Tech’s Trilemma: Data, Sovereignty and Big Business

By Paddy Stephens

Have you ever wanted to sue the US government? Soon, should you manage to escape across the Channel from this troubled island, you might well be able to. If all goes to plan, EU users in a few months will be able to challenge US security agencies for misuse of their personal data, a right granted by an executive order signed by President Biden earlier this month allowing legal challenges to American government surveillance practices against them.

Let’s back up a bit. The EU is the world leader in privacy protection legislation, and the US is the home of countless global tech companies and national security agencies keen to collect data and surveil people. There is an obvious tension there, even between two friendly jurisdictions which agree on many shared legal and political principles. Since its first data privacy rules in the late 90s, Brussels has said that information about people in Europe could only be sent to countries where it would be properly protected. After the 2013 Snowdon allegations showed that the security agencies in the Land of the Free were actually pretty keen on surveillance, it became clear that the US did not really fit the EU’s high standards, since data hosted by US companies could be accessed by the NSA.

Enter Privacy Shield. In 2016, the EU and US signed an agreement to try to fix the issue, giving it the name of a rejected Marvel superpower. It turned out that, as shields go, it was about as bulletproof as a balloon, and the ECJ struck it down in 2020 because US agencies could still access plenty of EU users’ personal data willy-nilly. Biden’s Executive Order is an attempt to give those users a right to redress by creating a new court which can force intelligence agencies to delete data if they are caught breaking the rules in how they collect and use it. It also sets out clearly what those rules are. The administration and European Commission are both hoping that the courts will give this one a thumbs-up.

So why does this all matter? Aside from the obvious benefit of limiting unnecessary surveillance by US agencies, it will calm the tech industry somewhat. The situation has been uncertain for over two years. The underlying question, they claimed, of whether companies could store data of Europeans on US soil was existential for their business in Europe. Some tech companies claimed they would have to pull out of the continent entirely; assuming the Executive Order
satisfies the courts, that prospect now seems to have been ruled out.

I am sceptical that among some of the large players this was ever a serious possibility. Take Meta: in July, the Irish Data Protection Commission said it would block the company from sending data from the EU to the US via one of the few legal avenues for doing so since the end of Privacy Shield. The company threw a hissy-fit, and said it might need to shut down Instagram and Facebook in the EU because its business relies on cross-border data flows. But why? It would create a bit of a headache, but presumably a company with pockets as deep as Meta’s would invest in data storage in the EU over pulling out of a market of 500 million.

That is not to say that, assuming the Executive Order satisfies the courts, it’s all sunshine and rainbows for international companies reliant on data flows. Google Analytics has so far been banned in Italy, France and Austria on the grounds that cross-border data transfers via cookies are illegal (you know, the cookies you unthinkingly accept every time you go on a website that allow you to be tracked). Further afield, many countries are concerned not so much for consumers’ privacy rights, but something far more radical. For the Indian government, it is a matter of national security; data is seen as a ‘national asset’ not simply to be shipped overseas. That is particularly important in a country where access to many public services now relies on a government database of citizens’ biometric information.

A frantic hodgepodge of rules is cropping up across the world to govern data transfers. Ultimately, they boil down to an inherent tension born of IT and globalisation. On one side are states waving the flag of data sovereignty: the idea that data should be subject to the laws where they are collected. Facing them is the world’s Big Tech companies whose business models rely on intangible data crossing the world, and who are perplexed by the idea of imposing the borders of the physical world onto the virtual realm.

Image: European Parliament

2 thoughts on “Tech’s Trilemma: Data, Sovereignty and Big Business

  • Yes, of course, you have touched on a very important topic from a security point of view, but in fact, large technology companies continue to monitor the data. Now there are quite a few free cloud services thanks to which anyone can use free tools to work in PDF format, and one of these convenient services is pandadok here https://www.pdfplatform.com/ . The functionality of this platform is really very convenient, so I recommend it to everyone.

    Reply
  • Of course, we are not talking about personal data of people. But tracking the activity of employees is a really good thing. I use apps for automatic time tracking at work, and it really helps to improve the efficiency of the workflow. Btw, if you spend a lot of time compiling various payrolls, then such trackers are useful because they automatically enter data on the number of hours worked.

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

 

This site uses Akismet to reduce spam. Learn how your comment data is processed.