Schengen for Data: What is necessary, what is feasible?

29 August 2014

“Schengen for Data”: This phrase is a semantic borrowing from the Schengen agreement signed in the small village of the same name in Luxembourg in 1985 and 1990, with the aim of introducing free movement of travelers and abolishing border controls within the single European area.

Pros and cons of Schengen routing

We owe this beautiful wordplay to René Obermann, the former CEO at Deutsche Telekom, who resigned at the end of 2013. In plain language, his proposal is based on the idea that appropriate routing adjustments should keep data traffic within Europe from leaving European traffic paths. According to Obermann, this “is by the way a practice which will not even be debated in the US, but applied.” Obermann’s recommendations provoked a tremendous response from the media and politicians in Germany, at the level of the European Union and on the other side of the Atlantic Ocean as well.

Schengen routing would be entirely manageable given today’s technical possibilities for the interlinking of networks and with modified routing protocols.

But the question remains: How do we better secure our external frontiers with a Schengen data model in analogy to the Schengen area? We can hardly put the entire Schengen area under wraps and in doing so set aside the boundlessness of the Internet as its biggest asset. Sooner or later, data protectionism would lead to limited market competition, which European providers would have to pay for with lower levels of competitiveness and new innovation barriers.

Nothing new in the west – Big Brother in politics and industry

More than a year after the alarming disclosures made by Edward Snowden on illegal data surveillance, especially of information of non-American origin by the US security services, and despite international pressure on the US, nothing has changed with regard to the overall surveillance of Internet traffic and the overarching analysis of information.

In recent weeks, I came across some interesting blogs by the renowned US security expert Bruce Schneier, who presently works as a director of the “Electronic Frontier Foundation”. Mr. Schneier affirms the worst European fears about unlawful data theft by the US.

The NSA not only monitors and filters information in an unlimited manner using the technology available in the country. It also strategically weakens internet technologies such as products, protocols and standards by imposing pressure on the national IT industry and spending a lot of money on backdoor infiltration programs. However, the surveillance activities of the security services are also used to strengthen the IT industry. Industrial espionage causes annual damage estimated at 50 billion euros in Germany alone.

Surveillance is a business model

The NSA can hide its activities behind four different empowerment laws. IT giants can likewise assert their ignorance of secret governmental programs aimed at fishing out customer data. And finally – in their own economic interest – they have no incentive to hamstring the recording of customer communications through product design. Those data are their capital and a central reason for allowing the cooperation with security facilities to flourish.

The extent to which Americans want to enforce their legal convictions on a global scale can be seen from a recent appellate court decision in New York, whereby the restitution of data stored in Ireland was claimed from Microsoft for investigations against drug dealers. “It is about who controls the information, not about where it is,” is how the judge justified her verdict. The USA thus asserts its entitlement to global hegemony over all accessible data, including outside its sovereign territory, and does so without the need to depend on any law enforcement treaty with other countries. “All your data belong to us” could still collapse, because Microsoft will fight against the as yet not legally binding court decision – not least at the insistence of the Europeans – by all legal means at its disposal.

Europe’s answer – security is a process

IT security in a networked world cannot be implemented either by Schengen routing or by mathematical models of applied high-end encryption alone. Modern IT systems are based on so many components and complex interdependencies that no technology and no algorithm can guarantee one hundred per cent security. We have to think about security as a process. To secure our network and knowledge society effectively, we have to combine the available technologies for the detection of threats and inherent reaction mechanisms in the field of IT security with legal systems for improved data protection and for personal self-determination in the digital world. IT security is consequently a multidimensional arrangement of tasks, which we now have to face in a process-oriented manner.

At the beginning of this, I would place the political superstructure:

  • We must create a vibrant digital single market in Europe.
  • We must establish basic legal conditions that enable a balance to be found between governmental security interests and the right to privacy.
  • We must understand cross-sectional and common purpose technology as “Critical Infrastructure”.

Europe as a free virtual marketplace

Europe will be forced to bundle all efforts on the Digital Agenda if the exchange of digital content over the net is to work as unhampered as the free flow of goods and services in the real economy by 2020. Legal provisions that support the composition of modern copyright law and the Europe-wide licensing of intellectual property must therefore be put in place. At the same time, the guidelines for electronic commerce must be adapted to the digital economy of the future. The speedy mandatory transition to the common Single European Payment Area (SEPA) should also not fall short of the push effect on the digital single market. In addition, there is a need for regulations on e-identity and for the e-signature to allow flawless authorization and authentication at digital marketplaces and for the secure clearing of legal transactions on a European scale.

Data protection is at the heart of IT Security

One of the most important undertakings in this context is the legal enactment of the new general data protection regulation.

The main steps towards a contemporary form of data protection concern the implementation of the following standards:

  • The “right to be forgotten”.
  • The right to data portability.
  • Explicit agreement between data owners on data processing.
  • The notification of data protection.
  • The “marketplace principle”, whereby enterprises that are not resident in Europe, but offer IT services or monitor the online behavior of customers here, have to adhere to the standards of data protection law.
  • Establishment of a consistent and technology-neutral rule based on the protection of data across Europe.

The application of a consistent law in the form of harmonized data protection provisions everywhere in Europe could save 2.3 billion euros in administrative costs.

Alongside the rapid enactment of European data protection legislation, relations with the United States of America regarding transatlantic data exchange must be regulated on a new and fair basis. Europeans should make a strong package deal on the “data protection umbrella agreement” for intercontinental data protection and the free trade convention TTIP (Transatlantic Trade and Investment Partnership), thereby sending a clear warning to the USA in economic and legal terms.

Improved European data protection is the pivotal point for a general strengthening of the European IT industry and the restoration of customer confidence in trendsetting IT models such as cloud computing and social networks. With this heavyweight legal proposition, the European Union could lift the real potential of the Cloud and stimulate the IT security and app industry to undertake new developments. The central currency for the cloud is called trust, and trustfulness needs security on all levels of the system. We must make security a commodity in European IT.

IT is the lifeblood of our society. IT security affects all of us and knows no boundaries. IT security also has to be thought about everywhere nowadays. With new network technologies, the requirements for security are also changing. Those with a lead in net innovations are also on the leading edge of IT security. In view of this, an approach such as “Schengen for Data” is the wrong conclusion from the right considerations. Much more important are arguably open and neutral networks and IT infrastructures as well as advanced regulations for their usage. With them, our capabilities to shield our data effectively will continuously grow!