The entry into force on May 25th of this year of the European Union’s General Data Protection Regulation (GDPR) has brought privacy and digital security issues to the front burner. In the wake of numerous data scandals and breaches (Facebook, Under Armour, and too many others to list), the EU has implemented the most comprehensive and stringent privacy standards on earth. While many welcome this development and seek to emulate it (e.g. California’s recent data privacy laws), others view the implementation of the GDPR as a form of regulatory protectionism that contains a degree of extraterritoriality, because any firm, European or not, that processes the personal data of EU citizens is bound by the GDPR. It is this legally expansive element, together with the requirement that the GDPR must be “embedded in any new EU trade deals,” that must be more thoroughly reviewed in an international context.
The Trump administration’s response to the GDPR arrived very late – days after May 25th – and was voiced through two prisms: national security (through Department of Homeland Security Secretary Nielsen, who warned the GDPR would have “unintended consequences” such as delaying the government’s ability to notice cyber threats) and trade (Secretary of Commerce Wilbur Ross wrote an op-ed in the Financial Times where he warned that the GDPR would “create unnecessary barriers to trade”).
The U.S. government has strong concerns about the GDPR but has not yet promulgated an alternative approach. Does the U.S. have a counter proposal to the GDPR? Will the United States accept the EU’s right to set the guidelines for all firms and all future FTAs unilaterally? Or will Washington negotiate with Brussels to create a “mutual adequacy” mechanism to cover data protection between the EU and U.S. (similar to Privacy Shield), or tweak the GDPR in a more liberal direction instead? Or should the United States chart its own path on data privacy and encourage third countries to choose other guidelines, for example APEC’s Privacy Framework enshrined in its Cross-Border Privacy Rights (CBPR)?
The Trump Administration is unlikely to accept the EU’s right to set global rules for data protection. Previous blog posts in this series have described the United States as the leader of the “liberalizers” in digital trade policy. Liberalizers might see the GDPR as an onerous EU regulation and a stealthy, high-tech form of protectionism. In this view, the GDPR exceeds previous EU regulations in its reach, if not its intent. European guidelines don’t usually penalize foreign firms operating in their home countries, but personal data crosses borders more freely, and the GDPR authorizes fines of four percent of a firm’s global revenue if that firm mishandles data gleaned from EU citizens. Fearful of such an expansive regulatory reach, many U.S. websites went dark in Europe when the GDPR entered into force. The number of lawsuits that have already been filed since implementation will continue to fuel the view in Washington that the GDPR is designed to penalize the dominant American technology firms in Europe, which are a source of American tax revenue as well as economic innovation and competitiveness.
A more likely scenario would be for U.S. regulators to push back at the edges of EU regulations and initiate a negotiation. This is what Secretary Ross began to do with his recent editorial by raising concerns about pharmaceutical companies that might not submit drug trial data to the CDC if patients are EU citizens, or nefarious website owners whose identities might be hidden from law enforcement. Ironically, Ross’s article was published on May 31st, the date the United States applied tariffs on steel and aluminum imports from the EU. As such, Ross’s liberal appeals about free-flowing data and the need to fight high-tech protectionism ring hollow.
Furthermore, Washington appears split on the GDPR. Businesses have complained, but some in Congress have expressed enthusiasm for the new regulations. Democratic senators introduced a resolution that called for Americans to receive the same privacy protections that EU citizens are guaranteed by the GDPR. But so far, Republicans have not proposed an alternative, viewing “regulations” as a four-letter word.
If the United States attempted to chart an alternative to the GDPR alongside the EU, what form would that take? The U.S. pushed for an entire electronic commerce chapter in the Trans-Pacific Partnership (TPP) that disavowed data localization requirements and required each signatory to create its own data protection legal framework. But Europe would find this inadequate, and the European Commission maintains that “EU data protection rules cannot be the subject of negotiations in a free trade agreement.” Recent European FTAs with Canada and Japan have instead used “mutual adequacy decisions” to cover data protection. These are separate announcements that each country’s data protection laws satisfy the other’s regulations. Canada has held adequacy status with the EU since 2001, and under the new GDPR regulations this status will be reviewed at least every four years. Japan has yet to bridge the gap, but the EU and Japan hope to approve each other’s privacy regimes soon as a follow-up to their FTA (but not as a direct part of it, because they cannot achieve consensus among the 28 EU members to do so). The EU has played hardball on this point. It has not negotiated away GDPR provisions in its most recent FTAs and has reiterated that “Data protection is a fundamental right…privacy is not a commodity to be traded.” Even U.S. firms that comply with the GDPR regulations are only permitted to transfer personal data if they also comply with the EU-U.S. Privacy Shield Framework. But a case challenging Privacy Shield was recently kicked to the European Court of Justice, and there’s a chance it will be overturned in the middle of 2019. In that event, the pressure on the U.S. to reach a new, formal data protection agreement with Europe would be immense.
Rather than accept the GDPR, seek an adequacy mechanism, or find a transatlantic regulatory “third way” with the EU, what if the U.S. creates its own data protection standards?
This runs into a couple more pitfalls. First, as mentioned earlier, the U.S. doesn’t appear to have an alternative proposal in mind, although it could look to the CBPR as a possible way forward. Clearly, the GDPR will benefit from a first-mover advantage that makes third countries more likely to accept the EU model. The UK, for instance, has implemented the GDPR, passing a new UK Data Protection Act that mirrors the GDPR’s requirements, although the government has stated that it will not become part of the EU’s future e-privacy regulations. After Brexit, Parliament can of course change the law, but it is unlikely the UK will scrap existing data privacy laws for an American model, because it does not wish to lose the existing economic benefits of harmonization despite a preference for a U.S.-style lighter regulatory touch. Moreover, Theresa May’s government is especially determined to maintain digital trade with the EU after Brexit. The Queen even used her June 2017 speech to Parliament to emphasize Britain’s need “to maintain [its] ability to share data with other EU member states” after Brexit. This is an understandable policy approach. Even if the British seek a U.S.-UK FTA, their main trading focus will remain Europe. British trade with the rest of the EU dwarfs U.S.-UK trade. According to the British Office for National Statistics, the UK exported £99.6 billion to the U.S. in 2016 and imported a further £66.3 billion. For British trade with the EU, the comparable figures are £235.8 billion and £318 billion. There is no way the UK will want (or be able) to replace EU trade with American trade.
This is not a challenge for the U.S. alone. Other third countries find themselves in similar positions vis-à-vis the GDPR. Brazil has adopted the practice of ensuring trading partners have solid data protections before allowing digital trade, and its Mercosur partners Argentina and Uruguay are among the few countries that have data adequacy status with the EU. It is perhaps telling that the next big trade deal the EU is negotiating is with Mercosur: the EU is positioning itself, in the absence of a compelling competing model, as the effective rule-maker for global digital trade and data protection concerns. The Commission admitted as much in a 2017 statement that said, “The EU should seize this opportunity to promote its data protection values and facilitate data flows by encouraging convergence of legal systems.” It has since identified East and Southeast Asia, India, and the remaining Mercosur countries as specific targets for mutual adequacy talks. That could entrench EU data protection regulations among many of the world’s major economies and deepen the GDPR’s first-mover advantage before, or whether or not, an alternative U.S. model is put forward.
New Zealand provides another example. The EU recognized New Zealand’s privacy regime as adequate in 2012, but as stated earlier, that status must be reviewed every four years. And because the GDPR passed after 2012, New Zealand fears that the EU will apply stricter standards in its periodic reviews than it did when it first granted adequacy. The Office of New Zealand’s Privacy Commissioner admits the country may need to update its 1993 Privacy Act and that the GDPR will require “even more of a third country in the future.” This is particularly portentous because the EU itself says New Zealand has played “a pioneering role in developing data protection laws.”
Will third countries have to choose between EU and U.S. models for data protection? It appears unlikely that the EU and U.S. will bridge the gap between their two worldviews, or that a U.S. model will be as compelling for many third countries, leaving much of the world leaning toward the GDPR. In the absence of an alternative American model, it seems that the GDPR will rule the data protection roost.
William Alan Reinsch, Senior Adviser and William M. Scholl Chair in International Business
Andrew Chatzky, Intern, William M. Scholl Chair in International Business