Regimes Governing the Re-Use of Personal Data in the US and the EU: A Primer on Mass Surveillance and Trade
Abstract: Like others before them, the negotiators of the Transatlantic Trade and Investment Partnership (TAFTA | TTIP) must observe differences in the regimes of their respective trading blocs. The international trade regime, for instance, is an EU competence, but national security is not. As for the re-use of personal data, some of that data is processed in ways relating to trade such as airline records and financial data. Other ways of re-using personal data, though, concern national security in EU member states, and hence cannot be part of TAFTA | TTIP negotiations. This paper offers a look at such distinctions as they exist in the critical time where the European public is calling on its leaders to take action to better protect the populace from surveillance after the Snowden revelations. Critics of the status quo must provide realistic alternatives on the basis of their more complete understanding of the background. Coincidentally TAFTA | TTIP negotiations were scheduled to begin at the same time, but for which of these issues would TAFTA | TTIP be an appropriate venue? Any efforts to address surveillance in the US and the EU must also reflect the different ways that data protection measures are organized in these blocs: In the US they are structured by sectors of the economy, and in Europe by “blanket” legislation; in the US there are regimes ranging from the federal to the university level, and in Europe a new EU regulation is supposed to harmonize the disparate regimes that have evolved in member states.
Governments have always wanted to know more about their enemies and their own citizens. In the late 20th century, rapid advances in information and communication technologies (ICT) expanded governments’ means of surveillance of both groups, and through the Internet these means are now used on a global scale to reach putative enemies or citizens wherever they might be.
After Bradley Manning and Wikileaks, it was Edward Snowden who in 2013 revealed the alarming extent of US surveillance activities in the PRISM and – with the British – TEMPORA programs. As a result, Viviane Reding (2013a), Vice-President of the European Commission, threatened to derail the TAFTA | TTIP because her confidence in the negotiating partner (USA) had been shaken by the Snowden revelations.
Perhaps the trade negotiators will leave data protection regulated as it is currently. Perhaps they will take the issue up – on the initiative of the Europeans – and look to outstanding problems. The Congressional Research Service, an influential US government think tank, has conjectured: “Data privacy issues also may receive greater scrutiny following the publication of classified information related to National Security Agency (NSA) surveillance activity in June 2013” (Akhtar & Jones 2013, i). That certainly appears likely, although “the topic raises a host of unbounded, complex, difficult, and contested legal and constitutional issues” (Gellman 2010, 273). The next section will look at the two foremost outstanding issue areas of this type: airline records and financial data.
The International Trade Regime as an EU Competence
International trade policy has the advantage of involving real law, not just aspirational pronouncements, backed up by legal recourse to an appeals board and a dispute settlement mechanism. For any data protection provisions in a trade agreement to be taken seriously by privacy advocates, great transparency in how they are worded would be important. Such transparency is not straightforward during negotiations with a partner for fear of being taken advantage of. Instead, metaphorically ‘one keeps one’s cards close to one’s chest’. The negotiating mandate has to be secret, and can be revealed only gradually (George 2010, 15). At the same time, the challenge is to maintain good relations with civil society.
Long-standing controversies that could be taken up and renegotiated in TAFTA | TTIP as “21st century issues” (Akhtar & Jones 2013, 9) involve the Passenger Name Records (PNR) maintained by airlines and the financial data handled by the Society for Worldwide Interbank Financial Telecommunication (SWIFT). Tyson Barker (2013, 3), an analyst writing for the Bertelsmann Foundation in Washington, however, is pessimistic about success in solving these controversies after the Snowden revelations.
Both of these controversies were addressed by the Safe Harbor Agreement in 2000, a self-regulatory commitment by US companies, which continues in a program of the same name. However, they have continued to cause debate in the European Parliament with a plenary vote coming up in autumn 2013. The European Parliament (EP) has recently acquired new powers and, henceforth, its approval would be required to ratify any TAFTA | TTIP (Archick, 2013). PNR and SWIFT (TFTP) are only two of a total of seven agreements that could be consolidated into one by TAFTA | TTIP according to Statewatch. Negotiations on such a general agreement to consolidate them have been running since 2010.
Travel Data, such as Passenger Name Records (PNR), maintained by Airlines and Biometric IDs to Facilitate Entry to the US
In April 2012, a US-EU agreement was approved and adopted by the European Parliament on the use and transfer of PNR to the US Department of Homeland Security. Even before adoption of the agreement, the lack of a recourse for passengers was criticized by Europe’s Article 29 Working Party, a body consisting of representatives of the different national supervisory Data Protection Authorities, which in most cases cooperates well with the EU Commission.
The Visa Waiver Program gives priority to those non-US-persons desiring entry to the US who come from certain partner countries and have biometric passports. Applicants are advised to go through the Electronic System for Travel Authorization (ESTA). There are privacy implications from both PNR and the Advance Passenger Information System (APIS), as pointed out by journalist Ryan Singel (2007) and German Data Protection Supervisor Peter Schaar (2005). Many European tourists use the Visa Waiver Program each year, and the biometric data in European passports is a result of the EU governments complying with US requirements.
Financial Data such as that Handled by SWIFT
Financial data may also be covered by TAFTA | TTIP, as conjectured by analysts Akhtar & Jones (2013, 7). The US government was accessing Europeans’ financial data through the Society for Worldwide Interbank Financial Telecommunication (SWIFT), and claimed successes in finding terrorists by those means. This process, however, was perceived in Europe to be a violation of EU privacy legislation. The conflict was resolved in 2010, at least temporarily, when the European Council concluded with the US an agreement on the processing and transfer of financial messaging data from the European Union to the United States for the purposes of the Terrorist Finance Tracking Program (TFTP). After the Snowden revelations it is likely that the TFTP will be up for reconsideration by the EU. Several parties in the European Parliament have called for renegotiation.
Regimes Involving Surveillance and Data Protection Complementary to the Transatlantic Trade and Investment Partnership (TAFTA | TTIP)
Attempts to reconcile data protection with security have repeatedly come up against the fact that national security is considered quintessential to sovereignty. Sovereign states reserve national security issues for themselves; this is referred to as the “national security exception”, which applies in multilateral trade law (Sofaer et al. 2010, 195). Furthermore, national security is thought to require clandestine agencies working in a sphere not subject to public scrutiny. Here one has to establish clarity on concepts like terrorism and its relation to cybercrime. Then one can see which government levels are held to be competent. Since the threat is global in nature, international cooperation is essential in addressing it. Likewise, the scope of the current section of this paper will become progressively more global, starting with regimes at the EU level (such as data protection) and advancing to regimes at plurilateral institutions (such as human rights).
In the EU, data protection is a competence shared between Brussels and the member states. On the EU level there is a directive dating back to 1995. A new regulation has been proposed to replace that directive with a new, more directly applicable regulation; however, even the new regulation leaves room for member states to manage their respective police and intelligence services guided only by an updated directive.
Unlike international trade policy, national security is not a competence of Brussels in the EU, but rather one reserved by member states for themselves. There will be a new EU grouping tasked with harmonizing any actions taken by member states: “Permanent Representatives of the EU member states at Coreper [the Committee of Permanent Representatives] have agreed on July 18 on the remit and composition of the EU side in the ad hoc working group tasked with discussing questions of data protection.” (European Council Presidency 2013; Gardner 2013). However currently, as of this writing in September 2013, the working group still carries in its name the restrictive descriptor ad hoc.
In the US, national security areas include cybercrime. The revelations by the NSA whistleblower Edward Snowden show that surveillance is being intensified ostensibly to combat terrorism, or perhaps a more mundane threat referred to as “cybercrime”. Thus, the US relates cybercrime to national security. The Obama Administration has issued an International Strategy for Cyberspace, which addresses cybercrime in the broader context of cyber security (Finklea & Theohary 2012, 23). The elements of US cybercrime policy also include the following two national strategies:
A National Strategy for Trusted Identities in Cyberspace (NSTIC) is an attempt to establish an identity ecosystem for better identity management;
A National Strategy to Secure Cyberspace was passed following the terrorist attacks of September 11, 2001 (ibid, 25).
The EU has a new cyber-security strategy pending passage by the Council. Viviane Reding (2013b) predictably praises the draft directive, while Member of European Parliament (MEP) Sophie in ’t Veld is critical calling it a mish-mash (in ’t Veld 2013; Bendiek 2012), but offering a more balanced appraisal. Differences between the EU and US approaches have been characterized by Jeremy Fleming (2013a) as light versus heavy regulation. Cybersecurity is a global issue that could hit Chinese manufacturers like Huawei with protectionist exclusion from the EU market, and is affecting trade negotiations with India (Fleming 2013b).
Before the current emphasis on cybersecurity, it was the George W. Bush Administration that set out to increase the surveillance of non-American espionage agencies. Privacy expert Caspar Bowden points out that the Foreign Intelligence Surveillance Act (FISA) Amendments Act of 2008 (FISAA 2008) was focused on neither national security nor criminality, but rather on political surveillance. He describes the FISA-related Foreign Intelligence Surveillance Court (FISC) and the higher Review court (FISCR) in detail.
Bowden also discovered that EU data on servers in the US is not protected by the major regimes (e.g., Council of Europe (CoE), human rights) in cases involving US national security or political and/or foreign policy.
Caspar Bowden and Paul De Hert are two of the authors of the collection listed under Didier Bigo et al. (2013a). They propose that the European Parliament and the US Congress should interact more in the Transatlantic Legislators Dialogue on situations like the PRISM revelations.
Other Venues for Seeking Solutions in Plurilateral Institutions
Organisation for Economic Co-operation and Development (OECD): Jennifer Stoddart, Canada’s privacy commissioner, has stated that the recent update of the voluntary OECD guidelines for multinational enterprises in 2011 was relevant in the push towards stronger global data protection (Stoddart, 2013).
Council of Europe: The signatory states to the aspirational Cybercrime Convention of the CoE have a committee (T-CY) that meets yearly. The CoE also has a Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (CoE 108).
‘Five Eyes’ Agreement: EU member state Germany found itself to be an object of surveillance through the PRISM program instead of a subject doing any such surveillance itself. Other states in the alliance of intelligence operations known as Five Eyes (FVEY) are subjects. This secret agreement was first signed in March 1946 by the United Kingdom and the United States and later extended to encompass the three Commonwealth realms of Canada, Australia and New Zealand.
Ways that Data Protection Measures are Organized in the US
The common basis of US data protection policy is the Fourth Amendment to the United States Constitution, which comprises part of the Bill of Rights. In 1967 the US Supreme Court held that its protections extend to the privacy of individuals as well as its original object – i.e., to regulate physical intrusion for unreasonable searches and seizures. Most searches require a warrant; exceptions exist for inter alia foreign intelligence surveillance, the Supreme Court decided in 1972, subject to certain requirements (EPIC 2010).
Beyond the theoretical framework of the Fourth Amendment, though, “the US privacy landscape appears wild and unruly”, even to researchers at the renowned Institute for International Economics in Washington DC (Mann & Orejas 2001, 15ff.). One reason for that is that it developed organically and differently in multiple sectors; hence it is called sectoral. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a prime example of data protection implemented in only one field (in this case, health care). At the university level, scientific research is governed by Institutional Review Boards (in Europe called ethics committees), which also impact on patient rights. The privacy policies required of companies comprise a third example. These measures are separate from each other, not like the more comprehensive “blanket” legislation in the EU described in the next section below. The US sectoral approach has its disharmonies: the privacy aspects of HIPAA are administered by the Office of Civil Rights (OCR); hospitals, though, may resent being monitored by non-medical authorities. Banks are regulated by the Consumer Finance Protection Board, and they dislike the agency as being biassed toward consumers’ interests and disrespectful of banks’ integrity (Gellman 2013).
Here are some additional features of the US data protection landscape:
FISA dating back to 1978 was the framework for several developments:
Warrantless wiretapping by the NSA was revealed publicly in late 2005 by the New York Times working with whistleblower Thomas Drake (Government Accountability Project 2010). Warrantless wiretapping was said to have been discontinued in January 2007 according to a letter from Attorney-General Alberto Gonzales to Senator Patrick Leahy (US Commission on Civil Rights 2010, v).
The Protect America Act is a controversial amendment to FISA, which expired in 2007 (James Risen & Eric Lichtblau 2009). The FISA Amendments Act of 2008, known as FISAA 2008, replaced the Protect America Act. Both gave Bush-era officials more power, a watershed development analyzed in the video (Bowden 2013a).
American data protection legislation does exist, but it is sectoral and weak (except for liability issues and the PIAs done by the Federal Trade Commission (FTC); see below). The US has had an Electronic Communications Privacy Act since 1986. In 2001 Senator Leahy began an attempt to get it updated. However, these efforts have not garnered much support. President Barack Obama set up his own Privacy and Civil Liberties Oversight Board, which has also called for updating the 30-year-old privacy legislation (Roberts 2013). There has been a consumer privacy bill of rights since February 2012, but it is based on only voluntary codes of conduct (EPIC 2013).
Privacy Impact Assessment (PIA) is a method to analyze measures often applied by companies in the light regulation atmosphere of the Anglo-Saxon world. It is described in detail by David Wright (2011, 89). Security expert Bruce Schneier summarizes a paper co-authored by a well-known US privacy legal scholar Daniel J. Solove (Solove & Hartzog forthcoming) contending that the extensive PIAs currently carried out by the FTC potentially comprise the beginnings of a regulation system (Schneier 2013). This is an explanation that complements the conventional characterization of US data protection law as “sectoral”. A form of Anglo-American common law would thus confront Continental European civil law. Privacy expert Gellman (2013) dissents from the praise for the FTC. The Americans may expect privacy to be governed by a commission on trade; in the EU, though, data protection is seldom associated with trade policy.
Given the sectoral nature of US legislation described above, and the additional conflicts between common law and civil law, it becomes clear that EU legislation takes a very different approach (i.e., a coordinated blanket approach). For TAFTA | TTIP to bridge these differences would comprise either a significant hurdle for a trade agreement or a watering-down of European standards.
Ways that Data Protection Measures are Organized in the EU
The EU data protection legislation can be described as comprehensive, centralized and “blanket”-like in contrast to the US patchwork approach. The EU’s legislation reflects the Charter of Fundamental Rights of the European Union.
There is a data protection supervisor at the European level, Peter Hustinx. In addition, there is a system of data protection supervisors in each member state. They meet in the Article 29 Working Party, named so for its inclusion at that section in the data protection directive. The latter is currently undergoing replacement by a more binding regulation, the General Data Protection Regulation (GDPR), which will replace all existing national laws on data privacy. The regulation will be complemented by a new directive addressed to police matters, which remain a member state competence.
The new EU regulation has been subjected to intense lobbying by US companies, and – at least until the Snowden revelations – was bogged down by over 3000 amendment proposals. Many amendments seek to water down the draft legislation, which contains provisions perceived as hindrances from a business standpoint (such as the right to have data about oneself deleted by third-party providers). This state of affairs can be found documented by an activist (Schrems 2013) and in detail (American Chamber of Commerce, 2013, in total 89 pages). One piquant detail is that just before the Snowden revelations, lobbyists had appeared to be successful in removing a clause that would have precluded FISA surveillance; now parliamentarians are calling for reinsertion of the “Anti-FISA” clause into the draft. Lawyers working at Sidley Austin LLP, a US corporate law firm, doubt whether FISA surveillance would even fall under the draft regulation, as it comprises a policing measure (Sidley Austin 2013). Analyst Evgeny Morozov goes a step further in his pessimism about using regulation as the solution without addressing the real problem: information consumerism. He points out that even the strict European regulation is no match for the commercialized Internet of Things that is coming about rapidly (Morozov 2013). That futuristic evolution of today’s Internet will mean everyday “things” can perform surveillance on consumers, delivering their results to private-sector market “intelligence” firms.
There is still much uncertainty about the inclusion of data protection in the TAFTA | TTIP (J. Fleming 2013c). This paper was not intended to speculate about the outcome of ongoing developments, but rather to provide background for a more accurate assessment of developments as time goes on. George W. Bush’s war on terror wreaked havoc on EU-US relations, at least as regards data protection. The subsequent Snowden revelations threatened to derail the TAFTA | TTIP negotiations before they even started. Even if the members of the ad hoc working group succeed in coordinating their states’ action without violating each other’s sovereignty, that accomplishment would remain only one measure at the nation-state level. Intelligence services work covertly, one level removed from democratic structures. It is there that the governance and monitoring of the agencies must be improved. The Electronic Frontier Foundation has described past attempts to reform the FISA Court and current proposals (Jaycox 2013).
Strategically, it will matter whether the EU or the US has the stronger interest in concluding an agreement. Business interests in America may be pushing for trade policy to trump EU data protection. Which side would be more willing to make concessions on data protection? If the Americans are not willing to compromise, the Europeans might find that a trade agreement is not the venue with the best chances of success regarding data protection.
References
Akhtar, S. I. / Jones, V. C. (2013): Proposed Transatlantic Trade and Investment Partnership: in Brief. Available online: http://www.bilaterals.org/IMG/pdf/213004.pdf
American Chamber of Commerce (2013): AmCham EU Proposed Amendments on the General Data Protection Regulation. Available online: https://github.com/lobbyplag/lobbyplag-data/raw/master/raw/lobby-documents/AmCham_EU_Proposed_Amendments_on_Data_Protection.pdf
Archick, K. (2013): CRS Report for Congress Prepared for Members and Committees of Congress, The European Parliament. Available online: http://www.fas.org/sgp/crs/row/RS21998.pdf
Atlantic Community (eds.) (2013): NSA Scandal Heightens EU Data Concerns with TAFTA | TTIP: Press Commentary. Available online: http://www.atlantic-community.org/-/nsa-scandal-heightens-eu-data-concerns-with-TAFTA | TTIP
Barker, T. (2013): Blown Cover – The NSA and the Unraveling US-EU Intelligence Relationship, Bertelsmann Foundation Brief. Available online: http://www.bfna.org/sites/default/files/BBrief%20Blown%20Cover%20-%20The%20NSA%20and%20the%20Unraveling%20US-EU%20Intelligence%20Relationship%20%283%20July%202013%29.pdf
Bendiek, A. (2012): European Cyber Security Policy. Available online: http://www.swp-berlin.org/fileadmin/contents/products/research_papers/2012_RP13_bdk.pdf
Bigo, D. et al. (2013a): Open Season for Data Fishing on the Web: The Challenges of the US PRISM Programme for the EU. CEPS Policy Brief, 293. Available online: http://www.ceps.be/book/open-season-data-fishing-web-challenges-us-prism-programme-eu
Bigo, D. et al. (2013b): National Programmes for Mass Surveillance of Personal Data in EU Member States and their Compatibility with EU Law, Study PE 493032. Available online: http://www.europarl.europa.eu/RegData/etudes/etudes/join/2013/493032/IPOL-LIBE_ET%282013%29493032_EN.pdf
Bowden C. (2013a): How to Wiretap the Cloud (without almost anybody noticing), Video of presentation at: http://www.openrightsgroup.org/blog/2013/caspar-bowden-how-to-wiretap-the-cloud-%28without-almost-anybody-noticing%29
Bowden C. (2013b): The US National Security Agency (NSA) Surveillance Programmes (PRISM) and Foreign Intelligence Surveillance Act (FISA) Activities and their Impact on EU Citizens’ Fundamental Rights. Available online: https://buff.ly/1gIAogH
Center for Digital Democracy (2013): US/EU Trade Deal Should Keep Privacy and E-Commerce Off-the-Table Until Public Learns about impact of NSA Data Gathering and Role of Online Companies. Available online: http://www.centerfordigitaldemocracy.org/useu-trade-deal-should-keep-privacy-and-e-commerce-table-until-public-learns-about-impact-nsa-data-g
EPIC (2010): Foreign Intelligence Surveillance Court (FISC). Available online: https://epic.org/privacy/terrorism/fisa/fisc.html
EPIC (2013): Electronic Privacy Information Center, White House: Consumer Privacy Bill of Rights. Available online: https://epic.org/privacy/white_house_consumer_privacy_.html
European Council Presidency (2013): Presidency Statement on Outcome of Discussions on EU-US Working Group. Available online: http://www.eu2013.lt/en/news/statements/presidency-statement-on-outcome-of-discussions-on-euus-working-group
European Parliament (2013): MEPs call for Suspension of EU-US Bank Data Deal in Response to NSA Snooping, Plenary Session Press Release – Fundamental Rights, 23-10-2013. Available online: http://www.europarl.europa.eu/news/en/news-room/content/20131021IPR22725/
Finklea, K. M. / Theohary, C. A. (2012): Cybercrime: Conceptual Issues for Congress and US Law Enforcement. Available online: http://fpc.state.gov/documents/organization/196038.pdf
Fleming, J. (2013a): EU, US Go Separate Ways on Cybersecurity. Available online: http://www.euractiv.com/specialreport-cybersecurity/eu-us-set-different-approach-cyb-news-518252
Fleming, J. (2013b): Cybersecurity Offers Commercial Opportunity, but also Stokes Trade Tensions. Available online: http://www.euractiv.com/specialreport-cybersecurity/cybersecurity-offers-commercial-news-518341
Fleming, J. (2013c): EU-US Trade Talks: Moving Forward? TTIP: Data is the Elephant in the Room. Available online: http://www.euractiv.com/specialreport-eu-us-trade-talks/ttip-data-elephant-room-news-530654
Gardner, A. (2013): [blog] Through a Prism, Darkly: Preliminary Attempt to Gain Clarification about the Ad-hoc Working Group Created to Extract Clarifications from the US. Available online: http://preview.tinyurl.com/ofwbpdg
Gellman, R. (2010): Civil Liberties and Privacy Implications of Policies to Prevent Cyberattacks, in: Proceedings of a Workshop on Deterring Cyberattacks: Informing Strategies and Developing Options for US Policy (2010), National Academies Press.
Gellman, R. (2013): Who Is The More Active Privacy Enforcer: FTC or OCR?. Available online: http://www.concurringopinions.com/archives/2013/08/who-is-the-more-active-privacy-enforcer-ftc-or-ocr.html
George, C. (2010): The Truth about Trade, Zed Books.
Government Accountability Project (2010): NSA Whistleblower Tom Drake. Available online: http://www.whistleblower.org/action-center/save-tom-drake
Greenwald, G. (2013): NSA Prism Program Taps in to User Data of Apple, Google and Others, The Guardian, 7th June 2013. Available online: http://www.theguardian.com/world/2013/jun/06/us-tech-giants-nsa-data
in ’t Veld, S. (2013): EU Cyber Security: MEP in ’t Veld Laments the Lack of a Clear Strategy. Available online: http://www.vieuws.eu/ict/eu-cyber-security-mep-in-t-veld-laments-lack-clear-strategy/
Jaycox, M. M. (2013): How to Reform the Secretive FISA Court: Make It Less Secret. Available online: https://www.eff.org/deeplinks/2013/08/how-reform-secretive-fisa-court-make-it-less-secret
MacAskill, Ewen et al. (2013): Mastering the Internet: How GCHQ Set Out to Spy on the World Wide Web, The Guardian, 21 June 2013. Available online: http://www.theguardian.com/uk/2013/jun/21/gchq-mastering-the-internet
Mann, C. L. / Orejas, D. (2001): Can NAFTA Forge A Global Approach to Internet Governance?. Available online: http://www.iie.com/publications/papers/mann1101.pdf
Morozov, E. (2013): Information Consumerism and the Price of Hypocrisy. Available online: http://www.faz.net/aktuell/feuilleton/debatten/ueberwachung/information-consumerism-the-price-of-hypocrisy-12292374.html
Poullet Y. / Gutwirth S. (2008), in: Asinari, Palazzi (eds.): Défis du droit à la protection de la vie privée. Challenges of Privacy and Data Protection Law. Available online: http://works.bepress.com/serge_gutwirth/63
Public Voice (2013): Our Data, Our Lives: The 2013 Public Voice Conference in Warsaw, 25 September 2013. Available online: http://thepublicvoice.org/events/warsaw13/
Reding V. (2013a): Letter to Eric Holder. Available online: http://www.asktheeu.org/en/request/expert_group_to_assess_prism/
Reding V. (2013b): Speech: The EU’s Data Protection Rules and Cyber Security Strategy: Two Sides of the Same Coin, Speech/13/436 19/05/2013, NATO Parliamentary Assembly/Luxembourg. Available online: http://europa.eu/rapid/press-release_SPEECH-13-436_en.htm
Reilly Gavin (2013): Civil Liberties Groups Claim PRISM Breaches International Human Rights. Available online: http://www.thejournal.ie/civil-liberties-prism-human-rights-950656-Jun2013/
Risen, James / Lichtblau, Eric (2009): Court Affirms Wiretapping Without Warrants, January 15. Available online: http://www.nytimes.com/2009/01/16/washington/16fisa.html?_r=2&hp&
Roberts, D. (2013): US Surveillance Guidelines not Updated for 30 Years, Privacy Board Finds, The Guardian, 23 August 2013. Available online: http://www.theguardian.com/world/2013/aug/23/us-surveillance-rules-30-years
Ruddy T. F. / L. M. Hilty (2007): Impact Assessment and Policy Learning in the European Commission, Environmental Impact Assessment Review, vol. 28(2-3), pp. 90-105.
Schrems, M. (2013): LobbyPlag brings Light to the EU Data Protection Jungle: Online Project Evaluates more than 3,100 Amendments. Available online: http://www.europe-v-facebook.org/LP_en.pdf.
Sidley Austin LLP (ed.) (2013): European Parliamentarians Seek Reinsertion of Onerous ‘Anti-FISA’ Article 42 into Proposed EU Data Protection Legislation. Available online: http://www.sidley.com/European-Parliamentarians-Seek-Reinsertion-of-Onerous-Anti-FISA-Article-42-into-Proposed-EU-Data-Protection-Legislation-07-02-2013/
Singel, R. (2007): Government Auditors Find Traveler Threat Rating Program Fails to Comply With Privacy Rules, Wired, 18 May 2007. Available online: http://www.wired.com/threatlevel/2007/05/government_audi/
Schaar, P. (2005): Transfer of Passenger Name Records: The Transparent Passenger. Available online: http://www.bfdi.bund.de/EN/EuropeanInternationalAffaires/Artikel/TransferOfPasengersNameRecords.html?nn=408878
Schneier, B. (2013): The Federal Trade Commission and Privacy. Available online: http://www.schneier.com/blog/archives/2013/08/the_federal_tra.html
Sofaer, A. D. et al. (2010): Cyber Security and International Agreements, in: Proceedings of a Workshop on Deterring Cyberattacks: Informing Strategies and Developing Options for US Policy, National Academies Press.
Solove, D. J. & Hartzog, W. (forthcoming, 2014): The FTC and the New Common Law of Privacy. Columbia Law Review, vol. 114.
Statewatch (2012): EU-USA General Agreement on Data Protection and the Exchange of Personal Data. Available online: http://www.statewatch.org/Targeted-issues/EU-USA-dp-agreement/eu-usa-dp-info-exchange-agreement.htm
Stoddart, J. (2013): Will the United States be Given a Free Pass on Privacy Again?, in: Public Voice (ed.): Our Data, Our Lives: The 2013 Public Voice Conference in Warsaw, 25 September, 2013, EDRI no. 11.18. Available online: http://www.edri.org/edrigram/number11.18/public-voice-conference-2013
US Commission on Civil Rights (2010): Domestic Wiretapping in the War on Terror: A Briefing Before The United States Commission on Civil Rights Held in Washington, DC, page v. Available online: https://www.law.umaryland.edu/marshall/usccr/documents/cr12d2010.pdf
US Foreign Intelligence Court ‘FISC’ (2009): Order from the Foreign Intelligence Court. Available online: http://www.eff.org/sites/default/files/filenode/br_08-13_order_3-2-09_final_redacted.ex_-_ocr_1.pdf
Wright, D. et al. (2011): Precaution and Privacy Impact Assessments as Modes towards Risk Management, European Commission.
Zorz, Zeljka (2013): EU Politicians want to Suspend Banking Data-sharing Program, 10 September 2013. Available online: http://www.net-security.org/secworld.php?id=15546