Showing 9 of 181 Publications in Data Security & Privacy

Issue Brief: The Great Transatlantic Data Disruption

ICLE Issue Brief

A new issue brief published jointly by ICLE and the Progressive Policy Institute looks at looming threats to transatlantic data flows between the U.S. and EU that power an estimated $333 billion in annual trade of digitally enabled services.

(This issue brief is a joint publication of the International Center for Law & Economics and the Progressive Policy Institute)

Executive Summary

Data is, logically enough, one of the pillars supporting the modern digital economy. It is, however, not terribly useful on its own. Only once it has been collected, analyzed, combined, and deployed in novel ways does data obtain its highest utility. This is to say, a large part of the value of data is its ability to flow throughout the global connected economy in real time, permitting individuals and firms to develop novel insights that would not otherwise be possible, and to operate at a higher level of efficiency and safety.

Although the global transmission of data is critical to every industry and scientific endeavor, those data flows increasingly run into barriers of various sorts when they seek to cross national borders. Most typically, these barriers take the form of data-localization requirements.

Data localization is an umbrella term that refers to a variety of requirements that nations set to govern how data is created, stored, and transmitted within their jurisdiction. The aim of data-localization policies is to restrict the flow of data across a nation’s borders, often justified on grounds of protecting national security interests and/or sensitive information about citizens.

Data-localization requirements have in recent years been at the center of a series of legal disputes between the United States and the European Union (EU) that potentially threaten the future of transatlantic data flows. In October 2015, in a decision known as Schrems I, the Court of Justice of the European Union (CJEU) overturned the International Safe Harbor Privacy Principles, which had for the prior 15 years governed customer data transmitted between the United States and the EU. The principles were replaced in February 2016 by a new framework agreement known as the EU–US Privacy Shield, until the CJEU declared that, too, to be invalid in a July 2020 decision known as Schrems II. (Both complaints were brought by Austrian privacy advocate Max Schrems.)

The current threatened disruption to transatlantic data flows highlights the size of the problem caused by data-localization policies. According to one estimate, transatlantic trade generates upward of $5.6 trillion in annual commercial sales, of which at least $333 billion is related to digitally enabled services.[3] Some estimates suggest that moderate increases in data-localization requirements would result in a €116 billion reduction in exports from the EU.

One difficulty in precisely quantifying the full impact of strict data-localization practices is that the list of industries engaged in digitally enabled trade extends well beyond those that explicitly trade in data. This is because “it is increasingly difficult to separate services and goods with the rise of the ‘Internet of Things’ and the greater bundling of goods and services. At the same time, goods are being substituted by services … further shifting the regulatory boundaries between what is treated as goods and services.” Thus, there is reason to believe that the true value of digitally enabled trade to the global economy is underestimated.

Moreover, as we discuss infra, there is reason to suspect that data flows and digitally enabled trade have contributed a good deal of unmeasured economic activity that partially offsets the lower-than-expected measured productivity growth seen in both the European Union and the United States over the last decade and a half. In particular, heavy investment in research and development by firms globally has facilitated substituting the relatively more efficient work of employees at firms for unpaid labor by individuals. And global data flows have facilitated the creation of larger, more efficient worldwide networks that optimize time use by firms and individuals, and the development of resilient networks that can withstand shocks to the system like the COVID-19 pandemic.

In the Schrems II decision, the court found that provisions of U.S. national security law and the surveillance powers it grants to intelligence agencies do not protect the data of EU citizens sufficiently to justify deeming U.S. laws as providing adequate protection (known as an “adequacy” decision). In addition to a national “adequacy” decision, the EU General Data Protection Regulation (GDPR) also permits firms that wish to transfer data to the United States to rely on “standard contractual clauses” (SCC) that guarantee protection of citizen data. However, a prominent view in European policy circles—voiced, for example, by the European Parliament—is that, after Schrems II, no SCC can provide a lawful basis for data transfers to the United States.

Shortly after the Schrems II decision, the Irish Data Protection Commission (IDPC) issued a preliminary draft decision against Facebook that proposed to invalidate the company’s SCCs, largely on the same grounds that the CJEU used when invalidating the Privacy Shield. This matter is still pending, but a decision from the IDPC is expected imminently, with the worst-case result being an order that Facebook suspend all transatlantic data transfers that depend upon SCCs. Narrowly speaking, the IDPC decision only immediately affects Facebook. However, if the draft decision is finalized, the SCCs of every other firm that transfers data across the Atlantic may be subject to invalidation under the same legal reasoning.

Although this increasingly restrictive legal environment for data flows has been building for years, the recent problems are increasingly breaking into public view, as national DPAs grapple with the language of the GDPR and the Schrems decisions. The Hamburg DPA recently issued a public warning that the use of the popular video-conference application Zoom violates GDPR. The Portuguese DPA issued a resolution forbidding its National Institute of Statistics from transferring census data to the U.S.-based Cloudflare, because the SCCs in the contract between the two entities were deemed insufficient in light of Schrems II.

The European Data Protection Supervisor has initiated a program to “monitor compliance of European institutions, bodies, offices and agencies (EUIs) with the ‘Schrems II’ Judgement.” As part of this program, it opened an investigation into Amazon and Microsoft in order to determine if Microsoft’s Office 365 and the cloud-hosting services offered by both Amazon and Microsoft are compatible with GDPR post-Schrems II. Max Schrems, who brought the original complaint against Facebook, has through his privacy-activist group submitted at least 100 complaints as of August 2020 alone, which will undoubtedly result in scores of cases across multiple industries.

The United States and European Union are currently negotiating a replacement for the Privacy Shield agreement that would allow data flows between the two economic regions to continue. But EU representatives have warned that, in order to comply with GDPR, there will likely be nontrivial legislative changes necessary in the United States, particularly in the sensitive area of national-security monitoring. In effect, the European Union and the United States are being forced to rethink the boundaries of national law in the context of a digital global economy.

This issue brief first reviews the relevant literature on the importance of digital trade, as well as the difficulties in adequately measuring it. One implication of these measurement difficulties is that the impact of disruptions to data flows and digital trade is likely to be far greater than even the large effects discovered through traditional measurement suggest.

We then discuss the importance of network resilience, and the productivity or quasi-productivity gains that digital networks and data flows provide. After a review of the current policy and legal challenges facing digital trade and data flows, we finally urge the U.S. and EU negotiating parties to consider longer-term trade and policy changes that take seriously the role of data flows in the world economy.

Read the full issue brief here.


Gus Hurwitz on the Colonial Pipeline hack

Presentations & Interviews

ICLE Director of Law & Economics Programs Gus Hurwitz appeared in a segment on Nebraska-TV about the recent hack of the Colonial Pipeline and the state of cyber-security more generally. The full video is embedded below.


Gus Hurwitz on coordinated inauthentic behavior

Presentations & Interviews

ICLE Director of Law & Economics Programs Gus Hurwitz joined Steptoe & Johnson’s The Cyberlaw Podcast to discuss content moderation and “coordinated inauthentic behavior.” The full episode is embedded below.


Irish Decision Will Raise Stakes to Resolve Transatlantic Data Trade

TOTM

We can expect a decision very soon from the High Court of Ireland on last summer’s Irish Data Protection Commission (“IDPC”) decision that placed serious impediments in the way of using “standard contractual clauses” (SCC) to transfer data across the Atlantic. That decision, coupled with the July 2020 Court of Justice of the European Union (CJEU) decision to invalidate the Privacy Shield agreement between the European Union and the United States, has placed the future of transatlantic trade in jeopardy.

Read the full piece here.


The Problem of Data Property Rights

TOTM

Policy discussions about the use of personal data often have “less is more” as a background assumption; that data is overconsumed relative to some hypothetical optimal baseline. This overriding skepticism has been the backdrop for sweeping new privacy regulations, such as the California Consumer Privacy Act (CCPA) and the EU’s General Data Protection Regulation (GDPR).

Read the full piece here.


The Digital Services Act

TL;DR

Background…

The European Commission has released its draft Digital Services Act (“DSA”), which seeks to make the internet safer for European citizens. If passed into law, this regulation will shape digital markets in the European Union for years to come.

But…

While some provisions of the draft DSA could bring needed changes to the regulation of online markets, the law will on balance make it more costly for online firms to do business in Europe. This is particularly true for smaller platforms with less capacity to shoulder significant compliance costs. Like many other regulations, the DSA also might further entrench incumbents.

Read the full explainer here.


Digital Duty to Deal, Data Portability, and Interoperability

Scholarship

Abstract

In this chapter, we discuss the development of the duty to deal doctrine in antitrust law, its application to the digital economy, and proposals for specific duties to deal, such as data portability and interoperability.

Part I outlines the development of the duty to deal doctrine in antitrust law. The development of the doctrine in the United States will be compared to that in the European Union. Popular economic justifications for the doctrine and key cases will be explored. Part II then situates this doctrine within the digital economy, focusing on the importance of getting the contours of the doctrine right in that economy. As we shall see, the law and economics of the duty to deal caution against its application to dynamic, digital markets. This will be illustrated by looking at cases where it has been applied. Part III focuses on two specific categories of duties to deal: data portability and interoperability.


Data Portability: The costs of imposed openness

TL;DR

Background… 

Many competition agencies are considering data portability mandates to increase competition. These would require companies to make customers’ data available to move to other services, or to make their services interoperable with others so that users could share their data between different services on an ongoing basis.

But…

Data portability mandates can be costly and cumbersome for service providers, and provide little benefit to users who do not end up using them. This can mean that innovative businesses end up being less able to control and improve their products. Thus data portability mandates may often end up being either too vague to be useful, or too costly relative to the marginal benefits they deliver.

Read the full explainer here.


Data Portability and Interoperability

ICLE Issue Brief

While data portability may seem like an attractive option in certain markets, experience suggests it is not simple to impose even in cases where the trade-offs seem small.

Lawmakers and regulators are increasingly exploring the imposition of data portability requirements on technology companies, in particular large digital platforms. These would require them to allow users to download their data from those services and/or have it sent to another service on their behalf, either on a one-off or ongoing basis, depending on the proposal.

In this comment, we explore the calls for data portability that arise from distinct and often opposing parts of antitrust law and competition policy, privacy law, and data security. Specifically, we focus on claims that data portability mandates can be used to increase market competition, considering the potential costs and benefits of such requirements, and the relationship between data portability as a pro-competition tool and other moves towards stronger laws governing user privacy.

We begin by discussing the concepts involved in mainstream proposals for data portability. We then examine the various competition issues involved in calls for data portability and discuss the case for and against data portability in these cases. Finally, we discuss in detail the UK’s experience with its Open Banking mandate—the most comprehensive data sharing scheme imposed to effect a competition objective—and assess its effects, both intended and unintended.

Read the full brief here.
