Skip to main content
  • Sections
  • Search

Center for Strategic & International Studies

User menu

  • Subscribe
  • Sign In

Topics

  • Climate Change
  • Cybersecurity and Technology
    • Cybersecurity
    • Data Governance
    • Intellectual Property
    • Intelligence, Surveillance, and Privacy
    • Military Technology
    • Space
    • Technology and Innovation
  • Defense and Security
    • Counterterrorism and Homeland Security
    • Defense Budget
    • Defense Industry, Acquisition, and Innovation
    • Defense Strategy and Capabilities
    • Geopolitics and International Security
    • Long-Term Futures
    • Missile Defense
    • Space
    • Weapons of Mass Destruction Proliferation
  • Economics
    • Asian Economics
    • Global Economic Governance
    • Trade and International Business
  • Energy and Sustainability
    • Energy, Climate Change, and Environmental Impacts
    • Energy and Geopolitics
    • Energy Innovation
    • Energy Markets, Trends, and Outlooks
  • Global Health
    • Family Planning, Maternal and Child Health, and Immunizations
    • Multilateral Institutions
    • Health and Security
    • Infectious Disease
  • Human Rights
    • Building Sustainable and Inclusive Democracy
    • Business and Human Rights
    • Responding to Egregious Human Rights Abuses
    • Civil Society
    • Transitional Justice
    • Human Security
  • International Development
    • Food and Agriculture
    • Governance and Rule of Law
    • Humanitarian Assistance
    • Human Mobility
    • Private Sector Development
    • U.S. Development Policy

Regions

  • Africa
    • North Africa
    • Sub-Saharan Africa
  • Americas
    • Caribbean
    • North America
    • South America
  • Arctic
  • Asia
    • Afghanistan
    • Australia, New Zealand & Pacific
    • China
    • India
    • Japan
    • Korea
    • Pakistan
    • Southeast Asia
  • Europe
    • European Union
    • NATO
    • Post-Soviet Europe
    • Turkey
  • Middle East
    • The Gulf
    • Egypt and the Levant
    • North Africa
  • Russia and Eurasia
    • The South Caucasus
    • Central Asia
    • Post-Soviet Europe
    • Russia

Sections menu

  • Programs
  • Experts
  • Events
  • Analysis
    • Blogs
    • Books
    • Commentary
    • Congressional Testimony
    • Critical Questions
    • Interactive Reports
    • Journals
    • Newsletter
    • Reports
    • Transcript
  • Podcasts
  • iDeas Lab
  • Transcripts
  • Web Projects

Main menu

  • About Us
  • Support CSIS
    • Securing Our Future

Photo: Adobe Stock

Blog Post - The Future of Digital Trade Policy and the Role of the U.S. and UK
Share
  • LinkedIn
  • Facebook
  • Twitter
  • Email
  • Printfriendly.com

Must Third Countries Choose Between EU or U.S. Digital Trade Protection Preferences?

July 11, 2018

The entry into force on May 25th of this year of the European Union’s General Data Protection Regulation (GDPR) has brought privacy and digital security issues to the front burner. In the wake of numerous data scandals and breaches (Facebook, Equifax, Uber, Under Armour, Chili’s, and too many others to list), the EU has implemented the most comprehensive and stringent privacy standards on earth.  Where many welcome this development, and seek to emulate it (e.g. California’s recent data privacy laws), others view the implementation of GDPR as a form of regulatory protectionism that contains a degree of extraterritoriality due to the requirement that any firm, European or not, that processes the personal data of EU citizens, is bound by GDPR. It is this legally expansive element and the requirement that the GDPR must be “embedded in any new EU trade deals” that must be more thoroughly reviewed in an international context.

The Trump administration’s response to the GDPR arrived very late – days after May 25th – and was voiced through two prisms:  national security (through Department of Homeland Security Secretary Nielsen, who warned the GDPR would have “unintended consequences” such as delaying the government’s ability to notice cyber threats) and trade (Secretary of Commerce Wilbur Ross wrote an Op-Ed in the Financial Times where he warned that the GDPR would “create unnecessary barriers to trade”).

The U.S. government has strong concerns about GDPR but has not yet promulgated an alternative approach. Does the U.S. have a counter proposal to the GDPR? Will the United States accept the EU’s right to set the guidelines for all firms and all future FTAs unilaterally?  Or, will Washington negotiate with Brussels to create a “mutual adequacy” mechanism to cover data protection between the EU and U.S. (similar to Privacy Shield) or tweak the GDPR in a more liberal direction instead? Or, should the United States chart its own path on data privacy and encourage third countries to choose guidelines, for example APEC’s Privacy Framework enshrined in its Cross-Border Privacy Rights (CBPR)?

The Trump Administration is unlikely to accept the EU’s right to set global rules for data protection. Previous blog posts in this series have described the United States as the leader of the “liberalizers” in digital trade policy. Liberalizers might see the GDPR as an onerous EU regulation and a stealthy, high-tech form of protectionism. In this view, the GDPR exceeds previous EU regulations in its reach, if not its intent. European guidelines don’t usually penalize foreign firms operating in their home countries, but personal data crosses borders more freely, and the GDPR authorizes fines of four percent of a firm’s global revenue if that firm is mishandling data gleaned from EU citizens. Fearful of such an expansive regulatory reach, many U.S. websites went dark in Europe when the GDPR entered into force. The number of lawsuits that have already been filed since implementation will continue to fuel the view in Washington that the GDPR is designed to penalize dominant American technology firms in Europe which are a source of American tax revenue as well as economic innovation and competitiveness.

A more likely scenario would be for U.S. regulators to push back at the edges of EU regulations and initiate a negotiation. This is what Secretary Ross began to do with his recent editorial by raising concerns about pharmaceutical companies who might not submit drug trial data to the CDC if patients are EU citizens, or nefarious website owners whose identities might be hidden from law enforcement. Ironically, Ross’s article was published on May 31st—the date the United States applied tariffs on steel and aluminum imports from the EU. As such, Ross’s liberal appeals about free-flowing data and the need to fight high-tech protectionism ring hollow.

Furthermore, Washington appears split on the GDPR. Businesses have complained, but some in Congress have expressed enthusiasm for the new regulations. Democratic senators introduced a resolution that called for Americans to receive the same privacy protections that EU citizens are guaranteed by the GDPR. But so far, Republicans have not proposed an alternative, viewing “regulations” as a four-letter word.

If the United States attempted to chart an alternative to the GDPR alongside the EU, what form would that take? The U.S. pushed for an entire electronic commerce chapter in the Trans-Pacific Partnership (TPP) that disavowed data localization requirements and required each signatory to create its own data protection legal framework. But Europe would find this inadequate, and the European Commission maintains that “EU data protection rules cannot be the subject of negotiations in a free trade agreement.” But recent European FTAs with Canada and Japan have used “mutual adequacy decisions” to cover data protection. These are separate announcements that each country’s data protection laws satisfy the other’s regulations. Canada has held adequacy status with the EU since 2001, and under new GDPR regulations this status will be reviewed at least every four years. Japan has yet to bridge the gap, but the EU and Japan hope to approve each other’s privacy regime soon as a follow-up to their FTA (but not as a direct part of it because they cannot achieve consensus among the 28 EU members to do so). The EU has played hardball on this point. They have not negotiated away GDPR provisions in their most recent FTAs and reiterated that, “Data protection is a fundamental right…privacy is not a commodity to be traded.” Even U.S. firms that comply with the GDPR regulations are only permitted to transfer personal data if they also comply with the EU-U.S. Privacy Shield Framework. But a case challenging Privacy Shield was recently kicked to the European Court of Justice and there’s a chance it will be overturned in the middle of 2019. In that event, the pressure for the U.S. to reach a new, formal data protection agreement with Europe would be immense.

Rather than accept the GDPR, seek an adequacy mechanism or find a transatlantic regulatory “third way” with the EU, what if the U.S. creates its own data protection standards?

This runs into a couple more pitfalls: First, as mentioned earlier, the U.S. doesn’t appear to have an alternative proposal in mind although it could look to the CBPR as a possible way forward. Clearly, the GDPR will benefit from a first-mover advantage that makes third countries more likely to accept the EU model. The UK, for instance, has implemented the GDPR, passing a new UK Data Protection Act that mirrors the GDPR’s requirements although the government has stated that it will not become part of the EU’s future e-privacy regulations.  After Brexit, Parliament can of course change the law, but it is unlikely the UK will scrap existing data privacy laws for an American model because it does not wish to lose the existing economic benefits of harmonization despite a preference for a U.S.-style lighter regulatory touch.  Moreover, Theresa May’s government is especially determined to maintain digital trade with the EU after Brexit.  The Queen even used her June 2017 speech to Parliament to emphasize Britain’s need “to maintain [its] ability to share data with other EU member states” after Brexit.  This is an understandable policy approach. Even if the British seek a U.S.-UK FTA, their main trading focus will remain Europe. British trade with the rest of the EU dwarfs U.S.-UK trade. According to the British Office for National Statistics, the UK exported £99.6 billion to the U.S. in 2016 and imported a further £66.3 billion. For British trade with the EU, the comparable figures are £235.8 billion and £318 billion. There is no way the UK will want (or be able) to replace EU trade with American trade.

This is not a challenge for the U.S. alone.  Other third countries find themselves in similar positions vis-à-vis GDPR. Brazil has adopted the practice of ensuring trading partners have solid data protections before allowing digital trade, and its Mercosur partners Argentina and Uruguay are some of the few countries that have data adequacy status with the EU. It is perhaps telling that the next big trade deal the EU is negotiating is with Mercosur: The EU is positioning itself, in the absence of a compelling competing model, as the effective rule-maker for global digital trade and data protection concerns. The Commission admitted as much in a 2017 statement that said, “The EU should seize this opportunity to promote its data protection values and facilitate data flows by encouraging convergence of legal systems.” It has since identified East and Southeast Asia, India, and the remaining Mercosur countries as specific targets for mutual adequacy talks. That could entrench EU data protection regulations among many of the world’s major economies and deepen the GDPR’s first-mover advantage before or if an alternative U.S. model is put forward.

New Zealand provides another example. The EU recognized New Zealand’s privacy regime as adequate in 2012, but as stated earlier, that status must be reviewed every four years. And because the GDPR passed after 2012, New Zealand fears that the EU will apply stricter standards in its periodic reviews than it did when it first granted adequacy. The Office of New Zealand’s Privacy Commissioner admits the country may need to update its 1993 Privacy Act and that the GDPR will require “even more of a third country in the future.” This is particularly portentous because the EU itself says New Zealand has played “a pioneering role in developing data protection laws.”

Will third countries have to choose between EU and U.S. models for data protection? It appears unlikely that the EU and U.S. will bridge the gap between their two worldviews or that a U.S. model will be as compelling for many third countries, leaving much of the world leaning toward the GDPR. In the absence of an alternative American model, it seems like the GDPR will rule the data protection roost.

Authors:
William Alan Reinsch, Senior Adviser and William M. Scholl Chair in International Business
Andrew Chatzky, Intern, William M. Scholl Chair in International Business

Written By
William Alan Reinsch
Senior Adviser and Scholl Chair in International Business
Media Queries
Contact H. Andrew Schwartz
Chief Communications Officer
Tel: 202.775.3242

Contact Paige Montfort
Media Relations Coordinator, External Relations
Tel: 202.775.3173
Related
Cybersecurity and Technology, Europe, Europe, Russia, and Eurasia Program, European Union, Scholl Chair in International Business, Trade and International Business

More from this blog

Blog Post
An Opportunity to Bridge the Pond's Digital Gap
By William Alan Reinsch
In The Future of Digital Trade Policy and the Role of the U.S. and UK
May 4, 2018
Blog Post
The Global Battle for Digital Trade
In The Future of Digital Trade Policy and the Role of the U.S. and UK
April 13, 2018
Blog Post
A Data Localization Free-for-All?
By William Alan Reinsch
In The Future of Digital Trade Policy and the Role of the U.S. and UK
March 9, 2018
Blog Post
Building a U.S.-UK FinTech Sandbox?
By Kati Suominen
In The Future of Digital Trade Policy and the Role of the U.S. and UK
March 7, 2018
Blog Post
Blockchain to Accelerate Transatlantic Trade
By Kati Suominen
In The Future of Digital Trade Policy and the Role of the U.S. and UK
February 23, 2018
Blog Post
No Choice? GDPR's Impact on the U.S., UK, and the EU
By Kati Suominen
In The Future of Digital Trade Policy and the Role of the U.S. and UK
January 31, 2018
Blog Post
Fueling the Ecommerce Boom in U.S.-UK Trade
By Kati Suominen
In The Future of Digital Trade Policy and the Role of the U.S. and UK
November 2, 2017
Blog Post
Where the Money Is: The Transatlantic Digital Market
By Kati Suominen
In The Future of Digital Trade Policy and the Role of the U.S. and UK
October 12, 2017

Related Content

Commentary
Data: Governance and Geopolitics
January 11, 2021
Critical Questions
Transatlantic Data Flows: Permanently Broken or Temporarily Fractured?
By William Alan Reinsch
August 31, 2020
Report
What’s Ahead for a Cooperative Regulatory Agenda on Artificial Intelligence?
By Meredith Broadbent
March 17, 2021
Report
Digital Governance: It Is Time for the United States to Lead Again
By Daniel F. Runde, Sundar R. Ramanujam
August 2, 2021
Report
Data Protection or Data Utility?
By Alexander Kersten
February 18, 2022
Critical Questions
Global Digital Governance: Here’s What You Need to Know
By Daniel F. Runde, Sundar R. Ramanujam
October 1, 2021
Commentary
AI Regulation: Europe’s Latest Proposal is a Wake-Up Call for the United States
By Meredith Broadbent
May 18, 2021
Blog Post
The Shape of U.S.-India Data Relationship
In New Perspectives on Asia
February 8, 2021
Footer menu
  • Topics
  • Regions
  • Programs
  • Experts
  • Events
  • Analysis
  • Web Projects
  • Podcasts
  • iDeas Lab
  • Transcripts
  • About Us
  • Support Us
Contact CSIS
Email CSIS
Tel: 202.887.0200
Fax: 202.775.3199
Visit CSIS Headquarters
1616 Rhode Island Avenue, NW
Washington, DC 20036
Media Queries
Contact H. Andrew Schwartz
Chief Communications Officer
Tel: 202.775.3242

Contact Paige Montfort
Media Relations Coordinator, External Relations
Tel: 202.775.3173

Daily Updates

Sign up to receive The Evening, a daily brief on the news, events, and people shaping the world of international affairs.

Subscribe to CSIS Newsletters

Follow CSIS
  • Facebook
  • Twitter
  • LinkedIn
  • YouTube
  • Instagram

All content © 2022. All rights reserved.

Legal menu
  • Credits
  • Privacy Policy
  • Reprint Permissions