World Trade Organization (WTO) disputes over aircraft manufacturing are regularly front-page news, but data privacy decisions from Europe this summer may have a far larger impact. In fact, if the U.S. and the EU don’t find a way to overcome the sudden hurdles placed in front of Transatlantic commerce, billions of dollars in trade are in jeopardy.
The hurdles have been erected by important decisions at the EU Court of Justice (CJEU) and the Irish Data Protection Commission (IDPC), that invalidated the Privacy Shield Framework — a Transatlantic agreement about how to legally transfer data from the EU to the U.S. — and associated standard contractual clauses that could be used by U.S. companies to be in compliance with EU law.
In essence, the CJEU and IDPC decisions may mean that no data can leave the EU if the U.S. is its destination. At a minimum, the prohibition will impact large platform companies like Facebook, Google, and Microsoft. But, thousands of smaller providers of connected services will also likely be covered by the rulings and, depending on how other parts of U.S. law are judged by the EU, a far larger amount of Transatlantic trade could also be impacted.
Under EU law, residents have a fundamental right to privacy, which is enforced through a series of legal protections, including the General Data Protection Regulation (GDPR). Max Schrems, a German privacy activist, undertook a series of lawsuits beginning in 2013 to challenge the adequacy of U.S. law to protect EU privacy rights. One of the main contentions in his suits is that U.S. national security laws are incompatible with the EU’s right to privacy.
In Schrems II, the CJEU agreed, holding that the U.S. government’s ability to collect data on EU residents without proper procedural protections makes it impossible for U.S. firms to be generally capable of complying with EU law. It left open the question of whether standard contractual clauses could be used by firms to individually guarantee adequate compliance with EU law. Two months later, however, the IDPC issued a preliminary opinion that such clauses were also unavailable.
The costs of this trade disruption will be enormous. According to the U.S. Chamber of Commerce, Transatlantic trade generates upward of $5.6 trillion, of which at least $333 billion was related to digitally-enabled services. The truth is that likely far more of that overall commerce is facilitated in some way by cross-border data transfers, such that a significant chunk of that commerce is now illegal.
What’s worse, it’s hard to see how the Internet doesn’t splinter under the strain of these types of rulings, as it seems likely that other countries have national security laws as invasive as those of the U.S.
Fortunately, the impact of the rulings out of the EU may be blunted by the fact that they place the EU in violation of international trade agreements. Under the General Agreement on Trade in Services (GATS), the EU is obligated to afford U.S. service providers the same level of treatment it affords domestic service providers. But the EU foundational treaty and GDPR both afford EU members discretion to manage their national intelligence, and it appears that EU members conduct surveillance in the same or substantially similar manner as the U.S. This trade imbalance put the EU in violation of GATS.
Of course, all of these concerns could be obviated were Congress to apply broad due process requirements to our nation’s surveillance programs that the EU believes are necessary for data transfers. After all, even if the EU applies its laws inconsistently to its own members, ensuring that our spy agencies don’t have essentially unlimited discretion is a good idea.
Whether Congress takes the easy way, or trade representatives and courts are compelled to take the hard way, the cost of not seeking a resolution to this uncertainty is enormous. At stake is no less than hundreds of billions of dollars in annual Transatlantic commerce.
Kristian Stout is Associate Director at ICLE where his research focuses on intellectual property, antitrust, telecommunications, and internet governance.