The European challenge to a U.S. data privacy framework
Eight months into the enforcement of the EU General Data Protection Regulation, the global business community still has as many questions as it has answers.
But one thing remains quite clear: the GDPR has imposed big costs on business. The International Association of Privacy Professionals (IAPP) estimates that Fortune 500 companies will have spent $7.8 billion on GDPR compliance, which doesn’t even begin to touch on the efforts of smaller firms.
One can certainly argue that major investments in data protection were necessary. However, these aren’t the only costs. There is a serious risk of a chilling effect on innovative uses of data, as companies decide to wall off certain data, even if it is lawfully and productively exploited, rather than expend time and energy thinking through the bounds of the regulation.
But the GDPR model has more troubling costs than those imposed directly on businesses, namely supporting a proliferation of barriers to global data flows.
The GDPR is an adequacy-based regime – it requires that the European Commission make country-by-country determinations that a jurisdiction provides “adequate” levels of data protection before transfers can occur.
This is an inherently time-consuming and politically fraught process that does not meet the needs of global business for expediency, flexibility, and global scale. Unfortunately, it is also a popular concept, being one of the most commonly emulated provisions of the framework internationally.
When data primarily flowed between the EU and the U.S., the costs of a single EU-U.S. adequacy mechanism may have been manageable. However, other countries, including India, the Philippines, and Malaysia, are now developing digitally and taking on an outsized data processing role through business process outsourcing.
With this intricate geometry for global data flows, the spread of the adequacy standard may create additional barriers for businesses engineering their corporate networks – including European businesses looking to leverage these resources.
America to the Rescue?
Amid the ascendency of GDPR-like standards around the world, many in the business community are looking to the U.S. to put forward a more business-friendly model. Long a champion of light-touch regulation for business internationally – including the tech sector – the U.S. can help set global norms back on track for open cross-border data flows and data-based innovation.
Washington, D.C. may finally be getting its act together in this realm. The U.S. has embarked upon a process to develop a comprehensive consumer privacy framework at the federal level, bringing more coherence to previously fragmented and sector-based rules. The effort is long overdue, and substantial political pressure has been generated by troubling revelations of the privacy practices of tech giants and by the legislative developments of the GDPR and the California Consumer Privacy Act, which, though just as stringent, is not perfectly aligned with the GDPR from a compliance perspective.
But federal legislation may be as likely to emulate the GDPR as it is to push back against it.
If you can’t beat them, join them?
The problem for advocates of a looser U.S. system is that Europeans are already winning the global privacy debate. The GDPR has already shaped discourse and is helping to set the agenda everywhere – including in D.C.
The GDPR’s normative power has had a substantial influence on the language surrounding personal data protection. It is now commonplace to discuss data protection as an issue of fundamental rights, and to conceptualize legal obligations around data subjects, controllers, and processors. Proposals around the world are codifying these ideas and adopting elements of the GDPR such as an array of affirmative rights for individuals, onerously short breach notification windows, and heavy fines for non-compliance (four percent of global turnover is almost a mantra now). Legislative proposals in the U.S. Congress are already aping some of these elements.
Consumer advocates and civil society organizations are now comfortable with – or even advocating for – a similar European purist approach and tough-on-tech stance in the U.S. What’s more, while large companies certainly have no love for the GDPR, many have already invested major resources in complying with the framework. A similar one in the U.S. would save them time and resources.
The Europeans’ restrictive framework also gives them a degree of leverage. U.S. companies deliver hundreds of billions of dollars’ worth of goods and services to the European market annually that are underpinned by uninterrupted data flows.
Currently, the adequacy determination for the U.S. enabling this flow hinges on the politically fragile Privacy Shield Agreement. Many political forces in Europe would like nothing more than to torpedo the arrangement, and have pressured the European Commission to ratchet up scrutiny. This leaves a perpetual sword of Damocles hanging over trans-Atlantic data flows that U.S. policy-makers need to be careful to protect.
The challenge is finding balance
This creates a tension that will be difficult for legislators to balance. On the one hand, it is important to develop a framework that supports innovation and international data flows. On the other, efforts that are transparently focused on undermining the GDPR or going easy on the unpopular tech industry will not be well received by Europe and others.
U.S. policy-makers need to draft a framework that satisfies these parties and doesn’t provoke a backlash that further restricts data flows. If they fail to do so, U.S. tech providers and tech users will bear the cost.
There is some hope that the U.S. could thread this needle. Japan successfully secured a mutual adequacy accord with the EU last year, despite promoting the pro-business and pro-data flows APEC Cross Border Privacy Rules mechanism by law.
As anyone who works in trans-Atlantic tech politics will tell you, the political dynamics between Europe and the U.S. are completely different than the ones between Europe and Japan. Nevertheless, U.S. legislators would do well to keep this success story in mind as they try to find a workable balance that both protects consumers and promotes business.