U.S. Businesses  Face  the Specter of  Data Localization in Europe 

06/01/2021

|

Evangelos Razis | U.S. Chamber of Commerce

In a few weeks, President Biden will meet with European Union leaders in Brussels. With global economic recovery a priority, and bilateral trade and digital cooperation on the agenda, one test of whether the  renewed  U.S.-EU partnership can deliver results is  the  conclusion  of a new Privacy Shield. A new  pact  will inject much needed certainty into the transatlantic economy, which relies on the ability of  all  firms  to transfer personal information  from  Europe  to  the United States. Without a new Privacy Shield, U.S.  exports  and American affiliates in  the  EU  will  continue to  be  targeted by privacy regulators and other proponents of forced data localization. U.S. businesses will consequently  face diminished access to a market of 450 million consumers, threatening  American  competitiveness  and millions of  American  jobs.   

Transatlantic Data Flows in  Disarray   

Transatlantic data flows  have been in disarray  since the European Court of Justice’s decision last July to invalidate the Privacy Shield. The Court’s ruling in the “Schrems  II”  case  centered on European concerns about U.S. government access to  personal information, not  on  U.S. consumer privacy protections. U.S. businesses have nonetheless found themselves in the middle of a dispute between the U.S. Government, whose  lawful surveillance  practices  keep Americans and Europeans safe from shared threats to our security, and European privacy regulators insistent on a fundamentalist reading of the Court’s ruling. The Biden Administration’s decision to appoint a seasoned privacy leader as  its  chief negotiator, together with a joint U.S.-EU statement in March that talks were “intensifying,” offered  hope that a successor agreement was in sight.   

Europe’s Privacy Regulators are Changing Facts on the Ground  

As negotiations  drag on, however, U.S. businesses are facing  the  very real  specter of  forced  data localization in Europe.  A ruling on May 14 by the Irish High Court against Facebook  means that the Irish Data Protection Commissioner may be one step closer to invalidating  the use of  standard contractual clauses, a legal tool used by 90 percent of companies to transfer data out of Europe.  Meanwhile,  smaller companies  are already seeing their access to the market disrupted. In April, Bavaria’s data protection authority ordered a German fashion magazine to discontinue using Mailchimp, because the Atlanta-based newsletter service transferred European email addresses to the United States. Weeks later, Portugal’s national statistics authority was ordered to immediately stop using Cloudflare, because the San Francisco company’s terms of service did not guarantee that it stored and processed European personal information  exclusively  in Europe.  

With vocal support of the European Parliament, the EU’s privacy regulators are embracing forced data localization.  Last year, the EU’s  caucus of privacy  enforcers, the European Data Protection Board, issued draft guidelines to implement the  Schrems  II decision. The Board went well beyond the Court’s ruling, proposing to  ban  companies in the EU from using U.S.-based cloud or software services and  entirely  cutting off U.S. services exporters’ access to commercially meaningful data. While the Board is currently finalizing  its  guidelines, privacy regulators are already citing them in  enforcement actions against U.S. companies.  Importantly, neither Chinese nor Russian companies, nor EU data transfers to these jurisdictions, face  this  kind  of  scrutiny.  No doubt China’s state-backed and heavily protected tech giants see  a business opportunity. For American businesses and the U.S. government, there are now legitimate and intensifying questions as to why European regulators seem more inclined to grant better treatment to Chinese and Russian tech companies than their U.S. counterparts. 

Protecting American Commercial Interests in Europe  

A new Privacy Shield will ward off the worst threats of data localization.  Absent a deal, however,  European regulators are changing facts on the  ground,  threatening to undermine U.S. economic interests—and transform Europe into a digital island.  In 2019, the U.S. exported more than $245 billion in digitally enabled services to Europe, double what it exported to the entire Asia-Pacific  region. This trade  supports  millions of good paying U.S. jobs  and is key to  U.S. competitiveness in the data-intensive industries of the future. Transatlantic data transfers  enable  an array of essential activities, including  multi-country clinical trials  for innovative medicines  such as COVID-19 vaccines, cybersecurity threat information sharing, and anti-fraud and anti-money laundering efforts.  

Supporting U.S. digital trade exports has long been a priority of  U.S. policymakers on both sides of the aisle.  Leaders  in Congress and across U.S. administrations have  pushed  back against discriminatory digital services taxes levied against U.S. companies  in Europe and beyond. The U.S. business community is eager to see  a revitalized transatlantic partnership. However, advancing a shared digital economy and trade agenda  will prove exceedingly  difficult if the U.S. is considered a singularly untrustworthy destination for EU personal information. In lieu of a swift conclusion to the Privacy Shield negotiations,  U.S. policymakers  may need to act to protect American commercial interests  in  Europe.   

Evangelos Razis is Director at the U.S. Chamber of Commerce’s Center for Global Regulatory Cooperation. He serves as policy lead for the U.S. Chamber’s work on digital trade and global data privacy and artificial intelligence.  

To read the full commentary, please click here.