Regional Organizations

Mihoko Matsubara is a cyber security policy director at Intel K.K. In September 2015, the Japanese Cabinet approved the second Japanese Cybersecurity Strategy, which outlines the country’s approach to cybersecurity for the next three years. Unlike the previous strategy, this new one was approved by Japan’s cabinet. This additional step highlights the importance of cybersecurity to senior Japanese leaders. It also comes a year after the Japanese parliament passed a law formalizing the role of the National Center of Incident Readiness and Strategy for Cybersecurity (NISC). The Japanese Prime Minister had originally established the NISC ten years ago but the lack of legal authorization meant that it held little sway over other ministries and agencies. Thanks to the new law, NISC is responsible for developing national strategy and policy, ensuring the cybersecurity of ministries and agencies, and serving as a focal point for international cooperation. There are four important takeaways in the 2015 strategy. First, it highlights the positive and negative aspects of cyberspace—it’s both the source of innovation and threats—unlike the 2013 strategy, which only focused on risks and mitigation measures. By focusing on innovation, the 2015 strategy recognizes that the Japanese government won’t have all of the answers to cybersecurity challenges and that all stakeholders—users, civil society, critical infrastructure companies, and business—should contribute to the safety and security of cyberspace, through measures like two-way and real-time information sharing. It also makes clear that security measures shouldn’t hamper Japan’s ability to innovate given the important role that cyber-enabled technologies will play in driving economic growth. Second, the Internet of things is described as an enabler to create new business opportunities and improve existing ones. The strategy, however, doesn’t provide any insight into how the Japanese government and industry will approach the security challenges associated with the Internet of things or set milestones as it becomes integrated in business operations. We are at the beginning of the Internet of things era, and government regulation or guidance would be somewhat premature. Now is the time for industry—both in Japan and around the world—to work with the government to begin addressing the security of Internet of things devices in a scalable and globally harmonized manner. Third, the 2015 strategy reiterates the Japanese government’s concern over the recent series of massive personal information leaks, such as the Japan Pension Service (JPS) incident of May 2015. The NISC plans to revise Japan’s basic cybersecurity law, first passed in 2014, allowing it to monitor and audit special government-affiliated organizations such as the JPS, similar to its existing authorities with respect to government ministries and agencies. The change is expected to improve the cybersecurity practices of state organizations as they would have government auditors looking over their shoulders. This is particularly important as Japan rolls out My Number, a twelve-digit identification number for Japanese residents to access the country’s social security and tax systems, akin to the U.S. Social Security number. To alleviate worries over potential massive leaks of personal information tied to My Number, industry needs to engage customers and the government to explain the security mechanisms that already exist to keep My Number data safe. Japan will struggle to grow and innovate if its population doesn’t trust new technology designed to improve access to government and private sector services. Finally, the strategy provides an overview of Japan’s international cyber efforts to date, noting its capacity building contributions in the Association of Southeast Asian Nations, South America and Africa and bilateral dialogues, including with the United States and the European Union. The strategy makes clear that Japan is keen to deepen existing dialogues, expand confidence building activities, and participate in the ever-increasing number of cyber-related conferences to convey its interests and cyber security posture to international audiences. Details as to how Japan would actually achieve this, however, are sparse. Overall, the new strategy strikes the right balance in emphasizing the government’s role in Japan’s cybersecurity without limiting the growth of the technology market—especially Internet of things—that will drive innovation.

Valerie Stocker explores the overlook conflict between Libya’s Tebu and Tuareg communities. Hossam Bahgat investigates a secret military trial in Egypt of twenty-six officers accused of plotting a coup with the Muslim Brotherhood to overthrow President Abdel Fattah al-Sisi. Matt Piotrowski discusses the challenges and implications of falling oil prices on Middle Eastern governments.

The BBC reports that troops from the African Union’s (AU) African Standby Force (ASF) have started military exercises in South Africa on October 20. This exercise is meant to establish whether the ASF will be fully operational by the intended December 2015 deadline. The AU’s aspiration is that the ASF will free the continent of the need for non-African outside forces for conflict resolution. On October 12, it was announced that the ASF’s logistics base will be in Yaounde, Cameroon. Established by the AU, the ASF will be multinational, and the goal is that it will be 25,000 strong. The current plan is that the force will consist of five brigades, one from each of the major regional groupings: the Economic Community of West African States Monitoring Group, the Southern African Development Community, the Economic Community of Central African States, the East African Standby Force, and the North Africa Regional Capability. The current training exercises involve 5,000 military and police. The exercise will continue until November 5. As is so often the case with multilateral initiatives in sub-Saharan Africa, the issue is money. In May, the AU said that it will need one billion dollars to make the force operational. The AU will be approaching international donors. Africans have long seen a standby force as an essential ingredient in “African solutions to African problems.” So, too, have international friends of Africa. The training exercise now underway in South Africa is a major step forward. The estimated cost of one billion dollars is probably realistic. At first glance, the number induces sticker shock. But, an effective standby force could significantly reduce the international community’s burden of providing – and funding – various peacekeeping missions. Unlike many international organizations, the AU does not recognize the sovereignty of its member states as unlimited. It has criteria for intervention, and has been increasingly willing to do so as it has developed. Grounds for uninvited AU intervention include war crimes, crimes against humanity, and genocide.

It’s almost cliché to say that the Internet’s transformative power has created challenges for governments on a host of policy issues. Countries disagree over privacy, espionage, cybersecurity, appropriate state behavior in cyberspace, trade, and freedom of expression. Devising solutions to these challenges is complicated by the Internet’s complex and nontraditional governance structure. While this has enabled the Internet to grow with incredible speed, it is struggling to cope as the next billion people come online. A new Council on Foreign Relations interactive, part of CFR’s Global Governance Monitor series, explores these challenges. It provides: a cinematic overview of Internet-related governance challenges; an issue brief, which argues that although collaborative governance structures are emerging, they are not developing fast enough to tackle policy challenges associated with the Internet; a matrix cataloging relevant governance institutions and documents; an interactive map detailing critical countries and events; and a resource guide for further information on the topic. The guide is designed to provide a primer for policy analysts looking to wrap their heads around cyber issues and their complexity, students looking to explore the relationship between privacy, security, and freedom of expression online, and business leaders who want to understand how decisions in obscure international institutions can affect their business. Seasoned Internet policy wonks may also find a new tidbit or two. You can find the new interactive here. I want to thank everyone who made this interactive possible. I also especially want to thank Ron Deibert at the Citizen Lab, who provided invaluable comments on the project, and the Robina Foundation.

Eurasia’s Shanghai Cooperation Organization has expanded its agenda to include wide-reaching security and economic initiatives, but it remains to be seen if the bloc’s members can develop and implement unified policy.

Alan Charles Raul is a partner in the Privacy, Data Security and Information Law practice of Sidley Austin LLP.  You can follow his group at datamatters.sidley.com. In a decision Tuesday that was as shocking as it was predictable, the Court of Justice of the European Union (CJEU) invalidated the U.S.-EU Safe Harbor for westward bound international transfers of personal data. The companies whose information flows to the United States will be impeded by the EU decision need to look to the U.S. government and not just the EU for letting this mess happen. The case stems from a complaint Max Schrems filed with the Irish Data Protection Authority about the privacy risks of using Facebook. He was concerned that electronic communications transferred to the United States would end up in the hands of the NSA’s PRISM program. PRISM involves the NSA’s use of a provision in the Foreign Intelligence Surveillance Act, section 702, that allows it to target non-U.S. persons located outside the United States for foreign intelligence purposes. This section only applies to collections from electronic communication service providers located in the United States. The CJEU, followed a recommendation of its Advocate General that assumed without any facts or analysis that NSA surveillance under section 702 is massive and "indiscriminate." Without the opportunity to receive any evidence or argument from the U.S. government, any U.S. company, or any amicus filing a brief on behalf of the United States, the CJEU decided that the EU’s executive branch, the Commission, had improperly determined that the U.S. Safe Harbor assured EU citizens an "adequate" level of privacy and data protection. This finding was necessary because the EU prohibits sending personal data to a non-EU country that does not provide "adequate" protection, which the CJEU understood as requiring the third country in fact to ensure, “by reason of its domestic law or its international commitments, a level of protection of fundamental rights essentially equivalent to that guaranteed in the EU legal order.” Accordingly, a company needing to send its HR data or customer records to the United States requires an EU-approved mechanism to legitimate transfers of the personal data across the Atlantic. Until yesterday, companies could certify to comply with the fundamental privacy principles worked out in the Safe Harbor framework in 2000 between the US Department of Commerce and the EU Commission. Participating companies must also agree to submit to the enforcement jurisdiction of the Federal Trade Commission in the event of non-compliance with those principles, making their commitments legally binding. Other than Safe Harbor, U.S. companies can transfer data pursuant to certain EU-approved data transfer contracts, which can be implemented even between offices of the same multinational in different countries, or by adopting so-called Binding Corporate Rules where a company agrees to self-impose EU privacy standards for transfers of EU data throughout the company’s global operations. International data transfers are also allowed if EU citizens are informed and freely consent to the transfer of their data. The rationale for the CJEU’s invalidating the Safe Harbor is not really clear. The CJEU was apparently not required to, and did not, conduct any analysis of U.S. law, let alone review the statute authorizing NSA collection of foreign intelligence material under section 702. Accordingly, the CJEU merely assumed, and did not actually rule (or even consider) whether the PRISM program of concern to Mr. Schrems was indeed indiscriminate or unjustified. If the CJEU had examined that statute, it would have found checks and balances, including judicial oversight, more rigorous than controls on government surveillance in most if not nearly all other countries, including EU member states. Even beyond the requirement for judicial approval, the Attorney General and Director of National Intelligence must both certify that the NSA surveillance involves obtaining foreign intelligence information, is subject to rigorous minimization procedures to avoid excess collection, and is a collection that requires the assistance of an electronic communication service provider. After such detailed authorization, the Department of Justice Inspector General and the relevant intelligence community Inspector General must investigate and report on the surveillance practices, and the relevant intelligence agency must provide an annual report to the House and Senate Intelligence Committees, and also to the House and Senate Judiciary Committees. The Privacy and Civil Liberties Oversight Board (PCLOB), now a fully independent, free-standing institution of the federal government, is another oversight body authorized to investigate and assess these national security surveillance practices. In fact, the PCLOB concluded that the Prism program “consists entirely of targeting specific persons about whom an individualized determination has been made”—hardly indiscriminate surveillance. Significantly, the PCLOB has specifically asserted its role and authority to assess the impact of such surveillance on non-U.S. Persons. In its 2014 report to Congress, the PCLOB addressed the issue head on, noting that many of the “applicable protections that already exist under U.S. surveillance laws apply to U.S. and non-U.S. persons alike” and that it will contribute to President Obama’s effort to add additional privacy protections to non-U.S. persons. So how could the CJEU be unaware of the extensive certifications, checks, balances, judicial approval and independent oversight applicable to the national security surveillance in question? The answer is because the U.S. government simply does not defend or even explain how the privacy system works—neither with respect to national security privacy issues, nor with respect to commercial privacy regulation. The President has designated no one to be in overall charge of coordinating these issues government-wide and to serve as a senior public spokesperson with responsibility to communicate effectively on privacy to foreign and domestic constituencies. Accordingly, it is no wonder that the CJEU made no real effort (indeed no effort at all) to understand the significant protections built into the U.S. system, even for foreigners. Another recent example of the negative consequences of having no White House privacy coordinator is that the Department of Justice was left free to serve a search warrant in 2014 on Microsoft to compel disclosure in the US of one of its customer’s communications that were stored in Ireland. With no senior policy person to tell DOJ how much damage this would cause to the United States’ international privacy reputation, the fallout has been highly damaging to global respect for the U.S. privacy and data protection regime. The data the DOJ seeks could have been readily obtained from Ireland using the Mutual Legal Assistance Treaty process. In sum, the sky may not fall with the (perhaps temporary) collapse of the Safe Harbor.  EU officials have indicated they are determined to protect transatlantic data flows, and are likely to find away to enhance the Safe Harbor in the future and acquiesce in short-term workarounds. In the meantime, companies can also sign data transfer contracts between their subsidiaries, or look to individual consent and other mechanisms for legitimating the transfer of personal data to the US. And while the CJEU’s decision in the Schrems case was neither logical nor informed, the US government needs to do a lot better job to explain (and defend) U.S. privacy and data protection laws so this sort of mess doesn’t happen again.  

The European Court of Justice (ECJ) invalidated the Safe Harbor framework between the United States and the European Union that, for the past fifteen years, has enabled the movement of Europeans’ data across the Atlantic. As the business community seeks clarification about what rules will apply going forward, both the White House and the European Commission promised that they will continue work on a new agreement. The case began in 2013 when Austrian law student Max Schrems complained to the Irish data protection commissioner that his Facebook data was inadequately protected when it moved to U.S. servers, citing Edward Snowden’s leaks about widespread NSA surveillance. The Irish commissioner rejected Schrems’s complaint on the grounds that the European Commission had determined in 2000 that the Safe Harbor framework adequately protected EU citizens’ data. On appeal, the Irish High Court referred to the ECJ the question of whether a national data protection authority is bound by the Commission’s finding. Yesterday, the ECJ ruled the Safe Harbor agreement invalid because it places “national security, public interest or law enforcement requirements” over privacy principles. The court found that the European Commission had approved the pact without making a determination that U.S. law provides adequate privacy protection for European citizens. It also ruled that each data protection authority in the European Union may examine whether a transfer complies with EU privacy rules and, if it deems that it does not, raise the issue with its national court that can then refer it to the ECJ for a ruling. However, the ECJ made clear that only it can issue a final determination that a country does not offer “adequate” protection for personal data. What are the implications of the decision? First, U.S. and EU negotiators will attempt to put Humpty Dumpty back together again by updating the Safe Harbor framework. Both sides have been renegotiating the agreement since the Snowden revelations. Negotiators were reportedly close to an agreement when they got wind of the breadth of the upcoming ECJ decision. The Commission may now attempt to use the decision to gain more leverage in these negotiations. However, Congress is already considering bipartisan legislation that would provide U.S. Privacy Act protections to European citizens. Second, the spotlight is now on European national data protection regulators. In addition to their new ability to examine data transfers, they have a role approving other mechanisms companies may deploy to replace Safe Harbor, including binding corporate rules for intra-company transfers of personal data. In a number of EU countries, national regulators also have the power to confirm whether model clauses are being used to transfer personal data to the United States and other third countries. Today, many of these national authorities have backlogs of several months. It is unclear if they will order suspension of transfers of personal data to the United States under model clauses arrangements until they work through what would surely become a much bigger backlog. Third, this decision is a direct fallout of Edward Snowden’s revelations of NSA surveillance. Experts within and outside the U.S. government have argued that the ECJ based its ruling on erroneous factual assumptions regarding the nature and oversight of U.S. surveillance. Moreover, they note that the United States provides adequate privacy protections, especially in comparison to European countries many of which have no independent data protection oversight of law enforcement and intelligence surveillance. The ECJ also based its decision on a 2013 European Commission report on U.S. surveillance, parts of which are outdated given U.S. surveillance reforms spurred by President Obama’s 2014 executive order. Robert Litt, general counsel for the Office of the Director of National Intelligence, wrote an opinion piece for the Financial Times before the ruling to argue that the surveillance program at issue in the ECJ’s decision “does not give the U.S. ‘unrestricted access’ to data.” Meanwhile, privacy advocates are citing the decision to prod Congress to engage in much broader reform U.S. surveillance programs. Jens Henrik-Jeppesen, director of European affairs for the Center for Democracy and Technology, for example, said “There is a clear need for the U.S. and Europe to set clear, lawful and proportionate standards and safeguards for conducting surveillance for national security purposes.” In the end, the ECJ’s willingness to invalidate the Safe Harbor framework underscores the unpredictable outcomes of the proposed reforms to European data protection regulation, new intra-European tax rules on digital goods, or the competition cases involving U.S. tech giants. Europe appears willing to act to protect its interests even if it means upsetting established business conventions.

The resolution of Burkina Faso’s week-long military coup that temporarily ousted a civilian interim government is a good example of “African solutions to African problems.” The coup was rolled back by the relevant regional organization, the Economic Community of West African States (ECOWAS), under its chair, Senegalese President Mackay Sall. Directly involved in the roll back were the presidents of Ghana, Benin, Togo, Niger, and Nigeria. A lead negotiator was the former ECOWAS Director President, Mohammed Ibn Chambas, now the head of the UN office for West Africa. ECOWAS has long pursued a policy that military coups are not acceptable. The elite presidential guard led by Gilbert Diendere deposed Burkina Faso’s interim civilian government on September 16. The plot leaders are close to deposed dictator Blaise Compaore. Their motivation appears primarily to have been fear that those close to Campaore were going to be excluded from power and influence, first by the interim government and then by the administration that will result from elections initially scheduled for October. Friction between the presidential guard and regular army units also played a role. The coup was denounced by the African Union (AU), the UN Secretary General, and numerous national governments, including those of France and the United States. The AU and ECOWAS were proceeding to levy sanctions on the coup organizers. Civil war threatened when units of the army opposed the elite presidential guard. Civil war was averted by the ECOWAS heads of state meeting in marathon meetings in Abuja. The ECOWAS intermediaries apparently have secured an agreement from all parties that restores the civilian interim government, postpones elections by one month, and military units on all sides have stood down.

The civil war and associated humanitarian disasters in South Sudan is reawakening Congressional interest and concern for South Sudan. A bipartisan group of seven congressmen have introduced a bill, HR 2989, “to encourage the warring parties of South Sudan to resolve their conflicts peacefully.” The congressional sponsors are Thomas Rooney (R-FL), Michael Capuano (D-MA), Michael McCaul (R-TX), Barbara Lee (D-CA), Maxine Waters (D-CA), James McGovern (D-MA), and Jeff Fortenberry (R-NE). The bill recalls the involvement of the United States in South Sudan coming to independence. It then chronicles the dreary history of the fighting that started in late 2013 between President Salva Kiir and his former vice president Riek Machar, and the resulting humanitarian disaster. It also recalls the numerous efforts to broker a peace, especially by South Sudan’s African neighbors. The bill calls on the Department of State to develop a South Sudan strategy and would require the department to report regularly to Congress on developments in South Sudan. Salva Kiir and Riek Machar have now both signed a peace agreement that would involve power sharing between their two factions and a cease-fire. Both parties, however, are already claiming that the other has broken the cease-fire. While friends of South Sudan can only hope that this peace agreement will stick, the numerous failures in the past provide little ground for confidence that Salva Kiir and Riek Machar are committed to making it work. Hence, in part, the revival of Congressional interest that HR 2989 represents. The events leading up to the 2011 separation of South Sudan from Sudan were a focus of intense American popular interest. The “lost boys of Sudan,” orphans of the fighting between the South Sudan liberation forces and the Khartoum government of Omar al-Bashir, became a focus of humanitarian concern and congressional engagement. Since South Sudan’s independence, however, U.S. popular interest in South Sudan has waned, and the most recent congressional hearing took place in February 2014. It is too early to say what the future of HR 2989 will be. As yet, no hearings have been scheduled. However, the bill’s introduction with bipartisan sponsorship is a sign of congressional reengagement.

Jacob Zuma’s term as president of South Africa’s governing African National Congress (ANC) ends in 2017; his term as South Africa’s president ends in 2019. Zuma’s successor as ANC president will almost certainly be South Africa’s next president, unless there is an electoral upset of an enormous magnitude. Among foreign observers, the leading candidate for succession within the ANC has been Cyril Ramaphosa, an architect of the 1994 transition from apartheid to “non-racial democracy.” Ramaphosa was close to Nelson Mandela and has subsequently become a highly successful and internationally respected businessman. At present he is the deputy of both the ANC and the national government. But, there has long been speculation that Ramaphosa is falling out of favor with Zuma. The view is widespread that Zuma’s primary succession concern is to protect himself against prosecution for alleged corruption and to protect the wealth he has accumulated for the benefit of his children. According to Africa Confidential (August 28, 2015, vol. 56, no. 17), Zuma has concluded that Ramaphosa cannot or will not do this. Accordingly, Zuma is behind the recent ANC Women’s League declaration that the next president of South Africa should be a woman. Two women often seen as potential future presidents of South Africa are Baleka Mbete, the speaker in the National Assembly and current chairperson of the ANC, and Nkosazana Dlamini-Zuma, the chairwoman of the African Union Commission. Mbete briefly served as deputy president of South Africa under former President Kgalema Motlanthe. Dlamini-Zuma is the former minister of health in the Mandela government (she is a medical doctor.) She was also foreign minister in the Mbeki government. She is Jacob Zuma’s former wife and remains close to him politically. The Zuma government mounted a serious campaign to secure her election as chairwoman of the African Union Commission. As president of the party and the nation, presumably she would look out for the interests of the by-then former president and their children. Mbete and Dlamini-Zuma are both plausible candidates if the party leadership is to go to a female. Of the two, Dlamini-Zuma would appear the stronger candidate because of her ministerial and African Union background. Baleka Mbete has never held a ministerial position. However, neither would appear to be as strong as Ramaphosa. Dlamini-Zuma was minister of health during the early days of the HIV/AIDS epidemic and her chairmanship of the AU Commission thus far has not been particularly noteworthy. Mbete in her position as speaker has appeared weak in the face of the parliamentary antics of the opposition Economic Freedom Fighters. Dlamini-Zuma is a Zulu, the largest ethnic group in South Africa, and campaigned extensively for the ANC and Jacob Zuma in KwaZulu Natal during the 2014 election campaign, even though she was chairman of the African Union Commission at the time, and Jacob Zuma faced little opposition among his fellow Zulus. Her campaigning may have been an early effort to strengthen her credentials as the future president of the ANC and of South Africa.

UN Secretary General Ban Ki-moon visited Abuja August 23 to 24, his first to Nigeria since the inauguration of President Muhammadu Buhari. The secretary general commemorated the fourth anniversary of the terrorist attack on the UN building in Abuja that killed some twenty UN employees and others. He also marked the 500 day anniversary of the Boko Haram kidnapping of more than 200 Chibok schools girls. As expected, the secretary general praised Nigeria for the conduct of the 2015 elections and the democratic transfer of power. According to the media, in his conversation with President Buhari, the secretary general affirmed his support for Nigeria’s struggle against terrorism stressed the need for education, especially for women and girls, and then emphasized the humanitarian challenges in northern Nigeria. In the past, Nigeria has been reluctant to ask for outside help in responding to humanitarian challenges. That appears to be changing. Just as President Buhari has supported a multi-national approach to Boko Haram, so long as Nigeria leads the effort on Nigerian territory, the Nigerian president is indicating an openness to international humanitarian assistance for the 1.5 million internally displaced persons in Nigeria’s northeast. In his public statement following his meeting with the secretary general, Buhari said that he hoped the secretary general would report to the UN what Nigeria is doing “so that Nigeria can be helped.” Nigeria’s opening up comes not a moment too soon, as Boko Haram depredations continue. Shortly before the secretary general’s arrival in Nigeria, Boko Haram tried to kill the chief of army staff. The magnitude of the humanitarian challenges in the northeast would appear to be beyond what any developing nation can meet alone.  An international effort will be required, in which the UN is bound to play a major role.

With a rapidly growing and urbanizing population, persistent poverty, and weak governance, Sub-Saharan Africa is likely to be the source of new epidemics that potentially could spread around the world. Understanding the disastrous response of African governments, international institutions, and donor governments to the Ebola epidemic is essential if history is not to be repeated yet again. That makes Laurie Garrett’s essay, "Ebola’s Lessons," in the September/October 2015 issue of Foreign Affairs, essential reading. Laurie Garrett steps back to understand the course of the Ebola epidemic and the mistakes made in the world’s response to it. Within African countries she profiles the lack of institutional capacity to facilitate an effect response: Liberia had two medical doctors for every 100,000 people when Ebola came. Liberia, Sierra Leone, and Guinea were unable to identify Ebola quickly and bring it under control. The developed world showed little interest until their own citizens were under threat; then, they hysterically overreacted. The relevant international health institutions, especially the World Health Organization (WHO), were inadequate for a variety of reasons. Garrett is also not afraid to address cultural obstacles to overcome. With respect to burial practices, for instance, “People across the region whispered that they were more afraid of angering their ancestors than they were of the disease.” Garrett’s picture of incompetence and short-sightedness is not pretty. But, she also describes heroes, notably Medicines Sans Frontiers (MSF), as well as specific individuals. There were the local, traditional chiefs in Liberia who independently initiated the necessary steps to quarantine victims of the disease, thereby stopping its spread. She also gives full credit to the American and British governments’ efforts – once they were finally mobilized. Of particular value is Garrett’s analysis of the World Health Organization and its future necessary remodeling. Garrett quotes a senior WHO official who, in my view, hits the nail on the head: “We’re in an extremely dangerous position, being pressured to make incremental changes until member states are assuaged, but not so much change that the organization, internally revolts.” Garrett quotes the official as going on to say that the WHO “has got to evolve, to be more than a mere technical organization. It must be a health emergency manager.” Garrett’s article is a gripping read. She tells an important story that is accessible to non-specialist readers. Policy makers in Washington, New York, and Geneva should heed her specific recommendations.

Nick Ashton-Hart was the senior permanent representative of the Internet sector to the UN and its agencies and member-states in Geneva until 2015 and remains active in international Internet policy. Connect with him on LinkedIn or Twitter @nashtonhart. When most people think of the Internet they think of what they use—search engines, social media, online and streamed video and audio services, and email. This is undoubtedly a big part of the reason why policymakers think that the digital economy is dominated by these “business-to-consumer” services. Nothing could be further from the truth. In fact, business-to-business digital commerce is ten times the size of the business-to-consumer space according to the UN Commission on Trade and Development’s Information Economy Report 2015. Seventy-five percent of the economic value of the digital economy goes to traditional bricks and mortar businesses and not Internet companies. This is true worldwide, not just in developed economies. I’m a proud European so allow me to focus on the tragic discussion of the Internet economy in Europe, where policymakers obsess over the activities of a handful of U.S. multinationals instead of focusing on what really matters. According to the OECD, the information and communications technology (ICT) sector, while growing rapidly, only employs three percent of Europeans. Small to medium sized enterprises are critical to every economy and account for more than ninety-nine percent of all businesses in many developed and developing countries and are the primary source of GDP growth and employment—not multinationals. Thanks to the Internet, many services can now be exported in a way previously unthinkable. Outsourcing is a case in point: the Internet has facilitated the rise of businesses that provide payroll services, legal discovery services, and customer relationship management. These facts explain why services have become the largest segment of the world economy in GDP terms. According to the International Labour Organization’s Global Employment Trends 2014, it is also the largest employer: services are forty-five percent of employment and growing, whereas agriculture is thirty-one percent and falling, and non-services commerce twenty-three percent. The Internet has also made possible the rise of global value chains (“GVCs”), a development which has led to an astonishing reality: services account for roughly a third of the inputs in tangible goods, such as cars, televisions, or pharmaceuticals. Pfizer is a perfect example of the Internet and GVCs. The pharmaceutical giant has transitioned its entire global supply chain and logistics to a cloud service-based system. While the business-to-business portion of the digital economy is larger than its counterpart, business-to-consumer services can have a profound multiplier effects on other types of commerce. It’s worth understanding why these multiplier effects exist and how they contribute to growth in an economy—not just the ICT sector. Let us imagine a debate about the digital economy that was driven by such pragmatic concerns rather than the almost Alice-in-Wonderland-discussion we have now, and again allow me to take my fellow Europeans as an example. A healthy and balanced European discussion should focus on: Identifying how traditional services can leverage the digital environment to compete, innovate and export, and the role ICT services can play to make this happen given that the European services industry accounts for seventy-three percent of the Euro area’s economy, not the single-digits that the ICT services sector represents. Developing ways to help traditional industries leverage the digital economy to compete. For example, Volvo, the world’s largest manufacturer of commercial diesel engines, offers a 100 percent uptime guarantee thanks to sophisticated technology in their vehicles that indicates when parts need service before they fail. These service-enabled products are central to competitiveness and most European countries have national champions just like this. Analyzing what kind of data flows across the Internet and why. If e-commerce between businesses is ten times that between businesses and consumers, it is logical that a large proportion—and almost certainly a large majority—of data flowing across borders does not consist of personal information—Volvo’s engines reporting back to Volvo being a perfect example. The challenge of finding information on the proportion of data flows that is not personal tells us that we’re missing an important element of the discussion. Europe is far from alone in suffering from an unhealthy economic debate on regulating multinational foreign business and consumer tech giants. Throughout the world policies being proposed as solutions—like demanding data to be hosted locally irrespective of any practical benefit to doing so—actually create far greater burdens on domestic competitiveness than on foreign multinationals. After all, multinationals have the economies of scale to afford burdensome data localization requirements. Of course when it comes to regulation, SMEs are often the very segment of the economy that suffers most despite being the most economically important. I think that we will look back in a decade on the public debate about the networked economy we are having today and ask ourselves: “What were we thinking?” We’re making rules about the digital environment right now that will have an enormous impact on our economies and our societies for decades to come. We need to stop allowing the economic tail to wag the dog.