The ruling doesn’t affect all data
The court’s July 16 ruling limits transfer to the United States of E.U. citizens’ “personal data,” not other data flows. Within this category of personal data, the judgment is further limited, as it does not apply to “necessary” data transfers to the United States, such as emails or online travel or hotel bookings. These types of data are dealt with under “derogations” under Article 49 of the E.U.’s General Data Protection Regulation (GDPR).
Many companies, however, choose to store personal data of E.U. citizens with a U.S.-based service provider, not because it is “necessary,” but because it’s cheaper or has become integral to their business model. These are the types of data targeted by the court. The CJEU has determined that U.S. privacy protections surrounding such data are inadequate, and thus do not satisfy Europe’s GDPR requirements. Penalties are tough: Companies found to have violated the GDPR face fines of up to 20 million euros (approximately $23 million) — or 4 percent of their global turnover.
The global consequences are huge
What happens now? Months of regulatory and commercial chaos are now likely to ensue, chilling the $5.6 trillion transatlantic economy — already in deep recession — as companies work to disentangle their data and decide what should go where.
These decisions won’t be straightforward. Transatlantic data flows in general account for more than half of Europe’s data flows and about half of U.S. data flows globally. Almost 40 percent of those flows are through business and research networks. Of course, this isn’t just personal data, but it does suggest that the U.S. role as a central hub in the global digital economy may be damaged as companies shift certain kinds of data from the United States to the European Union.
The court did not just stop transfer of E.U. personal data to the United States; it also forbade such flows to any country that does not have adequate protections like those of the E.U. The court not only struck down the Privacy Shield, it ruled that another key tool that businesses use to transfer personal data — standard contractual clauses (SCCs) — can work only for transfers to jurisdictions whose privacy protections are E.U.-equivalent.
The United States plausibly fails this test, and it’s likely the same story for China, Russia and India. Up to this point, apart from a few small European neighbors, the E.U. has recognized only six other countries as having such protections. Even those arrangements may be suspect; the CJEU’s ruling was an implicit warning to the European Commission, emphasizing that its existing “adequacy” determinations (saying that a country’s privacy rules are adequate) may be open to judicial review. Canada, Japan, Switzerland and Argentina are taking note.
Through these decisions, the E.U. court has brought us closer to a world fractured into data spheres of influence. Each of the world’s major powers is maneuvering to define the rules of the game for the digital economy by embedding and extending their data governance models to wide swathes of the globe, including through extraterritorial application of their laws. The CJEU just gave such efforts further legitimacy.
In China, the data governance model is very different
China is extending its tightly controlled data governance model across Eurasia, the Middle East and Africa via a strategy that external commentators have dubbed the Digital Silk Road. Beijing is building China-centric digital infrastructure that can include digital surveillance tools that hoover up large pools of personal and corporate data with few legal guardrails. The result is the “Beijing effect”: Russia, Iran, Saudi Arabia, Egypt and a handful of other countries have adopted repressive laws resembling those of China, and have purchased Chinese surveillance technologies to access personal data of citizens and non-citizens alike.
The United States has traditionally championed the free flow of data, which essentially hands control to companies, even as the government engages in extensive surveillance activities that can access personal information. Washington enshrined its approach in the United States-Mexico-Canada Agreement (USMCA) and the U.S.-Japan Digital Trade Agreement, as well as the Trans-Pacific Partnership (TPP) and its successor, the Comprehensive and Progressive Agreement on Trans-Pacific Partnership (CPTPP). President Trump, however, pulled the United States out of the TPP and has failed to work with Congress to devise federal rules governing privacy of personal data.
The resulting vacuum in Washington has meant that the datasphere is being defined elsewhere. Many tech companies are aligning to the E.U.’s tough standards, based on the notion that “if I can make it there, I can make it anywhere.” Others could be guided by the “California effect”: The state’s recent Consumer Privacy Act could now become a standard-setter, much as its environmental regulations set global standards for auto emissions.
Daniel S. Hamilton (@DanSHamilton) is Austrian Marshall Plan Foundation Professor at Johns Hopkins University’s School of Advanced International Studies, and Richard von Weizsäcker Fellow at the Robert Bosch Academy in Berlin. Most recently he is the author, with Joseph P. Quinlan, of The Transatlantic Economy 2020.