To fully address the CJEU’s concerns, the Biden administration needs to amend domestic regulations including Section 702 of the Foreign Intelligence Surveillance Act (FISA 702), Executive Order 12333 and Presidential Policy Directive 28 (PPD-28). These legal adjustments will not be easy, but without them, any framework on data flow between the EU and the US will not be sustainable. Austrian digital privacy activist and lawyer Max Schrems, who was behind the lawsuits that challenged the Safe Harbor and Privacy Shield, said that the lack of details of the new framework was troubling, warning that he would not hesitate to go to court again if the final agreed text of TADPF failed to be in line with EU laws.
What is more, the future of EU-US cooperation on data transfers could be even less promising due to differences in their approaches to data governance and, in particular, in the fundamental norms underpinning these strategies. As I have discussed in an earlier AsiaGlobal Online article, the US adopts a laissez-faire, minimalist approach, while the EU believes in a relatively more interventionist model. The divide is even more fundamental: The EU emphasizes fundamental rights of human beings, while the US is more focused on the market. In the US, data is a form of capital. Data privacy is required to safeguard the fairness of the marketplace and the consumer’s right to privacy. The Federal Trade Commission (FTC), whose mission is to protect consumers and competition, is therefore the designated federal agency responsible for data privacy protection. Due to this liberal and market-based perspective, the US has yet to issue any comprehensive data privacy laws at the federal level.
By contrast, the EU not only views personal data privacy as a fundamental human right but it also treats data protection as a critical part of creating a collective European identity. Thus, the protection of personal data privacy is written into the EU Charter of Fundamental Rights. This constitutional status means that the enactment of data protection is comprehensive, with no areas left unregulated. More important, in adhering to this human-rights norm, EU authorities are unlikely to compromise on their protection efforts under any circumstances. The US government’s stance on the protection of data privacy, meanwhile, is more open to debate and negotiation, as it is based on the market-state relationship rather than any commitment to protect fundamental human rights that are constitutionally guaranteed.
This divergence in philosophy is behind the so-called Transatlantic Data War that broke out after national security consultant Edward Snowden revealed details of US data surveillance operations. The US federal government reserves the right to have access to personal data for reasons of national security. The EU disagrees, arguing that data privacy, as a fundamental human right, cannot be compromised in any way. It was worries that the human rights of European citizens would not be adequately protected in the US that led the CJEU to nullify Safe Harbor in 2015 and its replacement, Privacy Shield, in 2020.
Although the US and EU have reached preliminary consensus on the replacement of the Privacy Shield, the norms underpinning their respective approaches towards data privacy have not changed. During the ongoing negotiations for the new framework, the EU was represented by the European commissioner for justice, underscoring the primacy of human rights protection, while the US was represented by its secretary of commerce, reflecting Washington’s underlying market-based approach. Even though the two parties have reached a new consensus on the legal ground for transatlantic data transfers, the resulting framework could be as short-lived as its two predecessors.