A look at the EU Privacy Policy, gripped between internal misalignment and external chaos


By Martina Furlan, 89 Belgium

Day by day, it becomes increasingly evident that we need an international trade regime regulating data flows. One of the burning issues is data privacy. While, on paper, the EU has proper legislation for this, it also faces two main problems: it cannot function in isolation if other countries in the world have different standards, and its legislation is not enforced correctly.

The renowned economist Dani Rodrik recently drew our attention to the challenges facing the international trade regime. In his opinion, the global commerce regime is outdated, and its setup is appropriate for cars, steel, and textiles, rather than data, software, and artificial intelligence. This type of regime is unfit to face the challenges of national security, privacy, and competition, leaving individual national leaders to use the leverage of data unpredictably and according to narrow geopolitical interests. [1]

At best, individual leaders are trying to fix just one aspect of this complicated relationship, missing out on the opportunity to start building an international regime regulating data transfer. Yet national security, privacy, and competition are so intertwined that they need to be solved together, rather than separately. A prime example is US President Donald Trump trying to ban the Chinese mobile apps WeChat and TikTok on the grounds that data is being harvested from American users and sent back to the Chinese Government in Mainland China. Interestingly enough, a similar movement of data is happening with American tech firms, which collect users’ data in the EU and send it back to servers in the US, and may well make it available to the US Government. In fact, the FISA surveillance law has primacy over matters related to data in the US, even over data harvested in the EU under the European GDPR. [2]

Fortunately, on the old continent, the EU Charter of Fundamental Rights and the GDPR are there to protect European citizens’ privacy. Yet things are not as good as they might look, despite the repeated claims of EU officials regarding the intention to protect EU citizens from powerful private interests. A judgment by the European Court of Justice (ECJ) earlier this summer revealed the EU’s weaknesses.

The data transfer from the EU to the US has been regulated by the EU-US Privacy Shield Framework, jointly designed by the US Department of Commerce and the European Commission after the entry into force of the GDPR. The Shield has companies in the EU abide by higher privacy standards before transferring data to the other side of the Atlantic. In 2016, the Commission deemed the EU-US Privacy Shield adequate to enable data transfers under EU law. [3]

Nonetheless, in July 2020 the ECJ ruled the Shield invalid and upheld only the Standard Contractual Clauses as valid. EU and US law are clashing and, according to Austrian lawyer and advocate Max Schrems, who brought this case before the ECJ, there is no way we can overcome such a clash. On the one side, US law asks companies to disclose data while, on the other, the European Regulation prohibits it. The only way to solve this impasse would be for one of the parties to take one step back. Or one step forward, if the EU tried to push the US into changing its privacy law.

The advocacy activities carried out by Schrems came one year after another activist, Johnny Ryan, filed a complaint with the Irish privacy regulator about Google’s and other data brokers’ violation of the GDPR. According to Ryan, data brokers harvest people’s information to build highly detailed online profiles, using the “Real-time Bidding” practice, which is in breach of the GDPR. It took two years for the Irish Data Protection Commission to issue a preliminary order to stop sending user data to the US. [5]

Both cases were triggered by NGOs that had waited a long time for the regulators to act. This “David versus Goliath” scenario suggests that the EU is not keeping pace with its intentions of chasing Big Tech. A significant problem here is that individual EU Member States, where companies have their headquarters, are responsible for overseeing how firms comply with European privacy standards. And it looks as if EU states are not too keen on taking tougher action against these companies. The dispersion of the EU's executive power in this domain is indeed problematic. Therefore, besides changing the Shield's design after the ECJ ruling, the EU should carefully ensure that all Member States keep their eyes on the EU’s privacy standards.

European privacy policy goes hand in hand with any digital policy. Hence the necessity for the EU to fix its privacy policy by taking into consideration external and internal factors. Firstly, the EU will need to convince other countries to converge towards higher data privacy standards, with a view to building an international regime. Secondly, the EU Commission will need to ensure that rules are applied consistently throughout the EU and that all the stakeholders – including Member States as well as all the EU institutions – are doing their part.

[1] Rodrik, D. (2020). The Coming Global Technology Fracture. Available at https://www.project-syndicate.org/commentary/making-global-trade-rules-fit-for-technology-by-dani-rodrik-2020-09

[2] FAS. (2020). Foreign Intelligence Surveillance Act. Available at https://fas.org/irp/agency/doj/fisa/

[3] Owen, N. (2020). No EU instrument exists to overcome the clash between EU and US laws, says Max Schrems. Available at https://gdpr.report/news/2020/08/03/no-eu-instrument-exists-to-overcome-the-clash-between-eu-and-us-laws-says-max-schrems/

[4] European Data Protection Board. (2020). Statement on the Court of Justice of the European Union Judgment in Case C-311/18 – Data Protection Commissioner v Facebook Ireland and Maximillian Schrems. Available at https://edpb.europa.eu/news/news/2020/statement-court-justice-european-union-judgment-case-c-31118-data-protection_sl

[5] Irish Council for Civil Liberties. (2020). Submission to the Irish Data Protection Board. Available at https://g8fip1kplyr33r3krz5b97d1-wpengine.netdna-ssl.com/wp-content/uploads/2020/09/JohnnyRyanDocumnet.pdf
