91ɫƬ

EU plan to erase digital borders will further isolate Brexit UK

Estonia wants the European Union to adopt free movement of data as a fundamental principle, letting half a billion people's personal info cross borders freely
digital users
Exploring the digital future
Annika Haas (EU2017EE)

BREXIT is having many unexpected consequences. One of them could be the start of a digital super-state. With the UK no longer in a position to take on its scheduled presidency of the European Union this year, Estonia, one of the most digitally advanced countries in the world, has stepped up for the first time, and plans to remake the EU in its own image.

Estonia’s government bureaucracy is paperless, its public services are online, and data is , making life easier for citizens and businesses. This week, the nation will host a meeting of EU heads of state to discuss the technological future of the union.

The key to it all is data. Estonia wants the EU to adopt data as a “fifth freedom” – alongside goods, services, capital and people – promoting its free movement across EU borders. But is pooling half a billion people into a single digital nation a good idea? Can you apply a system that works for a small country of 1.3 million across the 27 member states remaining once the UK has left, each with different infrastructure, security policies and public attitudes to data?

This digital version of the “ever closer union” is the kind of EU initiative that Leave voters want to get away from, but what Estonia’s plans mean for a post-Brexit UK is not yet clear. They are unlikely to take effect before the UK leaves the EU. But what role the UK will play once outside the club remains to be seen (see “Data haven“).

For the remaining EU members, there are clear benefits to sharing data. At the moment, a lot of data lives in silos. Most nations require that servers holding certain information must be physically located within their borders. This makes sense for data pertaining to national security, for example. But in many cases, such restrictions are out of date.

Take laws that require a company to keep its financial records in the country in which it is based. This made sense in an age of paper records, when a company could file records overseas to dodge tax audits. But with digital records, it doesn’t matter where they are stored, as long as they are accessible.

“Estonia, one of the most digital countries in the world, plans to remake the EU in its own image”

When Estonia published a paper explaining its digital vision in July, it gave the example of an Estonian start-up selling software to universities. The system is used by 150 institutions across Europe, but the company is struggling, as many states require student data to be kept in the same country as their university, forcing the company to navigate local laws.

This regulatory overhead is bad for business. If the existing four freedoms that underpin the EU’s single market are to continue, the data attached to them will need to flow as freely, argues Estonia.

“Free movement of data is the digital equivalent of the highways and roads that make the freedom of goods work,” says Luukas Ilves, part of Estonia’s diplomatic mission to the EU.

Reduced bureaucracy

According to consulting firm McKinsey, global cross-border data flow, mostly from the likes of internet giants such as Amazon or Ebay, generated $2.8 trillion in GDP in 2014 – more than the value of global trade in goods. Estonia wants the EU to grab a larger share of that pie.

Sharing data between countries is good for citizens too, says at Cardiff University, UK. As an EU citizen who has worked overseas, he has experienced the downsides of data duplication. “I’ve had to go to government agencies in different countries giving them the same information over and over again,” he says. It would be much easier to submit that information once and simply authorise each agency to access it when they need to, he says.

He’s not the only one experiencing this hassle. There are 8 million journeys between Estonia and Finland every year, says Ilves. To get health insurance, some people end up printing out a form, carrying it across on the ferry and handing it over on the other side – where it gets digitised again. “It’s a waste of people’s time,” says Ilves, which is why the two countries are planning a pilot to share medical information across borders.

Other countries could set up similar agreements, but, with hundreds of thousands of people moving around the EU each year, it would be better to set up common standards, says Ilves. The digital infrastructure needed to implement this EU-wide “once only” principle is being explored in a involving joining up government IT systems across 21 countries. The know-how is nearly there, says Ilves.

But there are major hurdles. For a start, sharing data between 27 countries is a security nightmare. It’s easy to legislate that every member state should have adequate security for data stored within its borders, but achieving that will be hard.

The Estonians talk up their secure domestic networks, pointing out that they have never been hacked. But this digitally advanced country was still heavily hit in a large-scale cyberattack that took out its internet in 2007, known as Web War 1. And data breaches, such as the recent theft of 143 million customer records from US firm Equifax, are a regular occurrence around the world. “It’s a fundamental truth of computer security that nothing is completely secure,” says Theodorakopoulos.

The problems with Estonia’s vision are similar to those with care.data, the UK government’s now defunct proposal for digitising NHS England patient data, he says. “Making personal data easily accessible, transferable and shareable is a disaster waiting to happen.”

There are ways to reduce the risk. Kaspar Kala, one of the authors of Estonia’s vision paper, admits that storing data in multiple places increases the risk of attack. That’s why Estonia doesn’t duplicate data across different computers. Instead, each government department holds only part of the data and requests the rest from other agencies.

“If one registry gets attacked, the amount of data you can get from that registry is limited,” says Kala. “There isn’t a single database that is a single point of failure.”

Still, hackers are just one concern. Should we also worry about legitimate data-hoarders? Kala and his colleagues say that free movement of data will give machine-learning algorithms more to feed on – and more data should mean smarter artificial intelligence. But in a cross-border free-for-all, how much data should we allow governments and companies to hold on us – and for how long? And should we expect AI trained on public data to also be publicly held, rather than locked up by private firms?

“It’s a fundamental truth of computer security that nothing is completely secure”

Such questions are at the heart of the EU’s General Data Protection Regulation, which comes into force next year and offers far-reaching protections to EU citizens, like the right to ask social media companies to delete their data. It also lets people opt in to data-sharing arrangements, rather than having to navigate opaque terms to opt out.

These strict privacy policies are at odds with Estonia’s plan, says Theodorakopoulos. How do you square the right to control your own data with its free flow across borders? Asking each person to give permission every time an organisation wants to access their data is impractical, he says. Kala agrees – too much admin and legalese will mean people just click to consent without reading what they sign up to.

Ultimately, the vision of data as a “fifth freedom” stands or falls on trust. Many people don’t trust their own government with their data. Estonia is asking EU citizens to trust governments of other countries. The fact that Germany and France, for example, have a more cynical outlook on data sharing and privacy than Estonia makes this an uphill struggle.

Rather than dropping restrictions in one go, Theodorakopoulos thinks the best way to get data flowing is to open doors one by one. “Let’s start with specific scenarios where we see a clear benefit and where the risk of sharing is low,” he says.

After all, the last thing the EU needs right now is another backlash against its growing power, and the risk of more exits.

Data haven

When the UK leaves the European Union, it could find itself sandwiched between two very different data regimes. Last year, the EU adopted the General Data Protection Regulation, which restricts the sharing of data with non-EU countries. The UK is drawing up its own set of regulations, although these are expected to be less stringent than the EU counterpart.

Some speculate that this could turn the UK into a “data haven” – a halfway house between relatively lax US laws and those of the EU. Data-hungry internet companies might find this an attractive place to do business.

On the flip-side, if the EU relaxes restrictions on sharing data between member states (see main story), then UK firms could find themselves on the wrong side of a digital wall.

But that may not be bad news to everyone. Inge Graef at Tilburg University in the Netherlands points out that many organisations might not like operating in a more open culture. “Sharing data in the short term could lead to more innovations,” she says. “But in the long run we could see less innovation if companies are less willing to invest in things they will have to share.”

Companies might even set up in the UK specifically to avoid sharing data. As with nearly everything related to Brexit, the future is uncertain.

This article appeared in print under the headline “Share and share alike?”

Topics: Brexit / Europe / security