Showing 9 of 176 Publications in Data Security & Privacy

Will the EU Lose Access to U.S. Data Flows and Software?

Popular Media

Some EU decision-makers have adopted a radical and unreasonable interpretation of EU data protection law that lacks a limiting principle. The ultimate result may be that EU customers lose access not only to cloud services offered by U.S. providers but also to almost any software from the United States. One can only hope that the EU Court of Justice rejects this interpretation and adopts the more pragmatic view shared by the European Commission and many EU governments.

Read the full piece here.


Comments on the Advanced Notice Of Proposed Rulemaking, Re: Executive Order 13984, ‘Taking Additional Steps To Address the National Emergency With Respect to Significant Malicious Cyber-Enabled Activities’

Regulatory Comments

Intro and summary

As one of his final acts in office, former President Donald Trump signed Executive Order 13984 (the EO), “Taking Additional Steps To Address the National Emergency With Respect to Significant Malicious Cyber-Enabled Activities.” The EO directed the Secretary of Commerce to “propose for notice and comment regulations that require United States IaaS providers to verify the identity of a foreign person that obtains an Account.”

In its related advanced notice of proposed rulemaking (ANPRM), the U.S. Commerce Department notes that:

…foreign persons obtain or offer for resale IaaS accounts (Accounts) with U.S. IaaS providers, and then use these Accounts to conduct malicious cyber-enabled activities against U.S. interests. Malicious actors then destroy evidence of their prior activities and transition to other services.

This pattern makes it extremely difficult to track and obtain information on foreign malicious cyber actors and their activities in a timely manner, especially if U.S. IaaS providers do not maintain updated information and records of their customers or the lessees and sub-lessees of those customers.

The rule of law is frustrated when courts and law enforcement are unable to locate those who commit illegal acts. Other legal frictions may arise when the law fails to deter illegal behavior or to offer incentives for firms to adopt socially optimal business practices. These concerns are particularly acute online, because the Internet hosts a large volume of activity from anonymous or otherwise difficult-to-locate users.

The Internet’s ability to facilitate anonymous or pseudonymous communications, of course, also continues a long tradition of anonymous speech being protected under U.S. constitutional law. The ANPRM acknowledges this tension when it asks “[c]an the Department implement the requirement to verify a foreign person’s identity… while minimizing the impact on U.S. persons’ opening or using such Accounts, or will the application of the requirements to foreign persons in practice necessitate the application of that requirement across all customers?” But anonymity is just one value among many that must be weighed when crafting regulatory policy, particularly with respect to enforcing criminal law and upholding national security. Thus, even if the EO has some effect on U.S. business customers, that alone ought not foreclose implementation of effective identity-verification requirements.

Further, it is important to consider how the incentives service providers face align with optimal social policy. In particular, Infrastructure as a Service (IaaS) providers may not adequately internalize the social costs that stem from their making anonymous or pseudonymous accounts available to the public. Public policy may be necessary to correct such misalignment. While the EO focuses narrowly on the use of IaaS by foreign actors, there are broader problems associated with the anonymous use of Internet-connected services. As such, the Administration, the U.S. Commerce Department, and Congress should consider broader “know your business customer” (KYBC) requirements.

But while IaaS providers’ potential misalignment of incentives is a proper subject for regulatory and legislative action, policy should be carefully calibrated to encourage compliance with broader criminal and national-security goals, while still permitting the vibrant IaaS industry to continue to thrive. The law must shape incentives such that responsibility to deal with illicit activity is placed where it is appropriate. Overly broad regulatory requirements can become burdensome, accrue more costs than benefits, and ultimately chill entry of new firms.

Thus, as described in more detail below, the EO is correct to require basic identity verification by IaaS providers, subject to some caveats. The goal of these regulations should be to collect the optimal amount of information about bad actors with the least interference in the operations of firms subject to the requirements. The Department must therefore weigh how much benefit it realistically expects to obtain from any given level of compliance. Notably, the overwhelming majority of IaaS accounts will belong to law-abiding users. The process is thus largely about identifying outliers, and regulatory intervention must be tempered in recognition that IaaS firms are constrained in the degree to which they can assist in furthering legitimate law-enforcement ends.

The requirements ought to be designed to obtain the optimal level of information that law enforcement and courts would need in most, but not all, cases. A minimal set of initial verification requirements, paired with an ongoing obligation to re-verify user identities, ought to resolve most problems associated with anonymous users.

Moreover, it would be highly inadvisable to prescribe specific technological measures that providers must use. Providers should be free to implement what they consider to be appropriate identity-verification systems, so long as those systems elicit the needed information. Relatedly, IaaS providers are bound by the requirements of laws like the EU’s General Data Protection Regulation (GDPR) and therefore need the flexibility to design their systems to comply both with the Department’s final rules as well as various privacy regimes to which they are subject.

Read the full comments here.


Kristian Stout on GDPR

Presentations & Interviews

ICLE Director of Innovation Policy Kristian Stout took part in a virtual panel hosted by the Center for Data Innovation about whether the “automated decision opt-out” features of the EU’s General Data Protection Regulation (GDPR) could be improved without harming users.


Broad-Based FTC Data-Privacy and Security Rulemaking Would Flunk a Cost-Benefit Test

TOTM

A debate has broken out among the four sitting members of the Federal Trade Commission (FTC) in connection with the recently submitted FTC Report to Congress on Privacy and Security. Chair Lina Khan argues that the commission “must explore using its rulemaking tools to codify baseline protections,” while Commissioner Rebecca Kelly Slaughter has urged the FTC to initiate a broad-based rulemaking proceeding on data privacy and security. By contrast, Commissioners Noah Joshua Phillips and Christine Wilson counsel against a broad-based regulatory initiative on privacy.

Read the full piece here.


Issue Brief: The Great Transatlantic Data Disruption

ICLE Issue Brief A new issue brief published jointly by ICLE and the Progressive Policy Institute looks at looming threats to transatlantic data flows between the U.S. and EU that power an estimated $333 billion in annual trade of digitally enabled services.

(This issue brief is a joint publication of the International Center for Law & Economics and the Progressive Policy Institute)

Executive Summary

Data is, logically enough, one of the pillars supporting the modern digital economy. It is, however, not terribly useful on its own. Only once it has been collected, analyzed, combined, and deployed in novel ways does data obtain its highest utility. This is to say, a large part of the value of data is its ability to flow throughout the global connected economy in real time, permitting individuals and firms to develop novel insights that would not otherwise be possible, and to operate at a higher level of efficiency and safety.

Although the global transmission of data is critical to every industry and scientific endeavor, those data flows increasingly run into barriers of various sorts when they seek to cross national borders. Most typically, these barriers take the form of data-localization requirements.

Data localization is an umbrella term that refers to a variety of requirements that nations set to govern how data is created, stored, and transmitted within their jurisdiction. The aim of data-localization policies is to restrict the flow of data across a nation’s borders, often justified on grounds of protecting national security interests and/or sensitive information about citizens.

Data-localization requirements have in recent years been at the center of a series of legal disputes between the United States and the European Union (EU) that potentially threaten the future of transatlantic data flows. In October 2015, in a decision known as Schrems I, the Court of Justice of the European Union (CJEU) overturned the International Safe Harbor Privacy Principles, which had for the prior 15 years governed customer data transmitted between the United States and the EU. The principles were replaced in February 2016 by a new framework agreement known as the EU–US Privacy Shield, until the CJEU declared that, too, to be invalid in a July 2020 decision known as Schrems II. (Both complaints were brought by Austrian privacy advocate Max Schrems).

The current threatened disruption to transatlantic data flows highlights the size of the problem caused by data-localization policies. According to one estimate, transatlantic trade generates upward of $5.6 trillion in annual commercial sales, of which at least $333 billion is related to digitally enabled services.[3] Some estimates suggest that moderate increases in data-localization requirements would result in a €116 billion reduction in exports from the EU.

One difficulty in precisely quantifying the full impact of strict data-localization practices is that the list of industries engaged in digitally enabled trade extends well beyond those that explicitly trade in data. This is because “it is increasingly difficult to separate services and goods with the rise of the ‘Internet of Things’ and the greater bundling of goods and services. At the same time, goods are being substituted by services … further shifting the regulatory boundaries between what is treated as goods and services.” Thus, there is reason to believe that the true value of digitally enabled trade to the global economy is underestimated.

Moreover, as we discuss infra, there is reason to suspect that data flows and digitally enabled trade have contributed a good deal of unmeasured economic activity that partially offsets the lower-than-expected measured productivity growth seen in both the European Union and the United States over the last decade and a half. In particular, heavy investment in research and development by firms globally has facilitated substituting the relatively more efficient work of employees at firms for unpaid labor by individuals. And global data flows have facilitated the creation of larger, more efficient worldwide networks that optimize time use by firms and individuals, and the development of resilient networks that can withstand shocks to the system like the COVID-19 pandemic.

In the Schrems II decision, the court found that provisions of U.S. national security law and the surveillance powers it grants to intelligence agencies do not protect the data of EU citizens sufficiently to justify deeming U.S. laws as providing adequate protection (known as an “adequacy” decision). In addition to a national “adequacy” decision, the EU General Data Protection Regulation (GDPR) also permits firms that wish to transfer data to the United States to rely on “standard contractual clauses” (SCC) that guarantee protection of citizen data. However, a prominent view in European policy circles—voiced, for example, by the European Parliament—is that, after Schrems II, no SCC can provide a lawful basis for data transfers to the United States.

Shortly after the Schrems II decision, the Irish Data Protection Commission (IDPC) issued a preliminary draft decision against Facebook that proposed to invalidate the company’s SCCs, largely on the same grounds that the CJEU used when invalidating the Privacy Shield. This matter is still pending, but a decision from the IDPC is expected imminently, with the worst-case result being an order that Facebook suspend all transatlantic data transfers that depend upon SCCs. Narrowly speaking, the IDPC decision only immediately affects Facebook. However, if the draft decision is finalized, the SCCs of every other firm that transfers data across the Atlantic may be subject to invalidation under the same legal reasoning.

Although this increasingly restrictive legal environment for data flows has been building for years, the recent problems are increasingly breaking into public view, as national DPAs grapple with the language of the GDPR and the Schrems decisions. The Hamburg DPA recently issued a public warning that the use of the popular video-conference application Zoom violates GDPR. The Portuguese DPA issued a resolution forbidding its National Institute of Statistics from transferring census data to the U.S.-based Cloudflare, because the SCCs in the contract between the two entities were deemed insufficient in light of Schrems II.

The European Data Protection Supervisor has initiated a program to “monitor compliance of European institutions, bodies, offices and agencies (EUIs) with the ‘Schrems II’ Judgement.” As part of this program, it opened an investigation into Amazon and Microsoft in order to determine whether Microsoft’s Office 365 and the cloud-hosting services offered by both Amazon and Microsoft are compatible with GDPR post-Schrems II. Max Schrems, who brought the original complaint against Facebook, had through his privacy-activist group submitted at least 100 complaints as of August 2020, which will undoubtedly result in scores of cases across multiple industries.

The United States and European Union are currently negotiating a replacement for the Privacy Shield agreement that would allow data flows between the two economic regions to continue. But EU representatives have warned that, in order to comply with GDPR, there will likely be nontrivial legislative changes necessary in the United States, particularly in the sensitive area of national-security monitoring. In effect, the European Union and the United States are being forced to rethink the boundaries of national law in the context of a digital global economy.

This issue brief first reviews the relevant literature on the importance of digital trade, as well as the difficulties in adequately measuring it. One implication of these measurement difficulties is that the impact of disruptions to data flows and digital trade is likely to be far greater than even the large effects discovered through traditional measurement suggest.

We then discuss the importance of network resilience, and the productivity or quasi-productivity gains that digital networks and data flows provide. After a review of the current policy and legal challenges facing digital trade and data flows, we finally urge the U.S. and EU negotiating parties to consider longer-term trade and policy changes that take seriously the role of data flows in the world economy.

Read the full issue brief here.


Gus Hurwitz on the Colonial Pipeline hack

Presentations & Interviews

ICLE Director of Law & Economics Programs Gus Hurwitz appeared in a segment on Nebraska-TV about the recent hack of the Colonial Pipeline and the state of cyber-security more generally.


Gus Hurwitz on coordinated inauthentic behavior

Presentations & Interviews

ICLE Director of Law & Economics Programs Gus Hurwitz joined Steptoe & Johnson’s The Cyberlaw Podcast to discuss content moderation and “coordinated inauthentic behavior.”


Irish Decision Will Raise Stakes to Resolve Transatlantic Data Trade

TOTM

We can expect a decision very soon from the High Court of Ireland on last summer’s Irish Data Protection Commission (“IDPC”) decision that placed serious impediments in the way of using “standard contractual clauses” (SCC) to transfer data across the Atlantic. That decision, coupled with the July 2020 Court of Justice of the European Union (CJEU) decision to invalidate the Privacy Shield agreement between the European Union and the United States, has placed the future of transatlantic trade in jeopardy.

Read the full piece here.


The Problem of Data Property Rights

TOTM

Policy discussions about the use of personal data often have “less is more” as a background assumption; that data is overconsumed relative to some hypothetical optimal baseline. This overriding skepticism has been the backdrop for sweeping new privacy regulations, such as the California Consumer Privacy Act (CCPA) and the EU’s General Data Protection Regulation (GDPR).

Read the full piece here.