On July 23, the Center for Technology Innovation convened a panel to discuss the issues of cross-border data transfers and data localization in the context of ongoing negotiations to replace the Privacy Shield.
As Rep. Suzan DelBene (D-Wash.) underscored in her keynote address, data flows are vital to trade and competitiveness in the digital economy. All industries—from agriculture and manufacturing to e-commerce—hinge on cross-border data flows, which enable everything from online communication and cloud computing to the management of global supply chains. At the same time, cross-border data flows raise serious questions about the privacy and security of personal data and the potential for government surveillance or corporate abuse.
Prior to July 2020, the EU-U.S. Privacy Shield underpinned transatlantic data flows. Its invalidation in Schrems II one year ago sent European and American businesses scrambling to find alternatives for data transfers, with outsized consequences for small and medium-sized businesses.
The CJEU’s decision to strike down the Privacy Shield due to inadequate U.S. surveillance protections underscores the ways in which recent increases in data localization measures intersect with growing concerns over insufficient data protection standards. Strengthening American privacy and security safeguards in the public and private sectors will be critical to addressing the concerns of Europe’s highest court and protecting the $6.2 trillion EU-U.S. trade relationship in the wake of the Schrems II decision.
The Schrems II Decision
Schrems II was decided on the basis that Section 702 of the Foreign Intelligence Surveillance Act and Executive Order 12333 do not satisfy the European requirements for “necessity” and “proportionality,” which require that data be collected and processed for specific, justifiable purposes using methods that are not disproportionately invasive of fundamental human rights. The CJEU also found that the U.S. lacks an adequate redress mechanism for European citizens whose data may be implicated in U.S. surveillance. Under the principle of redress, European citizens should be able to learn whether U.S. agencies like the NSA have collected or processed their data in ways that violate the principles of necessity and proportionality and seek legal remedies before US courts. Schrems II therefore requires substantive changes to U.S. surveillance law as well as the establishment of a new mechanism for redress.
The speed with which negotiations occur over a replacement for the Privacy Shield will be largely contingent on whether the U.S. can sufficiently address the CJEU’s surveillance concerns through executive branch action. Though the legislative process is longer and often more challenging, Congress may be required to step in to establish an adequate redress mechanism. Therefore, the extent to which surveillance reforms can be achieved through executive action will likely be a primary point of contention in negotiations.
Another source of friction will likely stem from the fact that Schrems II implicates U.S. autonomy. Congress and the executive branch may be disinclined to implement surveillance reforms at the behest of a European court, particularly since the CJEU is holding the U.S. to a higher standard than European governments. Swire and Franklin emphasized that these frustrations should not prevent the U.S. from seizing the opportunity to make necessary surveillance reforms.
Implications for American and European Businesses
According to Barbara Cosgrove, who was on the panel from Workday, the invalidation of the Privacy Shield has disproportionate costs for small and medium-sized businesses that lack the resources to adapt their data transfer mechanisms in the wake of the Schrems II decision. While larger businesses like Workday have relied on standard contractual clauses and impact assessments to continue data transfers, Cosgrove shared on the panel that it is crucial for the EU and U.S. to negotiate a successor agreement to the Privacy Shield so that businesses on both sides of the Atlantic have confidence in the durability of transatlantic data transfer mechanisms.
The Path Forward
All panelists agreed that the passage of a federal consumer privacy law would aid negotiations by sending a strong signal to European negotiators that the U.S. is edging closer to global data protection standards. Furthermore, imposing restrictions on what types of data U.S. companies are allowed to collect and store can safeguard the privacy and security of personal information while minimizing opportunities for government access to consumer data. In this way, commercial privacy legislation can help facilitate cross-border data flows by building confidence that the United States will treat data in ways that align with the privacy values, laws, and standards of U.S. allies and trade partners. Progress toward a national privacy standard is therefore essential to preserving trade relationships and ensuring that American businesses remain competitive within the global digital economy.
Beyond that, reforming American surveillance laws and enacting federal privacy legislation are central to the United States’ ability to be at the forefront of global efforts in developing norms and standards around the ethical use of emerging technologies. The outcome of negotiations over a replacement for the Privacy Shield will determine the extent to which the EU and U.S. can work together to establish principles for the responsible use of AI and emerging technologies through partnerships such as the EU-U.S. Trade Council.
Ultimately, negotiations over a replacement to the EU-U.S. Privacy Shield demonstrate the urgency for the United States to implement surveillance reforms and enact commercial privacy legislation if it wants to continue to reap the economic benefits of cross-border data transfers and drive global standards. As data flows become increasingly vital to international trade, strengthening privacy and security safeguards in the public and private sectors are an economic and geopolitical imperative for the United States.