Digital trade is heading straight into a three-way pileup.
The European Union, the United States and the United Kingdom are facing off over how to handle data transfers that underpin billions of euros annually in trade. Officials are trying to hammer out separate agreements — between Brussels and Washington, Brussels and London, and London and Washington — by the end of the year or early 2021.
But negotiations are set to be difficult. Europe has been at odds with Washington for years over privacy protections, and London could also soon find itself at odds with Europe.
The EU has first-mover advantage after rolling out new protections in 2018 that were copied by governments from Bogotá to Seoul. A recent ruling from the region’s highest court also deemed U.S. data protections insufficient when European citizens’ data is transferred across the Atlantic — irking many in Washington who consider their own standards, including the U.S. Constitution, as more than adequate.
Despite their disagreements, both sides are now under pressure to find a solution that will hold up to scrutiny in European courts. An upcoming U.S. election, as well as ongoing fights on Capitol Hill over new federal privacy legislation and efforts within U.S. states to pass their own data protection rules, have complicated those discussions.
Enter the United Kingdom. Officials have until the end of the year to sign a separate deal with the EU on data transfers when the Brexit transition period ends December 31. London is also keen to reach a similar arrangement with Washington (both countries’ national security agencies have longstanding ties) after the British government said it would go it alone on setting its own rules on data protection. U.K. officials add, though, that they plan to stick close to the EU’s stance on privacy.
POLITICO talked to officials, company executives, privacy advocates and outside legal experts to break down where all three sides stand. Here’s what you need to know.
As soon as Europe’s highest court invalidated the EU-U.S. Privacy Shield agreement, which allowed data to be moved across the Atlantic, Brussels got working with its U.S. counterparts to update the deal. It hasn’t been easy.
Many of the issues highlighted by the Luxembourg-based court related to U.S. surveillance practices over which the European Commission has no power. The EU is waiting for proposals from Washington about potential changes to those surveillance laws. But early talks have centered on potentially beefed-up legal oversight of spying powers, which may fall short of what EU judges want.
Brussels is also finalizing changes to so-called standard contractual clauses — mechanisms that allow for the international transfer of data outside of the EU — by the end of 2020.
Complicating matters is that Ireland’s privacy regulator is expected to rule (pending legal appeals) that Facebook’s use of such clauses to move data on EU citizens to the U.S. breaches the privacy law. A decision is due in early 2021 over the legality of that ruling. If it stands, it could set a precedent limiting how other companies move data outside of the 27-country bloc.
In parallel, EU officials have been meeting with British counterparts since March over a potential adequacy agreement — a legal deal that would allow European data to move across the English Channel after December 31.
Two sticking points remain. Brussels is concerned about how British national security agencies may access EU data, and whether that data collection is illegal, particularly after another recent decision by Europe’s highest court. Officials are also worried the U.K. could become a go-between for U.S. authorities to similarly obtain EU data via the close relationship between American and British security agencies.
Washington has entered the Privacy Shield negotiations with one, if not two, arms tied behind its back. The November 3 presidential election, which may lead to changes in both the White House and Congress, has made any short-term decisions unlikely.
A multi-agency task force, led by the U.S. Department of Commerce, is currently preparing recommendations, though it’s unlikely to suggest wholesale legislative changes to restrict how U.S. security agencies collect and store data. New federal privacy rules — which have gained momentum after U.S. states like California passed their own data protection rules — could be on the cards in Washington, though there is no bipartisan agreement on how they should look.
In a paper published in late September, U.S. officials reiterated their view that EU citizens already have legal rights if they believe their data has been mishandled. They also said that domestic U.S. privacy rules provide “essential equivalence” to rights in the 27-country bloc. Europe’s highest court already disregarded both points.
Officials in Washington argue that companies can use standard contractual clauses to move data across the Atlantic. But in the wake of Ireland’s challenge to Facebook, it’s possible that other EU privacy regulators will question those transfers, too.
Among Capitol Hill staffers and within U.S. agencies, officials argue that Europe’s approach lacks coherence.
While the bloc has pushed its claim to limit how foreign security agencies access EU citizens’ data, some in Washington believe the region has not taken a similarly tough line on how domestic law enforcement agencies within member countries also siphon off people’s digital information. Under EU law, national security powers are left to national capitals, and Brussels has limited power to restrict such data collection practices.
After Brexit, the U.S. sees a potential data ally in Britain. The countries already have signed an agreement for data sharing between their national security agencies.
But, for most data transfers, Washington is likely to add London to any new agreement that it eventually signs with Brussels, albeit as an addition that would solely apply to U.S.-U.K. transfers. It already recommends that companies previously reliant on the now-invalidated Privacy Shield alter their policies so that transfers to the U.K. fall under this EU-U.S. deal.
London sees its data deal with Brussels as a slam dunk.
The country already complies with the EU’s privacy rules, and lawmakers remain adamant that an adequacy deal can be reached by December. In the past, such agreements between the EU and international partners have taken at least 12 to 18 months to hash out.
But EU officials have been scratching their heads over the U.K.’s intentions post-Brexit. The government’s insistence that it doesn’t intend to “wildly diverge” from EU rules once it leaves is undermined by the U.K. government’s intentions to do just that.
Some inside the country’s civil service have raised concerns that the EU will not approve of the data collection practices of the U.K.’s security agencies. As a third-party country, the U.K. does not have the same exemption as EU member countries do for the bulk data collection of its domestic national security agencies. But such concerns have yet to reach the upper echelons of Westminster, according to three officials who spoke on the condition of anonymity to speak about the internal discussions.
If an adequacy agreement is not in place by year-end, U.K. businesses will still be able to rely on standard contractual clauses to move data across the English Channel. London has already said that it would allow digital information to move freely from its side to Europe.
But just like the U.S., the U.K.’s ability to use these mechanisms is likely to be challenged by privacy campaigners, who must submit claims to EU privacy watchdogs if they believe their data is being mishandled by British national security agencies. Such cases, some of which are already being planned for early 2021, would likely take years to resolve.
As part of its negotiations with Washington over a free trade agreement, London has similarly voiced its support for a bilateral data agreement to build on its existing deal to share data around criminal and terrorism cases.
Some on both sides of the Atlantic also favor the creation of a data-sharing pact among the Five Eyes alliance, a group that includes the U.S., U.K., Canada, Australia and New Zealand. Such a group, according to its proponents, would offer a counterbalance to the EU’s push to export its data protection rules worldwide.
Yet as Canada and New Zealand already have adequacy agreements in place with the 27-country bloc, it’s unclear how such an arrangement could work if these countries wanted to maintain access to the EU. The U.K. is also reluctant to go it alone with the U.S. on data as roughly three-quarters of its current international data transfers are with the EU, according to government statistics.