Former Director, Center for Global Regulatory Cooperation
Published
June 01, 2021
[This is the third article in a series on policy priorities for transatlantic relations. Read articles one, two, four, and five.]
In a few weeks, President Biden will meet with European Union leaders in Brussels. With global economic recovery a priority, and bilateral trade and digital cooperation on the agenda, one test of whether the renewed U.S.-EU partnership can deliver results is the conclusion of a new Privacy Shield. A new pact will inject much needed certainty into the transatlantic economy, which relies on the ability of all firms to transfer personal information from Europe to the United States. Without a new Privacy Shield, U.S. exports and American affiliates in the EU will continue to be targeted by privacy regulators and other proponents of forced data localization. U.S. businesses will consequently face diminished access to a market of 450 million consumers, threatening American competitiveness and millions of American jobs.
Transatlantic Data Flows in Disarray
Transatlantic data flows have been in disarray since the European Court of Justice’s decision last July to invalidate the Privacy Shield. The Court’s ruling in the “Schrems II” case centered on European concerns about U.S. government access to personal information, not on U.S. consumer privacy protections. U.S. businesses have nonetheless found themselves in the middle of a dispute between the U.S. Government, whose lawful surveillance practices keep Americans and Europeans safe from shared threats to our security, and European privacy regulators insistent on a fundamentalist reading of the Court’s ruling. The Biden Administration’s decision to appoint a seasoned privacy leader as its chief negotiator, together with a joint U.S.-EU statement in March that talks were “intensifying,” offered hope that a successor agreement was in sight.
Europe’s Privacy Regulators are Changing Facts on the Ground
As negotiations drag on, however, U.S. businesses are facing the very real specter of forced data localization in Europe. A ruling on May 14 by the Irish High Court against Facebook means that the Irish Data Protection Commissioner may be one step closer to invalidating the use of standard contractual clauses, a legal tool used by 90 percent of companies to transfer data out of Europe. Meanwhile, smaller companies are already seeing their access to the market disrupted. In April, Bavaria’s data protection authority ordered a German fashion magazine to discontinue using Mailchimp, because the Atlanta-based newsletter service transferred European email addresses to the United States. Weeks later, Portugal’s national statistics authority was ordered to immediately stop using Cloudflare, because the San Francisco company’s terms of service did not guarantee that it stored and processed European personal information exclusively in Europe.
With vocal support of the European Parliament, the EU’s privacy regulators are embracing forced data localization. Last year, the EU’s caucus of privacy enforcers, the European Data Protection Board, issued draft guidelines to implement the Schrems II decision. The Board went well beyond the Court’s ruling, proposing to ban companies in the EU from using U.S.-based cloud or software services and entirely cutting off U.S. services exporters’ access to commercially meaningful data. While the Board is currently finalizing its guidelines, privacy regulators are already citing them in enforcement actions against U.S. companies. Importantly, neither Chinese nor Russian companies, nor EU data transfers to these jurisdictions, face this kind of scrutiny. No doubt China’s state-backed and heavily protected tech giants see a business opportunity. For American businesses and the U.S. government, there are now legitimate and intensifying questions as to why European regulators seem more inclined to grant better treatment to Chinese and Russian tech companies than their U.S. counterparts.
Protecting American Commercial Interests in Europe
A new Privacy Shield will ward off the worst threats of data localization. Absent a deal, however, European regulators are changing facts on the ground, threatening to undermine U.S. economic interests—and transform Europe into a digital island. In 2019, the U.S. exported more than $245 billion in digitally enabled services to Europe, double what it exported to the entire Asia-Pacific region. This trade supports millions of good paying U.S. jobs and is key to U.S. competitiveness in the data-intensive industries of the future. Transatlantic data transfers enable an array of essential activities, including multi-country clinical trials for innovative medicines such as COVID-19 vaccines, cybersecurity threat information sharing, and anti-fraud and anti-money laundering efforts.
Supporting U.S. digital trade exports has long been a priority of U.S. policymakers on both sides of the aisle. Leaders in Congress and across U.S. administrations have pushed back against discriminatory digital services taxes levied against U.S. companies in Europe and beyond. The U.S. business community is eager to see a revitalized transatlantic partnership. However, advancing a shared digital economy and trade agenda will prove exceedingly difficult if the U.S. is considered a singularly untrustworthy destination for EU personal information. In lieu of a swift conclusion to the Privacy Shield negotiations, U.S. policymakers may need to act to protect American commercial interests in Europe.
About the authors
Evangelos Razis
Evangelos Razis is former Director at the U.S. Chamber of Commerce’s Center for Global Regulatory Cooperation.