Friday

9th Jun 2023

Opinion

Schrems privacy ruling risks EU's ties to digital world

Last month, Europe's highest court issued a judgment that threatens to sunder Europe's digital ties to the world.

On its face, the decision is a rebuke of US surveillance practices and a blow to US exporters.

Read and decide

Join EUobserver today

Become an expert on Europe

Get instant access to all articles — and 20 years of archives. 14-day free trial.

... or subscribe as a group

But the more enduring effect of this decision may be to isolate not the United States but Europe itself.

There is no easy or obvious solution to this crisis, but if the EU cannot find a way to ensure continued data flows, particularly with like-minded allies, Europe risks becoming an island in the digital world.

The transatlantic digital economy is deeply integrated, with about $300bn [€254bn] in trade in services that can be supplied digitally.

While the United States and Europe have taken divergent approaches to protecting personal data online, a framework called Privacy Shield (and its predecessor, Safe Harbor) has allowed companies to guarantee the protection of European personal data when transferring it to the United States.

Thousands of US companies have depended on Privacy Shield.

The list includes familiar names like Marriott, lululemon, and Shake Shack, but most are small and medium-sized enterprises. Fishbowl of Alexandria, Virginia, provides marketing software for restaurants. Pelican Parts of Harbor City, California sells auto parts over the Internet direct to consumers.

These companies collect basic information about their European customers - name, email, and so forth - and transfer that data to the United States for processing and storage.

The "Schrems II" decision—named for Maximilian Schrems, an Austrian privacy activist who has spent most of the past decade fighting the free flow of European data to the United States—invalidates Privacy Shield, effective immediately.

The court's concerns go back to 2013, when Edward Snowden revealed the reach of US domestic surveillance practices.

Perhaps more importantly, the Schrems decision casts doubt on most other legal tools for transferring European data abroad.

The global digital economy runs on data, and this decision makes it legally risky to export European data—not just to the United States, but almost anywhere.

Suddenly, firms can only confidently transfer European data to countries that have been deemed "adequate" by the EU. These "adequacy determinations," which analyse how closely a country's data protection laws resemble the EU's own, typically take years to complete.

25 years, just 12 decisions

In 25 years, only 12 countries have received an adequacy determination, a list that includes Guernsey, Jersey, and the Isle of Man.

Among major digital economies, only Japan has full adequacy (Canada enjoys "partial adequacy"); for everyone else, there is no longer solid legal ground on which data can be transferred.

With this decision, Europe is sliding toward a system of data localisation in which European data must stay in Europe. Big companies can likely bear the cost of creating redundant data systems in Europe, and for cloud computing providers that already have data centres in Europe (such as Amazon, Microsoft, and IBM), this decision could bring new customers.

But many businesses might decide the cost is too great, and instead eschew the European market altogether. Where that happens, European consumers and businesses will suffer.

There is no disputing that US authorities have the legal power to compel firms to hand over data. But the United States also has meaningful legal limits on those powers.

The situation is not so different in Europe: almost all EU member states have laws that allow the government to carry out surveillance in certain circumstances.

French surveillance law, for example, gives the state broad authority to monitor phone calls and emails without a warrant, and requires internet companies to collect citizens' data and share it with intelligence and law enforcement agencies.

Meanwhile, reforms implemented in the United States since the Snowden revelations have yielded safeguards that are clearer and stricter than most.

The United Kingdom is experiencing this double standard first-hand.

When it was part of the EU, the UK's domestic surveillance programs were its own business: the European Commission has no authority to pry into member states' security practices.

Brexit

Post-Brexit, the EU is now evaluating the UK's laws, and given the harsh judgment of US rules and practices, it is possible that the UK will be denied adequacy, jeopardising digital trade across the English Channel.

Where the rule of law cannot keep data safe, restricting the free flow of data may make sense.

Given the deep surveillance state in China and Russia, and the primacy of party over law, there is good reason to believe that personal data transferred to Moscow or Shanghai is neither private nor secure.

But lumping the United States, Australia, India, Korea, and potentially the United Kingdom into this same category is nonsensical.

And holding other countries to a higher standard than the EU holds its own member states violates a core tenet of the international trading system - a regime to which Europe professes great loyalty.

There are no quick fixes to this conundrum: the court's argument is grounded in the EU Charter, and the decision is effectively constitutional. Tinkering with Privacy Shield at the margins is not likely to yield an agreement that will stand up under European judicial scrutiny.

The court has effectively demanded that other countries harmonise their laws with Europe's own—and thus become eligible for adequacy—or be cut off from digital trade with the EU.

This is impractical and likely self-defeating.

When US and EU negotiators hammered out Privacy Shield, they did so because different societies—even those with common values—inevitably take different approaches to addressing the same challenges. Without mechanisms for interoperability, that diversity creates barriers to trade and commerce.

While some privacy activists have cheered the Schrems decision, the largely theoretical gains for data privacy may come at the cost of very real economic pain. Europe is deeply trade-dependent: its exports and imports total 90 percent of its GDP.

With more and more trade moving to the digital realm, Europe can ill-afford to cut itself off. Meanwhile, China continues to advance a vision for an internet that is fractured along national boundaries and controlled by governments.

The Schrems decision, along with Europe's broader push for "technological sovereignty," is a double blow in support of this top-down model.

Resolving the current crisis will take time and will earnest engagement among governments that seek an open, global digital economy with democratic values at its heart.

If Europeans hope to take part in that economy, the EU must opt for interoperability over harmonisation, and must avoid holding other governments to a standard that it cannot hold its own member states.

The European and American economies are both built on a foundation of post-War openness and trade—with each other, more than with anyone else.

Another 75 years of prosperity will depend on recommitment to those priorities.

Author bio

Sam duPont is deputy director of digital at the German Marshall Fund.

Disclaimer

The views expressed in this opinion piece are the author's, not those of EUobserver.

EU top court bins 'Privacy Shield' in Schrems privacy case

The EU's top court ruled that the EU-US data-transfer pact fails to protect EU citizens' rights to privacy - following a legal challenge from Austrian privacy activist Max Schrems against Facebook. Washington said it was "deeply disappointed" with the ruling.

Agenda

EU 'in-person' summit plus key data privacy ruling This WEEK

EU leaders will meet in Brussels on Friday and Saturday to discuss in person the EU's long-term budget and recovery plan to respond to the crisis. Meanwhile, the future of the EU-US Privacy Shield might depend on this week's ruling.

ECJ to clarify power of Belgian watchdog on Facebook cookies

The European Court of Justice is due to decide whether the Belgian data protection watchdog can pursue legal action against Facebook - after the social media network was found guilty of breaching Belgian privacy legislation some five years ago.

EU vs US tech agenda under Biden

What will the new Joe Biden administration bring to the realm of digital policy, and how will it affect the relationship with the EU?

Letter

Right of Reply from the Hungarian government

Authors Samira Rafaela MEP and Tom Theuns present as facts the extreme views of a politically-motivated campaign in the European Parliament. By doing so, they undermine the very foundations of the European Union.

Latest News

  1. Belgian bâtonnier on Russia: 'You can have a client you don't like'
  2. EU's proposed ethics body 'toothless', say campaigners
  3. Study: 90% of Spanish inflation 'driven by corporate profits'
  4. If Spanish economy is doing well, why is Sanchez poised to lose?
  5. EU lawyering for Russia: making 'good' money?
  6. The 'BlackRock exemption' has no place in the EU's due diligence directive
  7. Europeans don't see China as a rival, but weapons to Russia is a red line
  8. Cleaning workers urge Parliament: 'Europe should lead by example'

Stakeholders' Highlights

  1. Nordic Council of Ministers20 June: Launch of the new Nordic Nutrition Recommendations
  2. International Sustainable Finance CentreJoin CEE Sustainable Finance Summit, 15 – 19 May 2023, high-level event for finance & business
  3. ICLEISeven actionable measures to make food procurement in Europe more sustainable
  4. World BankWorld Bank Report Highlights Role of Human Development for a Successful Green Transition in Europe
  5. Nordic Council of MinistersNordic summit to step up the fight against food loss and waste
  6. Nordic Council of MinistersThink-tank: Strengthen co-operation around tech giants’ influence in the Nordics

Stakeholders' Highlights

  1. EFBWWEFBWW calls for the EC to stop exploitation in subcontracting chains
  2. InformaConnecting Expert Industry-Leaders, Top Suppliers, and Inquiring Buyers all in one space - visit Battery Show Europe.
  3. EFBWWEFBWW and FIEC do not agree to any exemptions to mandatory prior notifications in construction
  4. Nordic Council of MinistersNordic and Baltic ways to prevent gender-based violence
  5. Nordic Council of MinistersCSW67: Economic gender equality now! Nordic ways to close the pension gap
  6. Nordic Council of MinistersCSW67: Pushing back the push-back - Nordic solutions to online gender-based violence

Join EUobserver

Support quality EU news

Join us