The EU’s recent move to update and harmonize the bloc’s government information security standards is an appropriate response to protect the increasing amounts of information that the public sector obtains and shares. Though it gets most things right, the EU should drop its protectionist provisions requiring certain data to be stored locally.
The EU’s threat landscape has become vast: the Union’s institutions, bodies, agencies, and offices are spread across 27 countries, and each one is a potential vector for a security breach. Several of the aims of the proposal to set up an EU-wide information security scheme are laudable attempts to reduce exposure and mitigate risk, including inter-institution cooperation and governance, a common approach to categorization, modernized standards for remote work, and greater compatibility between systems.
Unfortunately, a key provision, Article 17(1)(c), misguidedly requires that sensitive non-classified (SNC) information, defined as data that must be protected because of legal obligations or the harm its disclosure could cause, be “stored and processed in the EU.” SNC information is shared only on a “need-to-know” basis for the functioning of the institution or body, so it excludes publicly available information and information that can be requested from an institution. It nonetheless covers a significant share of the data exchanged inside the EU, because it plausibly spans everything from hiring processes to grant allocations to project evaluations.
In effect, this provision is a move toward problematic data localization. It mirrors growing angst across the Union: authorities in Sweden announced last year that, citing the risk of U.S. espionage, they no longer want to work in Microsoft Teams; France’s data protection authority similarly announced that education and research institutions should move away from U.S. tools. This latest installment of data localization is ill-judged because it does nothing to make EU data more secure and it threatens to leave the administration with a lower-quality service.
First, the requirement to localize data assumes that the security of data depends on where it is stored. This is wrong: the controls applied to the data, such as encryption with keys the institution itself holds, access control, and monitoring, say far more about its security than the country hosting the server. A well-run server outside the EU’s borders will protect EU data against cyber threats better than a server inside the EU with weak administrative controls. Worse, some resilience best practices, such as replicating data and backups across geographically separate regions, depend on being able to spread data over multiple data centers. Shrinking the set of permitted locations narrows those options and concentrates risk. Moreover, cutting off international data flows inhibits opportunities for the EU to work with allies, including the United States, on counter-espionage against genuine adversaries.
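The point that the controls, not the geography, decide whether a storage provider can read a record is easy to show concretely. The following Go program is an added example, not code from the article or from any EU system: it applies envelope encryption to a constructed SNC record using only the Go standard library. A per-record data-encryption key (DEK) protects the record with AES-256-GCM, and a key-encryption key (KEK), assumed here to stay inside the institution’s own HSM or key-management service, wraps the DEK. The storage provider, wherever it is located, receives only the envelope; the classification label is bound as associated data so a record cannot be quietly relabelled, and any tampering is detected on decrypt. The record contents, the label name “SNC” and the in-memory KEK are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Envelope is the only thing the storage provider ever receives. Without the
// institution's key-encryption key (KEK), which never leaves the institution,
// none of these fields yields the record.
type Envelope struct {
	WrapNonce  []byte // nonce used when wrapping the DEK
	WrappedDEK []byte // per-record data-encryption key, AES-256-GCM under the KEK
	Nonce      []byte // nonce used for the record ciphertext
	Ciphertext []byte // AES-256-GCM(DEK, record) with the classification label as AAD
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts and authenticates plaintext under key, binding aad into the tag.
func seal(key, plaintext, aad []byte) (nonce, ct []byte, err error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, aead.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, aad), nil
}

// open reverses seal; any change to ct, nonce or aad makes it fail.
func open(key, nonce, ct, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ct, aad)
}

// EncryptRecord prepares one SNC record for storage anywhere. A fresh 256-bit
// DEK protects the record; the KEK protects the DEK. The label (e.g. "SNC")
// is authenticated data, so a record cannot be silently reclassified.
func EncryptRecord(kek, record, label []byte) (*Envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	nonce, ct, err := seal(dek, record, label)
	if err != nil {
		return nil, err
	}
	wrapNonce, wrapped, err := seal(kek, dek, label)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrapNonce: wrapNonce, WrappedDEK: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// DecryptRecord runs inside the institution, where the KEK lives: unwrap the
// DEK, then open the record. The storage location plays no part in either step.
func DecryptRecord(kek []byte, env *Envelope, label []byte) ([]byte, error) {
	dek, err := open(kek, env.WrapNonce, env.WrappedDEK, label)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	record, err := open(dek, env.Nonce, env.Ciphertext, label)
	if err != nil {
		return nil, fmt.Errorf("open record: %w", err)
	}
	return record, nil
}

func main() {
	// Constructed sample: in practice the KEK would sit in the institution's HSM/KMS.
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	record := []byte("grant evaluation: applicant 42 scored 87/100") // constructed sample record
	env, err := EncryptRecord(kek, record, []byte("SNC"))
	if err != nil {
		panic(err)
	}
	fmt.Println("what the storage provider sees:", hex.EncodeToString(env.Ciphertext))
	env.Ciphertext[0] ^= 0x01 // storage-side tampering, caught on decrypt
	if _, err := DecryptRecord(kek, env, []byte("SNC")); err != nil {
		fmt.Println("tamper detected:", err)
	}
}
```

The design choice worth noting is the key boundary: the KEK is the only secret that matters, and it is the one artefact whose custody a regulation can usefully constrain. Holding it in an institution-controlled KMS and rotating it there achieves the confidentiality goal that Article 17(1)(c) attributes to the storage location, without dictating where the ciphertext may sit or be replicated.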
Second, while the proposal promises to have a “limited impact to [sic] the Member States and individuals” because it addresses only EU institutions’ data (and not the rest of the digital economy), EU public cloud contracts are lucrative, and foreign companies looking to compete in the future EU data market will face high barriers: setting up data storage in the EU, paying to demonstrate compliance, and designing systems that treat government data differently from non-government data. Localization will push companies to hire EU-based cybersecurity experts and thus undermine the benefits of globalized workforces, where specialized workers can live and work anywhere. Moreover, the impact will be far from “limited” if the Regulation starts a snowball of distrust: if the EU signals that it does not trust foreign services to store its information, why should a European bank, insurance company, or health care provider? The cost to cross-border trade could be severe, and it is only a matter of time before foreign governments respond in kind.
Non-EU companies will have to accept higher costs or stop providing tools to EU institutions. How well will EU institutions and agencies function without products such as Microsoft Teams or Slack? What costs might their exclusion impose on European taxpayers, especially if a wholesale switch to alternatives causes administrative problems? Change is not easy; recall, too, the EU’s failure to build an in-house cloud infrastructure.
The EU should remove the requirement to store all SNC information locally and instead focus on mitigating risk through appropriate administrative and technical controls. This approach would let the EU follow cybersecurity best practices, benefit from a global cybersecurity workforce, and continue cooperating with allies against cyber threats. Dropping the data localization requirement would also avoid disrupting international medical research projects, which would suffer under data localization.
The EU’s proposal is an important recognition of its cybersecurity exposure and the risks that its government offices face. To protect its data, the EU should update and harmonize its rules. But it need not pursue those aims through data localization. That would be a costly mistake.
Image credit: Christian Lue