection laws benefits the private sector.  

Montgomery confirmed that political will for a federal privacy law is growing, though incident reporting regulation is currently a higher priority. He called Breyer’s wish list unrealistic, and commented that he feels more secure in the States.