Can EU-US data transfer deal counter China’s tech ascendency?

On July 10, the European Commission announced a new data transfer pact with the United States, a landmark and long-delayed deal that will allow the seamless transfer of personal data from the EU to companies based on US soil.

Titled the EU-US Data Privacy Framework, this accord permits US firms to maintain and process European data, thus securing the operations of tech behemoths like Google and Meta.

Although the agreement was inked in 2022, Europe’s top court had struck down two previous pacts because of concerns about US intelligence agencies accessing European citizens’ private data.

The Computer & Communications Industry Association, a non-profit whose members employ one million people in the tech sector and generate $540 billion annually, hailed the decision as a milestone which would allow the EU and US businesses to have “full legal certainty again to transfer personal data across the Atlantic”.

Against a backdrop of mounting tensions with Russia and an escalating rivalry with China, the US has increasingly found the value of its transatlantic partnership with Europe.

The US-EU data transfer pact has implications beyond the bilateral relationship between these two entities. The splintering of the Western bloc, driven by unresolved data transfer disagreements, would provide an opportunity for China to fortify its position in the global digital ecosystem.

Indeed, in its effort to revitalise the transatlantic alliance, the Biden administration recognised that data fragmentation within this unity would potentially empower China, allowing it to expand its digital influence globally.

Beyond commercial interests, the US is endeavouring to elevate the importance of the Western model of digital governance as a counterbalance to China.

Struggle over transatlantic data privacy

EU privacy laws have long prohibited the transfer of its citizens’ data outside of the EU unless it is moved to a location considered to provide ‘adequate’ privacy protections in line with those of the EU.

The Safe Harbour Agreement, a former pact established between the European Commission and the US in 2000, fundamentally committed to protecting the data of EU citizens when transferred by American companies to the US.

Nonetheless, in 2015, after a protracted two-year legal battle and in the aftermath of the revelations from Edward Snowden, the top court in the EU invalidated the Safe Harbour Agreement. The court determined that this arrangement did not provide sufficient safeguards for consumer data.

In response to the Safe Harbour ruling, the Privacy Shield was established in 2016 to enable businesses in the EU and the US to transfer data more easily between the two regions. Over 5000 companies utilised this system. However, in 2020, the European Court of Justice declared that the Privacy Shield agreement too did not align with European privacy rights.

This decision marked the second time Austrian data-protection activist Max Schrems successfully overturned an EU-US data-sharing pact. In 2015, he campaigned for the court to invalidate Safe Harbour, the predecessor to the Privacy Shield, citing concerns that American spy agencies could access data transferred from the EU.

Schrems used a similar argument with the Privacy Shield agreement. He filed a complaint against Facebook, arguing that his privacy rights were compromised when his data was transferred to the US, thereby making it susceptible to American surveillance. The case eventually grew into a broader referendum on the legitimacy of data-transfer agreements when data is exported from the EU.

What changed?

The European Commission officially acknowledged the US as a country providing sufficient protection for European citizens’ personal data, by adopting what is referred to as an adequacy decision under its privacy legislation, the General Data Protection Regulation.

An adequacy decision is a method through which the EU evaluates whether a non-EU country provides an adequate level of data protection.

“Adequacy” does not necessitate that the third country’s data protection system exactly mirrors that of the EU, but it must meet a standard of “essential equivalence” determined by an assessment of the protections applicable to personal data as well as the oversight mechanisms and avenues for redress available.

The Data Framework offers several new rights to EU individuals whose data will be transferred to participating US companies. These rights include the ability to access their data, as well as to seek correction or deletion of inaccurate or unlawfully processed data.

Additionally, the framework provides various redress channels in the event of incorrect data handling, including recourse to independent dispute resolution mechanisms and an arbitration panel, both available free of charge.

US companies can certify their participation in the framework by pledging to adhere to a comprehensive set of privacy obligations. These could encompass privacy principles like limiting the purpose of data use, minimising data collection, and controlling data retention, as well as specific responsibilities related to data security and third-party data sharing.

A pivotal element of the US legal framework, upon which the adequacy decision is anchored, is the executive order on ‘Enhancing Safeguards for United States Signals Intelligence Activities’. Signed by President Biden on October 7 last year, this order is supplemented by regulations put in place by the attorney general.

These measures were specifically designed to address the issues highlighted by the Court of Justice in its Schrems II judgement. They include binding safeguards that limit the access of US intelligence authorities to data, confining it to what is necessary and proportionate for the protection of national security.

Moreover, the framework enhances the oversight of activities carried out by US intelligence services to ensure compliance with limitations on surveillance activities.

The new regulation also establishes an independent and impartial redress mechanism. This includes the creation of a new Data Protection Review Court tasked with investigating and resolving complaints regarding access to data by US national security authorities.

However, the latest agreement does not necessarily mean an end to the long-standing saga. Schrems signalled his intent to likely contest the new deal in court by the end of August, anticipating his grievance to be presented before the European Court of Justice in early 2024.

According to Schrems, the updated deal fails to provide Europeans with satisfactory safeguards, even in light of changes to US data policy.

He mentioned the need for substantial amendments to US surveillance law for effective implementation, a requirement he sees as not being met. He also expressed concerns over new provisions, such as the inclusion of climate change and international health crises as justifications for mass surveillance.

Data is the new weapon

Lingering concerns notwithstanding, the newly-brokered deal is expected to smooth the operations within the colossal commercial relationship between the US and EU, potentially opening the door to further developments.

As stated by the White House, the magnitude of these transatlantic data flows is formidable, underpinning an estimated $7.1 trillion in economic activities. With thousands of companies operating across both continents, the impact of this deal is vast.

Amid geopolitical tensions with Russia and rivalry with China, the US significantly values its transatlantic alliance. The latest agreement alleviates a major point of contention between the US and EU, reinforcing unity at a critical time when geopolitical challenges demand a solid transatlantic front.

While data transfer issues have often been sidelined in mainstream conversations, the absence of a resolution could drive the world’s two largest markets towards forming distinct blocs. This fragmentation, likely to exacerbate as the global economy further digitalises, would serve to benefit the third significant player in the digital landscape: China.

The contemporary adage that ‘data is the new gold’ rings especially true for China, which aims to emerge as the global AI (artificial intelligence) leader by 2030.

The sheer size of its population provides the country with an unrivalled data trove, serving as a strategic advantage in the AI battlefield. A vivid example of this prowess is the pervasive use of facial recognition across China, underscoring the country’s broad AI application.

However, while the US and EU enhance their data interoperability, China is doubling down on isolating its data from the rest of the world. This isolation is not born out of privacy concerns, as is the case with the EU, but rather out of a deep-seated apprehension surrounding espionage fueled by national security considerations.

As a result, global companies are trying to adapt to the country’s increasingly stringent data and anti-espionage laws amid deteriorating relations between Washington and Beijing.

The US mirrors this stance towards Chinese firms, including popular platforms like TikTok. It’s clear that both sides of this rivalry are taking steps to shield their valuable data from potential external risks.

The ultimate frontrunner in the technology race could likely be determined by the size of the market they serve, in conjunction with the volume of data they control and process.

The race for AI is a marathon, not a sprint. It’s crucial to understand that AI is an evolving target, one that constantly transforms and recedes even as we close in. Therefore, fostering an environment conducive to AI development is arguably more important than the pursuit of a specific technology breakthrough.

While individual technologies undeniably serve as stepping stones to further discoveries and implementations, the true essence of the AI competition resonates more with the analogy of the industrial revolution. The technological race we are currently witnessing is more akin to an expansive, epoch-defining shift rather than a singular, isolated technology.

In light of this, increased access to data undoubtedly creates more room for manoeuvre for the US and the transatlantic alliance. Europe’s stance on competition with China remains somewhat nebulous - they could potentially decide to take a neutral, non-committal position. However, empowering US firms with greater access to data will undoubtedly serve as a significant boost.

As the world pivots towards the digital, the data-access advantage can become a determining factor in the AI race.

Whether it is the US, Europe, or China, each entity must strive to cultivate a fertile environment for innovation while harnessing the power of data to fuel its AI ambitions. Ultimately, the winner of the AI race will be the one who can best utilise data within a nurturing innovation ecosystem.