Paul Rosenzweig & Alan Wehler

Together or Apart on Privacy

By: Paul Rosenzweig and Alan Wehler

Last month the Court of Justice of the European Union (CJEU) issued one of the most significant decisions in the court’s history, invalidating Privacy Shield, an important but relatively obscure agreement used to facilitate the transfer of private customer data between the U.S. and Europe, and also calling into question several privacy-related mechanisms. The decision has left widespread uncertainty and turmoil in its wake, threatening to further damage trans-Atlantic commerce amidst a global pandemic and strengthen Chinese and Russian efforts to push their own model of “privacy.” Now is the time to work with our allies on privacy and economic recovery, not to cut off our nose to spite our face.

The court’s decision effectively applies European privacy law extraterritorially, meaning that all U.S. companies with European customers are expected to comply with the General Data Protection Regulation (GDPR), Europe’s sweeping privacy legislation. The court rejected Privacy Shield as incompatible with GDPR because it retained U.S. authorities’ ability to access European data once in the U.S. via special surveillance authorities.

To reach the Privacy Shield agreement with Europe, the U.S. made a series of concessions on this issue, restricting the use of such data while creating new surveillance oversight mechanisms. The result was one of the most restrictive trans-national data transfer agreements in the world, providing Europeans even greater privacy protections for their data than those afforded to American citizens. The CJEU decided this wasn’t enough. In effect it is demanding an end to American surveillance altogether, and seemingly equates the U.S. privacy regime to the draconian privacy perspective of China, Russia, and other authoritarian nations.

The impact on commerce will be dramatic, especially amidst the economic turmoil of a global pandemic. The court’s ruling disrupts a significant amount of trans-Atlantic economic activity, touching thousands of companies ranging from Boeing and Amazon to Airbnb and Uber. European authorities have already started to question companies on their transfer of data across the Atlantic, and many companies may be ultimately subject to millions of dollars in fines.

Sadly, the U.S. government must, yet again, respond to European privacy protectionism, without destroying the vital trans-Atlantic data bridge. Here’s what needs to happen:

First, the U.S. must engage with the Commission and EU member states to address the widening gulf between the CJEU and the Commission on privacy. Privacy Shield was the Commission’s best effort to square the Court’s aggressive position with the realities of international commerce and diplomacy – without it, changes to European law are the only way to compromise. The court’s activist position – the extraterritorial application of GDPR without exception – has hamstrung the EU’s ability to engage in the usual give-and-take of international negotiation. It is this very sort of interference that has led U.S. courts to, generally, not apply U.S. law extraterritorially; doing so often creates significant complications.

Beyond engagement, the U.S. should contemplate further closing the privacy gap between the U.S. and Europe by enhancing privacy protections through nascent federal privacy efforts. The U.S. should also build a united front with other countries left in a similar position by the decision, including the U.K., Canada, and Australia – together we can apply further pressure on European authorities to act. Indeed, the U.K.’s imminent departure from the EU’s privacy rules may provide an opportunity for a creative response to the CJEU decision that should be embraced by its traditional allies.

The road forward will not be easy, as the past five years have proven, but the alternative would be far worse. Taken to its extreme, the Court’s decision will lead to the breakup of the internet as we know it, creating a world of localized networks where data rarely, if ever, crosses international borders. Moving in this direction would be a significant drag on an economy already struggling through a global pandemic. Worse yet, it would play into the hands of our Chinese and Russian adversaries, who already rely on close control of their own internets to oppress their citizens.

This decision has left Europe with a choice – a pure application of European privacy law abroad or compromise with like-minded allies that accommodates privacy, security, and international commerce. There is more that needs to be done to protect the privacy of U.S. citizens, and we can use this opportunity to advance those efforts. But the EU should be wary of blowing up the trans-Atlantic digital economy over what are relatively small differences of opinion, especially when compared to the abusive approach of other nations. The U.S. and the Commission have already worked in good faith. Without further cooperation we risk undermining a valuable trans-Atlantic exchange of ideas and commerce at a moment when we can hardly afford to make such sacrifices.

Paul Rosenzweig is a senior advisor to the Chertoff Group, a global security and risk management advisory firm with clients in the technology sector. He previously served as Deputy Assistant Secretary for Policy at the U.S. Department of Homeland Security. Alan Wehler is a Director at The Chertoff Group where he advises clients on technology and security policy issues.
