It’s a cliché that “data is the new oil”—a metaphor that dates back to at least 2006. Like oil, data is beginning to drive conflict, as different political blocs fight for control of how this valuable resource flows around the world. That tussle is at a critical juncture because of the confluence of three major factors: the Snowden revelations about massive online surveillance; key judgments by Europe’s top court; and attempts by the US to use major trade deals to lock in unrestricted data flows globally.
The growing awareness of the importance of data flows to both technology and the world’s economy is reflected in the number of reports on the topic that have been issued recently. For example, in April 2014, McKinsey published “Global flows in a digital age,” which noted:
A month later, the European Centre for International Political Economy (ECIPE) issued a report that aimed to “quantify the losses that result from data localisation requirements and related data privacy and security laws that discriminate against foreign suppliers of data, and downstream goods and services providers.” Data localisation in this context means keeping data within the same country—or legal bloc, in some cases—where it originated.
According to ECIPE’s econometric modelling, if the European Union were to introduce economy-wide data localisation requirements that applied across all sectors of the economy, its GDP would suffer a loss of 1.1 percent as non-EU companies flee to the hills. ECIPE said domestic investments would fall by 3.9 percent, and the economic losses suffered by EU citizens would total £156 billion (€182 billion, $193 billion).
One reason why many countries were, and still are, considering data localisation requirements that would force companies to keep data within national or legal boundaries is the Snowden leaks. These showed the NSA and GCHQ carrying out surveillance on a hitherto unsuspected scale. In particular, Edward Snowden revealed that both agencies spied on data as it flowed across US and UK borders to and from other countries.
An obvious way to avoid this problem is to keep data in the country where it is generated, to minimise opportunities for foreign interception. That too has issues—for example, it’s easier for national governments to spy on and demand information—but it does place obstacles in the way of external intelligence agencies like the NSA and GCHQ.
One country that has already adopted this approach is Russia, which passed a data localisation law in 2014. LinkedIn’s failure to comply means that the soon-to-be Microsoft subsidiary faces the prospect of Russian ISPs blocking access to its site. As Ars has reported, China too is bringing in data localisation requirements.
Perhaps even more important than Snowden’s impact on governments’ future data localisation policies have been the knock-on consequences of his revelations for the “Safe Harbour” framework that has governed data flows from the EU to the US since 2000. In 1998, the EU’s directive on data protection went into effect, which prohibited the transfer of personal data to non-European Union countries that did not meet the 28-member-state bloc’s “adequacy” standard for privacy protection—in other words, that did not offer sufficient safeguards for personal data.
The Safe Harbour website explains: “In order to bridge these differences in approach and provide a streamlined means for US organisations to comply with the Directive, the US Department of Commerce in consultation with the European Commission developed a ‘Safe Harbour’ framework and this website to provide the information an organisation would need to evaluate—and then join—the US-EU Safe Harbour programme.