Is the third time the charm for a trans-Atlantic data privacy framework?
The United States and the European Union have the world’s largest digital trading relationship, underpinning their overall $7.1 trillion economic exchange. A large share of corporate data transfers between the two economies has nevertheless been in legal limbo since the Court of Justice of the European Union’s July 2020 decision, known as Schrems II, invalidated the framework that allowed the two trading blocs to bridge their different privacy regimes, just as a similar challenge had invalidated the previous framework. Both rulings determined that U.S. laws and regulations granting government access to private individuals’ data for intelligence purposes made it impossible for companies engaged in trans-Atlantic data transfers to ensure that E.U. citizens’ data would receive equivalent protection in the United States and in the European Union.
At the time of the Schrems II decision, more than 5,300 companies — mostly small and medium-sized enterprises — relied on the framework to move personal data, such as employee records or customer names and email addresses, between Europe and the United States. While many of them continue to do so using standard contractual clauses, compliance under this method is more expensive and less uniform due to the Court of Justice’s follow-up ruling that when using them, data exporters must verify on a case-by-case basis that the destination country provides E.U. citizens’ data with equivalent protection or, if necessary, ensure that “supplementary measures” are adopted. Implementing a new framework would reduce compliance costs and generate efficiencies for companies operating in both markets, especially for SMEs for whom compliance under the standard contractual clause approach represents a disproportionate cost relative to their size.
There is now a glimmer of hope for a more durable solution. Shortly after the May 2022 meetings of the U.S.-E.U. Trade and Technology Council, officials announced an agreement in principle on a new data transfer framework. A forthcoming executive order is set to guide implementation on the U.S. side. Though details are scant, a court challenge is inevitable: The eponymous Max Schrems maintains that an executive order is an insufficient guarantee of privacy protection for E.U. citizens.
E.U. mistrust of U.S. data handling forms a shaky foundation for a new framework
A perennially skeptical European public — specifically when it comes to U.S. data privacy practices — is likely to serve as an additional roadblock to an enduring resolution by preventing European national authorities from pushing back too forcefully against a Schrems-style legal challenge.
Generally speaking, E.U. and U.S. adults trust one another quite a bit. When asked to what degree they trust the other party on a range of 14 foreign policy issues, adults in France, Germany, Italy and Spain more often than not trust their U.S. counterparts on eight of them. But they reported the least trust in the United States to store and manage their personal data. Only the Spanish are more likely than not to trust the U.S. to handle their personal data (second figure below). Across all four countries, distrust of the United States prevails on this front.
Adults in Major E.U. Markets Don’t Trust the United States to Store and Manage Their Personal Data
Europeans’ doubts are well-founded. Years after WikiLeaks sparked concerns in Europe about U.S. intelligence services having access to E.U. citizens’ personal data, recent reporting on the U.S. government’s ongoing data collection initiatives suggests not all that much has changed.
By contrast, data nativism is less prevalent in the United States. U.S. adults are roughly equally split on the issue, with a third trusting the European Union to store and manage Americans’ personal data, a third distrusting it, and a third unsure.
U.S. Adults Are More Unsure of Whether to Trust E.U. Data Handling Practices Relative to European Sentiment Toward U.S. Practices
Companies should wait for the dust to settle before going all-in on the new framework
U.S. implementation of a new privacy framework via executive order will give the agreement a more robust foundation than previous iterations, which centered around designating a senior bureaucrat as an ombudsman to handle E.U. citizens’ complaints. But it may not be enough to overcome the inevitable legal challenge claiming that the new framework still does not provide protection equivalent to that of E.U. law, given the relatively strong public skepticism.
Large companies with sufficient resources to deal with compliance requirements under the existing workaround approach involving standard contractual clauses should continue to do so in the interim. Large companies as well as small and medium-sized enterprises should also wait to see how legal challenges shake out in the E.U. Court of Justice before making costly adjustments to align their data transfer practices with the new framework.