Digital World

Transatlantic Digital Trade

Is the Data Flows Conundrum Fixable?

The cross-border flow of data is the modern engine of global economic growth. By one estimate, it increased global GDP by $2.8 trillion in 2014 alone. Just between the European Union and the United States, about $1.3 trillion worth of data and communications travel each year, making it the single-largest data highway in the world. The COVID-19 pandemic has led to an exponential rise in transatlantic cross-border data flows, as people, businesses, organizations and governments moved to remote working.

Yet in July 2020, the key legal edifice protecting the confidentiality of all that data and information collapsed, sending tremors throughout the EU-U.S. trade community, since nearly every cross-border transaction of any kind has a digital component. With the European Court of Justice’s ruling striking down the transatlantic Privacy Shield program, U.S. and EU companies, government agencies and people who need to do business with virtually anyone across the Atlantic were sent into legal limbo.

In the meantime, possible replacements for Privacy Shield, such as standard contractual clauses, are to be interpreted by each EU country’s own data protection authorities, while the European Commission and the union’s central data protection agency cannot agree on a way forward.

The European Commission and the U.S. Commerce Department have embarked on yet another attempt to create a stable legal framework for transatlantic data flows. Other countries are waiting for the EU to accept their approaches to data protection, most notably the United Kingdom, which also needs to reach a comprehensive trade deal with the bloc. Is there a legal fix, or will we end up with costly and impractical data localization measures in Europe, a de facto consequence of the ECJ ruling?

What is the Privacy Shield and why does it matter?

The movement of data and information across the Atlantic is crucial for both Europe and the United States, accounting for more than one-half of Europe’s data flows. That ceaseless exchange of information and data, almost 40 percent of which is through business and research networks, is the fastest and largest in the world. The total value of this data relationship between the EU and United States is estimated to be $7.1 trillion.

Companies of all sizes and industries transfer data across the Atlantic for all kinds of reasons, such as reaching new customers, managing supply chains, building research partnerships or simply improving their services. Business customers on both sides of the Atlantic are also increasingly aware of potential risks and demand reassurances that their data is kept private and secure.

For this reason, EU and U.S. regulators have sought to create a legal framework that sufficiently protects the personal data that gets sent back and forth across the ocean. The primary hurdle has essentially been to ensure that U.S. entities meet the higher EU standards for privacy when handling the personal data and information of EU citizens. A first attempt, Safe Harbor, was struck down by the European Court of Justice in 2015, after Edward Snowden revealed the extent to which U.S. intelligence agencies had access to personal data.

EU and U.S. regulators went back to the negotiating table and created a new framework, addressing some of the concerns raised by the ECJ ruling. Their second attempt, Privacy Shield, took effect in August 2016. It is essentially a list of principles issued by the U.S. Commerce Department for handling EU citizens’ personal data. Companies self-certify their compliance.

Through this agreement, the United States committed to extra privacy protections for EU citizens, granting them the rights to control the use of their personal information and to go to court in the United States over data misuse. Privacy Shield also barred the U.S. government from collecting personal data without reasonable cause and required an ombudsman to handle queries from EU citizens about intelligence agencies’ access to their data. The agreement has since been reviewed annually. In its 2019 review, the European Commission made several recommendations for improvement, including that U.S. companies have less time to recertify their compliance and that officials exercise more oversight to ensure that companies are following the rules for transferring data on to third parties.

Since 2016, Privacy Shield has been the most flexible, easiest and most trusted compliance mechanism for more than 5,300 companies transferring personal data across the Atlantic. It is widely used by small- and medium-sized enterprises for transatlantic business and provides legal certainty in a space that is often legally complex and difficult to understand or manage for smaller companies. In its absence, companies can use standard contractual clauses (SCCs) or binding corporate rules as other legal mechanisms to transfer data under the GDPR, but these are costly and bureaucratic, and are not legally ironclad.

European privacy activists have long challenged these transfer mechanisms. Max Schrems, the Austrian activist who brought the case that took down Safe Harbor in 2015, also took aim at the standard contractual clauses mechanism. This case, known as Schrems II, was tied together with the Privacy Shield, and it eventually reached the ECJ, which issued its decision on July 16, 2020. In ruling Privacy Shield invalid, the court left the legality of SCCs up to the interpretation of European data protection authorities.

What does the ECJ ruling mean for transatlantic data flows?

The ECJ gutted Privacy Shield primarily because U.S. law enforcement and national security powers conflicted with EU data protection requirements. It also ruled that the ombudsman was an ineffective remedy for government violations of the Privacy Shield in the United States. In general, to meet EU privacy requirements, other countries’ laws must permit intelligence and law enforcement agencies only “necessary and proportionate” access to people’s private information for national security purposes. The ECJ determined that domestic surveillance laws in the United States do not satisfy this principle.

Standard contractual clauses remain valid under the ruling, mainly because they contain EU-style requirements. The ECJ, however, effectively left it to holders of the data to assess whether the SCCs they use provide adequate privacy protection, making data custodians more accountable for understanding whether the law in a third country meets the European Union’s required level of protection. The European Data Protection Board, made up of EU countries’ data protection authorities, has recommended that EU-based organizations analyze the surveillance laws and practices in non-EU countries where they send data and where the laws and practices have not received the stamp of approval from the EU. They should keep that information up to date and check regularly for any relevant changes in national security laws in the receiving countries.

In a long-awaited review of SCCs that came out in November, the European Commission proposed a set of clauses that appear to contradict the Data Protection Board’s recommendations. It is a technical improvement and provides guidance to companies on how to accommodate the Schrems II ruling. It allows for new types of transfer, does not require a data exporter to be established in the EU and offers a one-year grace period to implement the new clauses. The proposals just finished a public comment period, and the EDPB and the European Data Protection Supervisor will be asked for their opinions.

In Washington, there was initial disappointment at the ECJ ruling but also a commitment to find a way forward for transatlantic data flows. As early as August, the European Commission and the Commerce Department started talks on ways to shore up Privacy Shield to satisfy the court’s objections.

If these discussions fail or if any new agreement is yet again struck down by the court, companies could be forced to store and process data in the European Union, instead of sending it back and forth, which would generate new costs and frustrate global efforts against data localization. Schrems, the privacy activist, said the ruling meant the United States would need to change its surveillance laws for data to be able to flow freely across the Atlantic, but it is not clear what appetite there will be in the new U.S. administration to undertake a revision of its laws to meet EU requirements. And should the United States undertake a major revision of surveillance practices and even adopt a federal privacy law, there is no guarantee that they would survive what will be an almost certain new challenge at the ECJ. What then?

The court’s rejection of Privacy Shield highlights the fractures in the transatlantic relationship over economic, security and digital issues that have widened over the past four years. An inability to find a way forward among countries that ultimately share the values of an open internet economy, with strong protections for privacy and security, will only embolden players on the global market that have little regard for either of those.

Where does that leave the UK?

The ECJ decision will affect other countries as well. The ruling on SCCs suggests potential for worldwide enforcement with a specific impact on certain countries. For instance, countries the European Union has previously determined to have adequate privacy protection, such as Israel, also conduct surveillance for national security. Under the new Data Protection Board guidance, SCCs used to transfer EU personal data to such countries could come under new scrutiny.

The United Kingdom is a special case, with the Brexit agreement on future trade relations yet to be reached. Separate from the trade negotiations, the UK is seeking a nod from the EU that its data protection measures are adequate so that data can continue to flow freely between the EU27 and the UK come January 2021.

London is also negotiating a free trade agreement with the United States that includes provisions for the free flow of data similar to what is contained in the recent UK-Japan Comprehensive Economic Partnership Agreement.

With Privacy Shield invalid, the UK has no way to transfer data it receives from EU countries to the United States that meets EU requirements. London, too, awaits the outcome of talks between Brussels and Washington. It is worth noting that 75 percent of UK data transfers are with the European Union. Should it have to choose between EU adequacy or free flow of personal data with the United States, the UK may be compelled to choose the former. In the absence of an agreement between the EU and United States, it appears unlikely that the UK will be able to have both.

Is there a fix?

Both the EU and United States seem willing to at least try to find a solution. Recognizing the importance of data transfers for the transatlantic economy, and especially for the post-pandemic economic recovery, the commission and the Commerce Department are considering enhancing the Privacy Shield framework to address the ECJ ruling.

One relatively easy step would be to move the ombudsman to an independent agency to counter criticism over its lack of independence and oversight capacity. But the fundamental conflict between Europe’s privacy laws and U.S. national security laws threatens to scuttle these negotiations. The EU has enshrined privacy rights in the Charter of Fundamental Rights, while the United States is unlikely to change its national security and law enforcement rules in the name of EU citizens’ privacy rights.

Moreover, the European Commission is championing the concept of ‘digital sovereignty’, a search for ways to make the bloc more self-sufficient and less vulnerable to global disruptions. To that end, the EU is working on updating some of its laws, regulations and financial instruments to more actively promote European values and principles in areas such as data protection, cybersecurity and ethically designed AI.

Given such a potentially inward-looking direction of travel and the uncertainty surrounding rules on transatlantic information transfers, companies are likely to opt for data localization measures to avoid legal headaches. This will be a particularly difficult and costly exercise for smaller companies.

All of which leaves the European Commission in a peculiar spot. On the one hand, it advocates internationally for open borders and the free flow of data. On the other, the inward gaze of its quest for “strategic autonomy” looks to some a lot like protectionism. How the EU will end up matching its international interests with this part of its domestic agenda will be a key element in solving the data flows conundrum.

This dilemma is as much about the economy as it is about geopolitics. Should Europe wish to remain a relevant player in an increasingly crowded digital trade arena, it will need to expand its digital economy and reject protectionism. And the EU and the United States must work together to resolve differences and help shape rules for how the global digital economy should function.


Sabina leads techUK's work on EU and trade policy. Based in Brussels, she covers a wide range of international policy issues, ranging from the EU tech agenda to the UK’s ongoing international trade negotiations. She leads techUK’s engagement with EU institutions and member states. Outside of the EU, her work focuses on key trade partners, such as the United States and Japan, as well as key international organizations, such as the WTO and OECD. Previously, she worked as a policy adviser in the European Parliament for almost a decade, where she specialized in tech regulation, international trade and EU-U.S. relations. Sabina is the founder of the Gentlewomen’s Club, co-organizer of the Young Professionals in Digital Policy and a member of the Global Shapers Brussels Hub, where she has led several youth civic engagement and gender equality projects. She holds a master’s degree in war studies from King’s College London and a bachelor’s degree in classics from the University of Cambridge. Sabina participated in the Bertelsmann Foundation CEPI program in 2018.

Ms. Ciofu is writing in a personal capacity, and her views expressed in this paper do not express the views of her employer.

Sabina Ciofu