Blog post

A Transatlantic Data Privacy Framework is Essential

Close collaboration with allies is vital if America is to succeed in today’s strategic competition with authoritarian rivals. We offer some examples in this three-part blog series relating to the December 5, 2022 United States – European Union Trade and Technology Council meeting. 

It is important that America and its partners define the terms of digital commerce in a manner that embraces openness and respect for individuals, instead of control and coercion. Toward that end, it is essential that the United States and Europe bring into force an agreement on data privacy.

Disagreement between Brussels and Washington over the protection of data is not new; it very much reflects differing legal systems and cultures on either side of the Atlantic. The European assessment of acceptable risk levels is very different from that held in the United States. In the European mind, stricter regulation upfront reduces the possibility of adversarial action down the road should the regulations not be followed. There is also a very different philosophical perspective in Europe.

Beyond differing legal perspectives, the issue of trust is essential in any common understanding of what represents data security. Trust between the United States and the European Union was severely strained when WikiLeaks revealed in 2015 that the United States National Security Agency had tapped the phones of then Chancellor Angela Merkel and other top German officials.

Many in the EU were already uncomfortable about the vast amount of personal data held by United States tech companies, and for them this was the last straw. So, in 2018, the EU implemented the General Data Protection Regulation (GDPR), the toughest data privacy and security law in the world. Any company holding data on EU citizens must protect that data, obtain the consent of those whose data is held, ensure that whatever data is processed is accurate, store only the minimum amount of data required, and store it for a limited amount of time.

Failure to adhere to GDPR requirements brings big penalties: 20 million euros or four percent of global revenue, whichever is higher. Data processing companies can also be sued by those whose data they hold. For example, under GDPR, the Irish Data Protection Commission recently fined Meta 265 million euros for failing to protect the personal data of some 533 million people in 106 countries for importing contact information from their phones to the apps of Facebook and Instagram, two of Meta’s subsidiaries.

The United States and EU tried to negotiate a framework for addressing data transfer across the Atlantic, and thought they had found the solution in July 2016 when the European Union Commission accepted the Privacy Shield Framework as a means of ensuring adequate data privacy and protection. But four years later, the European Court of Justice struck down the agreement arguing that the privacy requirements had not been met.

The failure to agree on data privacy and protection standards leaves business in an uncomfortable legal limbo. It is also a major obstacle to a global agreement on the flow of data across borders, and requirements on how and where data can be stored.

In March, the Biden administration and the EU Commission reached an agreement on a second transatlantic data privacy framework, which the two sides believed would address the court’s concerns. On October 7, President Biden signed an executive order to facilitate this agreement that essentially checks United States Intelligence Agencies, limiting their access only to what is “necessary and proportionate” for the protection of national security. Additionally, EU citizens who believe that their data has been unfairly accessed can bring a complaint to the United States Data Protection Review Court. This framework has received broad support among the American business community who want to see a mutually agreed set of rules in both markets.

The EU Commission will now go through the procedural steps required to render its “draft adequacy decision” final. Commission officials and most European business leaders are largely supportive of the new measures, though some business leaders complain that an executive order is no guarantee that future presidents won’t backtrack on the deal.

It is important that this framework be put into force. It is an important step forward, but needs to be followed with broader agreement on digital trade matters. While taken off the agenda of the December 5, 2022 United States–European Union Trade and Technology Council meeting, a common approach between the United States and Europe is essential to reaching broader global agreement on defining the terms of digital commerce.

Wahba Institute for Strategic Competition

The Wahba Institute for Strategic Competition works to shape conversations and inspire meaningful action to strengthen technology, trade, infrastructure, and energy as part of American economic and global leadership that benefits the nation and the world.