Europe should take aim at its true data threat: Russia

In the weeks since Russia invaded Ukraine, the European Union (EU) has been forced to confront its strategic dependencies on other countries. In the Versailles Declaration issued by the heads of government of EU nations on March 11, the bloc acknowledged that in addition to raw materials, semiconductors, and agricultural products, it depends on non-European companies in the areas of artificial intelligence, cloud services, and 5G deployment (though France is vigorously leading an effort to build what it has characterized as digital sovereignty).

How the EU translates its words into action will depend on what it identifies as its principal digital threat. Since Edward Snowden’s revelations nearly a decade ago about the scale and nature of the National Security Agency’s (NSA’s) intelligence gathering in Europe, the bloc’s data overseers have focused almost monomaniacally on the United States. Meanwhile, studies commissioned by its own agencies have suggested that Russia’s data protection law and practices do not meet the EU’s standard—yet the group of twenty-seven European nations has taken no real steps to solve this.  

Now, in the wake of the Kremlin’s brutal invasion, the EU needs to reassess who its true adversaries are.   

The Versailles document focuses on striking partnerships with leading foreign technology companies, swiftly adopting legislative measures regulating the data economy, and influencing multilateral standard-setting organizations as strategies toward digital sovereignty. The EU’s priority remains the completion of its ambitious legislative agenda, most notably the Digital Markets Act (DMA) and the Digital Services Act (DSA), which tackle issues of platform dominance and online content, respectively. EU legislators reached agreement on the DMA on March 25 and are close to sealing the deal on the DSA. 

To be sure, the bloc hasn’t ignored the threat posed by information flows between Russia and the West. Following the invasion, it banned access to Russian state-sponsored broadcasters RT and Sputnik. Meanwhile, the private sector has taken note: Major social media companies have restricted Russian state media on their platforms, while Facebook and Instagram in turn have been banned in Russia.

But while tamping down dissemination of Russian propaganda, the bloc has done little to regulate commercial data flows between Europe and Russia (though the volume has reduced as Western companies have pulled out of the country after the invasion). The EU favors the free flow of data across borders, a position reflected by its General Data Protection Regulation (GDPR) and its recent trade agreements. Companies such as cloud service providers and their customers set the terms for cross-border data transfers themselves. They must, however, ensure that jurisdictions receiving EU-origin personal data maintain privacy protections which are essentially equivalent to those prescribed by the GDPR. 

So far, the United States has been the most prominent target of the EU’s rules: The Court of Justice of the European Union (CJEU) has twice struck down European Commission findings that American privacy protections met the EU standard.  

Only recently have the EU’s data protection authorities begun to explore whether access to personal data by governments other than the United States might be problematic as well. Late last year, the European Data Protection Board (EDPB) quietly released an outside study that examined the legislation and practices of three countries with extensive foreign surveillance capabilities: Russia, China, and India. 

‘A complex matter’

Today, the findings about Russia make for interesting reading. The authors politely suggest that Russian data protection law is “a complex matter” to judge, and while it is formally a comprehensive law modeled on the GDPR, enforcement and application have “serious drawbacks.” They add that Russia has a “striking record” of violating the European Convention on Human Rights (ECHR). (In the wake of the Ukraine invasion, Russia has in any case withdrawn from the Council of Europe, the guardian of the ECHR, under threat of being expelled from the organization.) 

The study continues: The right to privacy in Russia is “limited” in relation to national-security interests, due to its government “putting protection of the State ahead of the interests and rights” of individuals. Even worse, “authorities tend to use data protection laws as a means of enforcing political aspirations, maintaining control of the internet, and protecting the interests of the government.” 

With EU-Russia economic relations progressively being scaled back, now is the moment for Europe’s data-protection authorities to act on their own findings and guide companies on how to proceed over data transfers with Russia.

There is, after all, some precedent. In November 2020, the EDPB issued elaborate guidance for companies on the additional safeguards they ought to incorporate into contractual transfers of data to third countries. Data-protection authorities across Europe are applying these recommendations strictly to commercial transfers to the United States. Several of them, including the French, have recently ruled that local websites shouldn’t use Google Analytics for market analysis, since doing so entails transferring European-origin personal data to the United States, where the NSA could—in theory—access it. Ireland’s Data Protection Commissioner will shortly conclude a proceeding that could bar Facebook data transfers across the Atlantic.

The Ukraine crisis should prompt European governments to ask themselves whether the extensive foreign surveillance apparatus of the United States is really the most potent threat to privacy on the continent. At a time when Facebook is banned in Russia, does it make sense for European authorities to be cutting off its availability within the EU as well? When it first emerged that the NSA was tapping former German Chancellor Angela Merkel’s cellphone and EU headquarters, many Europeans might have seen US surveillance as a unique danger. But today, that same intelligence apparatus might well have redeemed its reputation by generating prescient and timely warnings of Russian aggression and providing analysis informing crucial decisions on how to help Ukraine defend itself.

Indeed, the US government has pointed out to its European interlocutors the linkage between data policy and solidarity with Ukraine—and Brussels appears to have heard the message. 

On March 25, European Commission President Ursula von der Leyen and US President Joe Biden announced “agreement in principle” on a revised framework for transatlantic data flows. Negotiators who have labored painstakingly over the past eighteen months now must fill in the final details, especially on a mechanism for Europeans to obtain redress by US authorities for improper surveillance. The US-EU Trade and Technology Council meeting is scheduled for May. Concluding the agreement by then would reinforce the message that the West is united against Russia in the data economy too.

But this would be only a first step toward rectifying the imbalance in the EU’s approach to international data flows. At a time when daily headlines make the difference between democratic and authoritarian governments ever clearer, the EU should look east instead of west.

Kenneth Propp is a nonresident senior fellow at the Atlantic Council’s Europe Center.

Image: French President Emmanuel Macron sits by President of the European Council Charles Michel and High Representative of the European Union for Foreign Affairs and Security Policy Josep Borrell at an informal meeting at the Chateau de Versailles, in Versailles, France, on March 11, 2022. Photo by Ian Langsdon/Pool via REUTERS