Behind the US Concessions to the EU on Transatlantic Data Transfers

During US President Joe Biden’s March visit to Europe, the European Commission and the United States announced that they had agreed in principle on a new Trans-Atlantic Data Privacy Framework (TADPF). It is a breakthrough between the two parties on data transfers after the Privacy Shield was invalidated by the Court of Justice of the European Union (CJEU) in 2020 due to concerns about the shortcomings in US laws that impede the protection of personal data and are in conflict with Europe’s General Data Protection Regulation (GDPR). 

Such an agreement could not have been reached without what the Biden administration called “unprecedented commitments” made by the US. The legal text of the framework has yet to be published, but the US has promised to address the CJEU’s concerns on data privacy and security. Some of the measures are specified in the statement released by the White House. For instance, it will put new safeguards to ensure that surveillance activities are necessary and proportionate in pursuit of defined national security objectives. It will establish a multi-layer independent redress mechanism with binding authority that can apply remedial measures, and it will enhance rigorous and layered oversight of signals intelligence activities. 

After a yearlong battle over data traffic between the two parties, why did the United States make such compromises? No doubt economic interests mattered, but the ongoing Ukraine-Russia war made the deal more imperative. Although the announcement of the TADPF provides temporary relief for businesses which faced uncertainty over their ability to move data between the US and Europe, the future of the EU-US cooperation on digital data traffic is not promising due to the divergence between the two sides in their data governance approaches and underlying norms. 

Given the ever more digitalized world economy, the significance of data flows is profound. Trade and investment between the US and Europe, valued at US$7.1 trillion, are underpinned by digital data flows between the two. In 2020, Europe was the US’s main commercial partner in the digital economy. The US registered a surplus of US$105 billion in the trade of digitally-enabled services with Europe; it exported US$247 billion and imported US$142 billion.

About 46 percent of US digitally enabled services were exported to Europe, while about 45 percent of those services was imported from across Atlantic Ocean. The trade in digitally enabled services between the US and Europe was much more than US digital trade with the rest of the world. Meanwhile, the US only accounted for about 14 percent of total exports and 25 percent of total imports of the digitally enabled services of the 27 EU members. This data indicate that the US depends more on the EU in terms of the development of the digital economy rather the other way around. 

The US government is recognizing the need to cooperate with big technology firms, even as these companies are putting more and more pressure on Washington on digital trade policy. The Biden administration has been partnering with tech giants on cybersecurity. Meanwhile, due to the close links between them, including donations to the president’s election campaign, appointments of tech-sector executives to senior government positions, and the extensive lobbying activities by the companies, the White House simply cannot ignore the demands of the tech giants such as Meta Platforms, Alphabet and Microsoft. While they are headquartered in the US, Europe is a large market for them. The lack of an agreement on data transfers between the EU and the US created uncertainties and risks including the possibility of suspension of their operations in Europe. 

Meta Platforms, the parent company of Facebook and Instagram, had openly stated that it may be forced to retreat from Europe if authorities on both sides of the Atlantic cannot reach a new framework on data flow to replace Privacy Shield. Europe is the group’s second largest market after the US and Canada. Going by 2020 data, withdrawal from the European market would mean the loss of 24 percent of the company’s total revenue and 25 percent of its turnover. Meta Platform and other US tech giants simply cannot afford to lose lucrative European market. The major tech firms are not able to address the EU’s concerns over data privacy by themselves without the US federal government making improvements to data law and regulations. This means that the tech companies will have to step up their engagement with Washington.

On his first visit to Europe last year, Biden agreed to set up the US-EU Trade and Technology Council (TTC). It followed that on this recent trip, he would reach a preliminary deal on data transfers. The US is looking to forge a transatlantic tech alliance. This would be a logical step in shoring up the security alliance that was so damaged under the previous administration of Donald Trump, who had openly expressed doubts about the utility of NATO and was critical of fellow members for puling their fair share of the costs of the defense of Europe. Reversing Trump’s approach was a priority on Biden’s foreign-policy agenda, made all the more critical since Russia invaded Ukraine on February 24, with President Vladimir Putin contending that his actions were compelled by NATO’s expansion to his country’s borders.   

Maintaining unity between the US and EU has become an extremely important and urgent goal for the US since the outbreak of the war in Ukraine. The White House acknowledged that Biden’s visit to Europe in March was to consolidate the cohesion of the West in countering Moscow. While in Europe, in addition to the data transfers concessions, the US also made key offers of support to Europe on energy security. 

The EU and US agree that financial and economic sanctions are important to stop Russia’s war in Ukraine. But due to its heavy reliance on Russian gas and oil, the EU has hesitated to impose sanctions on Russia’s energy exports. In the joint statement aimed at addressing European energy supply concerns, the US promised to boost shipment of liquified natural gas (LNG) to Europe immediately and over the longer term. This demonstrated Washington’s willingness to contribute to EU energy security at this critical time. By issuing the joint statement on TADPF, the US also expressed its understanding of and willingness to assuage European worries on data transfers and security. These two statements clearly underscored the Biden administration’s determination to strengthen mutual trust between the US and EU, bolster the transatlantic alliance, and solidify their joint efforts against Russia over Ukraine.

The announcement of preliminary agreement on the long-awaited TADPF cheered business sector on both sides of the Atlantic. Microsoft applauded the framework, saying that it would “rebuild and strengthen the data protection bridge between the EU and the US.” Global Data Alliance, a cross-industry coalition of companies, reckoned that the new framework would increase economic opportunities in both the US and Europe. 

Whether the TADPF allows the US and EU to settle finally their long-running dispute over data transfers with TADPF is yet unclear. Finding that national security agencies of the US can have access to personal data transferred from Europe, CJEU invalidated both Safe Harbor Privacy Principles and the EU-US Privacy Shield, the two predecessors of the TADPF. 

Breakthrough: After an EU court invalidated two previous data governance mechanisms, the US made major compromises to secure a new Trans-Atlantic Data Privacy Framework (Credit: davidhirjak / Shutterstock.com)

To address fully the CJEU’s concerns, the Biden administration needs to amend domestic regulations including Section 702 of the Foreign Intelligence Surveillance Act (FISA 702), Executive Order 12333 and Presidential Policy Directive 28 (PPD-28). These legal adjustments will not be easy, but without them, any framework on data flow between the EU and the US will not be sustainable. Austrian digital privacy activist and lawyer Max Schrems, who was behind the lawsuits that challenged the Safe Harbor and Privacy Shield, said that the lack of details of the new framework was troubling, warning that he would not hesitate to go to court again if the final agreed text of TADPF failed to be in line with EU laws. 

What is more, the future of EU-US cooperation on data transfers could be even less promising due to their differences in their approaches to data governance and, in particular, in the fundamental norms underpinning these strategies. As I have discussed in an earlier AsiaGlobal Online article, the US adopts a laissez-faire, minimalist approach, while the EU believes in a relatively more interventionist model. The divide is even more fundamental: The EU emphasizes fundamental rights of human beings, while the US is more focused on the market. In the US, data is a form of capital. Data privacy is required to safeguard the fairness of the marketplace and the consumer’s right to privacy. The Federal Trade Commission (FTC), whose mission is to protect consumers and competition, is therefore the designated federal agency responsible for data privacy protection. Due to this liberal and market-based perspective, the US has yet to issue any comprehensive data privacy laws at the federal level. 

By contrast, the EU not only views personal data privacy as a fundamental human right but it also treats data protection as a critical part of creating a collective European identity. Thus, the protection of personal data privacy is written into the EU Charter of Fundamental Rights. This constitutional status means that the enactment of data protection is comprehensive, with no areas left unregulated. More important, in adhering to this human-rights norm, EU authorities are unlikely to compromise on their protection efforts under any circumstances. The US government’s stance on the protection of data privacy, meanwhile, is more open to debate and negotiation, as it is based on the market-state relationship rather than any commitment to protect fundamental human rights that are constitutionally guaranteed.

This divergence in philosophy is behind the so-called Transatlantic Data War that broke after national security consultant Edward Snowden revealed details of US data surveillance operations. The US federal government reserves the right to have access to personal data for reasons of national security. The EU disagrees, arguing that data privacy, as a fundamental human right, cannot be compromised anyway. It was because of worries that human rights of European citizens would not be adequately protected in the US that led the CJEU to nullify Safe Harbor in 2015 and its replacement, Privacy Shield, in 2020. 

Although the US and EU have reached preliminary consensus on the replacement of the Privacy Shield, the norms underpinning their respective approaches towards data privacy have not changed. During the ongoing negotiations for the new framework, the EU was represented by European commissioner for justice, underscoring the primacy of human rights protection, while the US was represented by its secretary of commerce, reflecting Washington’s underlying market-based approach. Even though the two parties have reached a new consensus on the legal ground for transatlantic data transfers, the resulting framework could be as short lived as its two predecessors.