Transatlantic Policy Memo 7: Technology & Data




Data Privacy: A Transatlantic Priority


Lorane Visart de Bocarmé, Clémence Verhoest, Kate Lancaster-Ryan, Daniela Pasturczak, Bianca Melodia

Contemporary European and Transatlantic Governance

KULeuven, American University

Dr. Kolja Raube, Dr. Garret Martin

April 19, 2022




Section 1: Data Privacy in a Transatlantic Context

Author: Clémence Verhoest

With the advent of the digital age, technological innovation has become a key component in international cooperation and geopolitical rivalry (Csernatoni, 2021); it has also moved “privacy” into new realms with the issue of data governance (Celeste & Fabbrini, 2020). Data itself has taken an immense place in this process; as Jordan Fischer puts it, data is “the oil of the digital era” (Fischer, 2020). The debates on data governance are numerous and often complicated, and there is a reason for it. Data is quite difficult to govern. First of all, data is not one thing: it can be a good, a service, or both simultaneously. These different types of data call for different regulatory frameworks at different levels (Aaronson, 2021).

On the one hand, heavy restrictions on the free flow of data can reduce access to information, diminish domestic and global growth, and in turn even threaten human rights if freedom of information and freedom of speech are threatened by those restrictions (Aaronson, 2021). On the other hand, a lack of regulation represents a threat to data privacy: it is estimated that the average American’s information can be found in anywhere between twenty-five and a hundred commercial databases (Moshell, 2005).

The final difficulty with data governance is the un-territorial nature of data: data from one country can be stored in another, which raises the question of jurisdiction. This means that effective data governance regulation should be interoperable with that of other countries, or even internationally agreed upon.

The need for interoperable or common data governance regulations was highlighted by the Snowden revelations. In 2013, Edward Snowden exposed the extent of US government surveillance programmes (Murphy, 2022). The news hit particularly hard in the European Union. Although the EU and the US have very different approaches to data governance (the EU having “one of the most advanced for data privacy worldwide” (Celeste & Fabbrini, 2020) and the US following a more industry self-regulated path (Fischer, 2020)), the EU and the US had forged transatlantic data governance frameworks as early as the 2000s. The unveiling of surveillance programmes that authorized government authorities to access European data created a shock wave, as the EU had believed that it stood on the same side of intelligence gathering as the US, not that it was its victim (Rotenberg, 2020).

In response, Austrian student Max Schrems took legal action before the Irish High Court because the Irish Data Protection Authority continued to transfer data between Facebook Ireland and Facebook Inc. (US-based) notwithstanding the fact that such data could be accessed by government agencies, as revealed by Snowden. This trial led to the Schrems I decision of the CJEU and then to Schrems II, each time highlighting the need for data governance regulations that could be upheld on both sides of the Atlantic (Grey & Henderson, 2017).


Section 2: Data Privacy, the Main Stumbling Block in Transatlantic Data Governance 

Author: Lorane Visart de Bocarmé 

As highlighted above, data governance is a very broad theme which cuts across various policy areas and overlaps with other overall themes in the transatlantic relationship. Its relevance can be seen across a multitude of dimensions ranging from climate change to democracy. First, addressing data governance could help address climate change, as current data storage practices leave much to be desired on that front. Second, the security implications of data governance are obvious, ranging from disinformation to cybersecurity. Third, data governance is closely connected to good governance as a whole, as it has implications for democracy, free speech, and privacy (Aaronson, 2021). The inherently global nature of data flows makes data governance a transatlantic issue with far-reaching implications for the legal regimes, economic performance, and technological innovation of both the US and the EU (Wetzling, Sarkesian & Dietrich, 2021).

Data governance has been recognized as an important issue not only by the US and the EU separately but also by both together, as shown by the creation of the Trade and Technology Council, which has one of its ten working groups focusing on the question and others covering overlapping topics (Aktoudianakis, Van der Loo & Vandenbussche, 2021). However, there remains one particular facet of data governance which seems to crystallize transatlantic tensions and differences: data privacy. While the EU is a global leader in this area, having established an impressive legal regime and regulatory system and having led the way in terms of how the rest of the world thinks about the issue, the US has continued to look at privacy as anchored in a customer-buyer relationship, with varying legal regimes depending on the state (Voss, 2019). Further, the EU’s and the US’s legal definitions of data and of what makes it private differ greatly, highlighting the impact of values and principles on the quality of transatlantic governance (Voss, 2019).

Data privacy has strong implications for the flow of data between different countries, the regulation of which can have strong repercussions on businesses as well as on economic relations and trade between the EU and the US. As of now, the lack of shared standards and practices in the field of privacy and the lack of interoperability between the US’s and the EU’s legal regimes concerning data privacy are disproportionately harming SMEs which, unlike large US firms, do not have the capacity to handle the current regulatory complexity. In addition, several crucial industries, such as insurance, manufacturing, financial services, and even the health care system, rely upon those data flows to function (Cory, 2021). The question of data privacy has become even more pressing since the COVID-19 crisis due to the increased reliance upon technology for remote working and digital services during lockdowns (Gordon, 2021). China’s growing importance as a global actor on the question of data privacy and the growing occurrence of cyberattacks also give the EU and the US an additional external incentive to reach an agreement that would be acceptable for all parties involved (Baker, 2017).

The changing external and internal context has made finding common ground on data privacy even more important, and both the US and the EU remain committed to doing so, yet a satisfying common ground remains to be found. As highlighted above, while the Safe Harbour agreement managed the data flows between the EU and the US for years, it was found invalid by the CJEU in 2015. As a result, the EU and the US worked on another agreement, the Privacy Shield, but it was also invalidated by the CJEU in 2018 through the Schrems II ruling (Fahey, 2018). While the EU and the US have found an agreement in principle, it remains to be seen whether the CJEU will deem it acceptable. The status quo thus remains unsatisfactory, and the current legal uncertainty only benefits the actors which have the capacity to navigate the maze of EU regulations, which are mostly large US firms such as Facebook or Google (Cory, 2021). Given that those firms handle a large amount of private data from EU citizens due to the size of the EU market and their international popularity, the incentives to find a workable agreement are considerable for businesses and civil society on both sides of the Atlantic. Considering all those elements, it seems evident that finding common ground on data privacy is not only a priority for all the actors involved separately, but also has important implications for the Transatlantic Community as a whole.


Section 3: Between Divergence and Convergence 

Author: Kate Lancaster-Ryan

The EU has arguably had one of the strongest privacy regimes in the world since its enactment of the GDPR in 2018. This regulation prevents different forms of potential abuse of user data. Provisions include limiting the use of data to purposes previously outlined to the subject, limitations on length of storage, and the right to erasure (GDPR, 2016). This follows the EU Charter of Fundamental Rights, which includes both a right to privacy and a right to data protection. The US does not have an explicit right to privacy outlined in its constitution; instead, the Ninth Amendment of the US Constitution has been interpreted to contain an implicit right to privacy. The GDPR is considered to be an omnibus law that protects individuals’ data across all companies and sectors (Solove & Schwartz, 2022). US privacy law, on the other hand, is described as sectoral: there are different privacy regulations depending on the sector, and the law takes context into greater account. US privacy law is a patchwork of different federal laws regulating the privacy of certain groups (e.g. the Children’s Online Privacy Protection Act (COPPA)) or industries (e.g. the Gramm-Leach-Bliley Act, which regulates the use of personal data by financial institutions) (Solove & Schwartz, 2022).

One of the fundamental reasons outlined by the Court of Justice when invalidating the EU-US Privacy Shield was the use of surveillance by the US government (Murphy, 2022). This judgment rested on revelations brought to light by whistleblower Edward Snowden, the most controversial being the wiretapping of former German Chancellor Angela Merkel’s phone. The Patriot Act, enacted in 2001, gave the US government a greater ability to collect private information to fight terrorism. Numerous privacy violations are alleged to have been committed under this act. For example, Section 215, which allowed the FBI to request information held by businesses on an individual suspected of terrorism, was revealed by Snowden to have been used to bulk collect phone records from Verizon (Lind, 2015). However, this provision expired under a sunset clause in 2020. The stronger ability of US-based companies to sell customer data to third parties has also created legal loopholes that allow for greater surveillance of those based in the US than would be allowed in the EU under the GDPR. As law enforcement can simply purchase sets of user data from data brokers, it is not required to use warrants, which is the legally required practice for searches. Privacy advocates have argued that this violates the spirit of the Fourth Amendment of the US Constitution, which protects against unreasonable searches and seizures (Shenkman, Franklin, Nojeim, & Thakur, 2021). Though a new EU-US agreement on data sharing has been achieved, it is difficult to say whether it would hold under another legal challenge in light of current US privacy laws.

However, there have been some signs of growing convergence in data privacy in the US. Many states have enacted GDPR-like legislation, like the California Consumer Privacy Act, which contains provisions that inform customers of the purpose of data collection or whether the data is sold (Morrison, 2019). There has also been bipartisan collaboration between several state attorneys general in bringing joint suits against big technology companies. While they have focused on other issues in big tech like anti-competitive practices, the most recent suit focuses on Google disregarding the privacy preferences of consumers regarding location tracking. Attorney General Karl A. Racine, the AG for the District of Columbia, filed the first suit in January 2022, with AGs in Indiana, Texas and Washington State planning to file similar suits in collaboration (Kang, 2022). These developments show a willingness of different political actors in the US to improve privacy standards. But on the EU side, new proposals concerning privacy may push EU standards further ahead of the US. In 2017, the Commission adopted a proposal for the reform of the ePrivacy Directive, aiming to replace it with a standardised regulation that extends the scope beyond traditional telecoms to digital communication (“ePrivacy Regulation”, 2022). The rising standards in the EU may make convergence between the two more difficult: even if the US can enact legislation that would bring it in line with GDPR standards, privacy policy in the EU will still be more stringent.

Yet the EU and the US have shown a willingness to discuss and collaborate with each other in this area. The EU-US Trade and Technology Council was established in 2021 to create common standards and encourage closer cooperation on technology issues. It includes a working group on data governance and technology platforms. Whether this will lead to greater convergence remains to be seen, but it does at least signal closer cooperation between the two different regulatory regimes.


Section 4: Set of Proposals

Author: Daniela Pasturczak

Because of the nature of this issue, there are really only two options to help address or mitigate this transatlantic divergence: the EU gets rid of its laws, or the US comes on board and strengthens (creates) some laws. However, considering the benefits to citizens and consumers, the only legitimate proposal would be for the United States to create federal data privacy laws, to strengthen its relationship with the EU, and facilitate data transfer. 

With regard to the EU, the General Data Protection Regulation (GDPR) is a law implemented by the EU in May of 2018 (Congressional Research Service, 2020). It was created to protect the personal data of citizens and consumers, and was made in response to data breaches within the past decade with individual protection in mind (Gallagher, 2021). This law also established a common set of standards for all businesses, which has facilitated data transfer and e-commerce in the EU. Since this law was created by the EU, it has led to greater cohesion among the states, and further incentivizes the Digital Single Market the EU is hoping to entrench (Congressional Research Service, 2020). The GDPR is not just a set of words on a piece of paper, however. It has enforceable punishments in place, such as fining companies that violate the data privacy protections, to ensure that it is respected and followed (Gallagher, 2021).

The United States, on the other hand, has no such laws. Current data privacy laws are merely a mix of tacked-together, outdated state laws that vaguely cover certain aspects of data protection and privacy, but are relatively ineffective in today’s digital world (McCabe & Stevis-Gridneff, 2021). The United States has been used to taking a “bottom-up” approach to this issue, preferring states to regulate amongst themselves. This lack of cohesion has created a situation one would expect to find in Europe (McCoy, 2021). However, the state laws haven’t been enough, and the lack of federal law to provide basic protection has created somewhat of a data privacy nightmare in the United States. The United States is finally attempting to change it, possibly because even companies like Facebook are begging the US government to do something. They have released numerous TV and radio ads to highlight the old and ineffective data regulation and privacy laws (Meta, 2022).

Therefore, the only real proposal to address this transatlantic divergence is for the United States to create federal data privacy laws (Lima, 2022). Ideally, the US government would model them after the GDPR, perhaps even adopt it. According to the Congressional Research Service (2020), trade between the United States and the EU adds up to roughly $1.3 trillion USD, with about 20% of that being information and communication technology services. It is imperative, purely based on numbers, that the United States and the EU come to an agreement on this. Because the EU has led on this issue and created a precedent, many companies have been changing their practices to be in accordance with these laws (Lima, 2021). Even the larger companies, such as Google and Facebook, have adjusted to meet the regulation requirements, albeit begrudgingly.

While the United States Congress continues to drag its feet on this issue, President Joseph R. Biden, Jr. has attempted to bridge the gap through executive order action. President Biden met with some EU leaders in late March specifically to address this issue. Although only a tentative agreement was reached, it was a step in the right direction. Schrems, the man who originally brought the case that led to increased data privacy in the EU, stated that while he found the United States’ actions encouraging, anything weaker than or countering the EU’s GDPR would still be insufficient (McCabe & Stevis-Gridneff, 2022).

This move by the US shows the validity of our proposal for the United States to go along with the EU’s law. It makes significantly more sense not just for the EU and the United States to be united, if not strictly for business reasons, but also because the framework already exists. Despite the fact that big tech is one of the few bipartisan issues left in Congress, politics in the United States overall is more divisive and tense than ever, and creating a brand new law through Congress that would be as far-reaching and enforceable as the GDPR is extremely unlikely (Lima, 2021). Of course, the other option is for the EU to drop its laws, but that would be impossible and irresponsible.


Section 5: Recommendations

Author: Bianca Melodia

The ultimate goal of an agreement on a policy framework for data transfer is to enable data to flow between the EU and the US without a case-by-case analysis of data protection and compatibility with EU laws. A lasting solution is needed in order to reduce uncertainty for businesses and foster transatlantic trade, within the wider goal of reestablishing relations after the Trump administration. Ideally, such an agreement should satisfy business as well as privacy campaigners and the judicial bodies on both sides of the Atlantic (Carrera & Guild, 2015; McCabe & Stevis-Gridneff, 2022). The endeavor bears challenges, but also opportunities for both parties.

Among the most pessimistic of the experts on this issue, a radical reform of US law is the only solution possible. In fact, a lack thereof implies that specific assessments of distinct transfers will be necessary (Murphy, 2021). The NSA (National Security Agency) mass surveillance program, called PRISM, is currently not fully in accordance with EU privacy rules, and profound changes are essential for a new (Safe Harbor) agreement to be effective (Carrera & Guild, 2015).

Overall, there should be thorough coordination between the two trading blocs with respect to the legal basis and legality tests. The 2015 deal failed because the CJEU deemed the political deal not to be legally sound; such an outcome should therefore be avoided (Bracy, 2022). One way to achieve this would be to allow Europeans to “challenge that data collection through U.S. federal courts” (Scott & Manancourt, 2022), but an agreement in this direction seems politically unfeasible at the moment.

A suggestion brought forward by privacy experts is to set up a new agency under the supervision of the US Department of Justice (Scott & Manancourt, 2022). This new institution should be granted substantial investigative powers to verify and assess the handling of European data. In a similar direction, steps were taken during the EU-US summit of June 2021, when the establishment of a Trade and Technology Council (TTC) was announced (Csernatoni, 2021).

A more optimistic approach has its foundation in the considerable sharing of values on both sides of the Atlantic. These common interests will contribute positively to the establishment of bilateral principles and governance. For instance, the CJEU’s main concerns in 2020 were related to necessity and proportionality. However, these concerns, once specific to the EU, have been gaining ground in the US; ideally, the American government will also begin to address such concerns (Bracy, 2022). In this regard, coordination is essential. Both trading blocs should increase their efforts to align their values.

Concerning the internal EU market, and according to Meyer (2021), it is crucial that rules are consistent among member states, and the practice of adopting stricter national regulation should be utterly discouraged. Moreover, European consumers and businesses alike should be able to reap the fruits of regulation and see tangible results from its benefits, in order to build political consensus domestically and political leverage abroad. Lastly, rules need to be cost-effective.

Transparency is pivotal for joint dialogues and the TTC working group to operate in a bubble (DigitalEurope, 2021). Technology must be at the core of transatlantic cooperation and trust, especially in times of rapid transformations of the digital world, and their power to disrupt societies (Csernatoni, 2021). As an illustration, the Ukrainian war has shown that EU-US data flows were key to protecting websites from cyberattacks (Scott & Manancourt, 2022). Intelligence and Big Tech play a role at a global scale that must not be overlooked.






















 


