This article is part of our special report Re-connecting Europe.
Three years after the EU’s flagship GDPR data protection regulation came into force, confusion over international data transfers following the landmark Schrems II ruling is threatening to hamper new technologies and jeopardise the bloc’s digital agenda.
On 16 July 2020, the Court of Justice of the European Union ruled for the second time that the EU-US Privacy Shield Framework was invalid as the United States did not ensure a data protection level comparable to the EU’s GDPR.
The Schrems II ruling, as it came to be known, has far-reaching consequences not only for EU-US data relations, but for all third countries as it requires European firms to assess if the country they are transferring data to provides adequate protection under EU law.
“Schrems II invalidated one transfer mechanism and cast serious doubts over the others. It left businesses with no clear path to transfer data to the US – or other countries that haven’t been deemed adequate. It weighs heavily [on] the most important channel of global trade and the global economy,” Omer Tene, vice president and chief knowledge officer at the International Association of Privacy Professionals, told EURACTIV.
In November, the European Data Protection Board (EDPB) issued a series of recommendations detailing how to ensure an “EU level of data protection.” The EDPB also gave its opinion on data protection offered in third countries, which, although not legally binding, is a key step for formal recognition.
If a third country does not provide the minimum data protection level required by GDPR, the data processor must either enact additional protection measures or stop the data transfer altogether. The most recent example is the Portuguese Data Protection Authority, which on 28 April requested that the National Institute for Statistics stop the transfer of personal data to the United States.
GDPR enforcement is left to the member states’ Data Protection Authorities (DPAs). For third countries where the data protection level is not considered adequate by the EU, the individual DPAs are left to interpret the requirements on their own. Too loose an interpretation is a risk to GDPR, while too strict an interpretation risks creating additional barriers to global data transfer.
The EU is essentially asking third countries to comply with its data protection rules or it will halt data flows with them, effectively putting GDPR forth as the global standard. Several countries have followed the GDPR example in their data protection regulation, notably Japan, Brazil and South Korea.
Europe’s pulling power comes from the size of its economy, which represents 15% of the world’s GDP. However, projections show the bloc’s economic importance will shrink in relative terms as growth concentrates elsewhere. Brussels’ influence is likely to wane as a result.
What’s more, legislative ambiguity or strict regulation might create barriers or raise the cost of accessing the EU digital market. Data transfers are at the core of international trade and technological exchanges. Unpredictable data flows could marginalise European technological development and jeopardise the bloc’s digital ambitions.
The uncertainty following the Schrems II ruling has proven massively disruptive in terms of EU-US data transfer, the largest data flow in the world.
“Virtually all industries that conduct transatlantic business are affected by this uncertainty,” wrote Jason Oxman, president and CEO of the Information Technology Industry Council (ITI), in a blog post.
“Avoiding disruptions to data flows is key to minimize any negative economic consequences, particularly in the wake of the COVID-19 crisis and the ongoing economic recovery in both Europe and the US,” he added.
Members of the European Parliament have urged the European Commission to provide clear guidelines for data transfers with the US. Negotiations are in fact already under way, ahead of the EU-US leaders’ meeting taking place next month.
“We have seen enough with the Cambridge Analytica, hacking and data leakage scandals to understand that data protection is not a luxury, it is a must […] the European Union is focusing on the protection of fundamental rights in all different areas, including the digital world,” European Commission Vice-President Věra Jourová told a recent Digital Europe event.
In September, China issued the Global Initiative on Data Security, a global data governance proposal aimed at assuaging Western and Chinese mutual distrust. This move was intended to counter the Trump administration’s Clean Network initiative, which explicitly mentioned the Chinese Communist Party as an “authoritarian malign actor”.
Beijing tried to dissipate the distrust in Chinese tech companies, detailing measures against “back doors” that would enable surveillance by public authorities. Tech giant Huawei was recently excluded from 5G infrastructure projects across Europe on the back of such allegations.
A Huawei spokesperson told EURACTIV that the company “is fully supportive of the EU’s European data strategy as this will allow Europe to unleash the potential of data for European people, business, researchers and public administration.”
Some observers have been sceptical of the intentions behind the Chinese move. Rebecca Arcesati, an analyst with MERICS, wrote in a blog post at the time that the Chinese global data initiative was “not so much a concrete proposal as a rhetorical exercise,” and argued China was trying to take advantage of “transatlantic divergences” on data governance.
China followed up with a draft Personal Information Protection Law (PIPL), a privacy framework broadly inspired by GDPR. The second draft of the law was published for comments at the end of April, and includes obligations to have individuals’ consent for data collection, limits on data processing and the institution of independent privacy committees for large online platforms.
Experts note that PIPL, if adopted in its current form, would see China ensure greater data protection than in the US, as well as limit the power of Chinese public authorities.
However, Tene of the International Association of Privacy Professionals said the proposed Chinese framework would not solve the issues raised by Schrems II because it would protect data transferred to Chinese businesses but not apply to the Chinese government.
Global data governance
Observers continue to call for a global agreement on data governance to clarify issues related to Schrems II and GDPR.
“So far … most countries have made an effort to avoid shutting down opportunities to transfer data,” Frederik Erixon, director of the European Centre for International Political Economy (ECIPE), told EURACTIV.
However, “as regulations change, and as we move into more applied areas for personal data in AI, the frictions will only grow larger. There is a serious risk that cross-border exchange will suffer pretty badly,” he warned.
[Edited by Josie Le Blond]