The window of opportunity for an agreement between the United States and European Union (EU) on a common tech rulebook is open once again. In December 2020, the European Commission, encouraged by the victory of ardent Atlanticist Joseph Biden in the US presidential election, issued A New EU-US Agenda for Global Change, an ambitious proposal for strengthening and broadening the transatlantic relationship in multiple key domains including technology governance. In turn, the Biden Admiration has vowed to restore US alliances harmed by the previous administration and to deepen its cooperation with like-minded countries to counter the influence of authoritarian states over global technology rules. This alignment of interests on both sides of the Atlantic has created an unprecedented opportunity to overcome the differences that have prevented the two parties from adopting a common, normative framework on tech regulation, most notably on data governance, privacy protection, and digital taxation. Building on the momentum generated by the EU-US summit, leaders from both sides should take advantage of this new political climate to strengthen the transatlantic bond and adapt it to the needs of data-driven economies.
Why does it matter?
First, the global economy and international trade have become increasingly data driven. According to the report on the future of international trade launched by the World Trade Organization in 2018, the growing digitalization of the global economy will impact international trade in three significant ways: the importance of cross-border data flows as a component of trade in goods and services will grow significantly in the coming years.; trade in digitizable goods (e.g. DVDs or physical books) will decline while trade in digital services such as streaming services and e-books will grow; and regulation of data flows and other technology legislation will become an important source of comparative advantage. Therefore, adopting an agreement on transatlantic data flows is indispensable to adapt the normative framework that governs the EU-US trade relations to the new data-based reality.
Second, innovation in the transformative technologies of the Fourth Industrial Revolution (e.g. artificial intelligence and cloud computing) requires a vast amount of data from various sources. As a consequence, countries and businesses that have access to large pools of data are more competitive than those that do not. Currently, China is often referred to as a country with access to almost infinite datasets while having data protection rules focused on national security rather than individual rights. This gives Chinese companies an enormous advantage over their European and American competitors in the development of AI and other technologies. Therefore, an agreement facilitating the exchange of data across the Atlantic via a secure and privacy-respecting framework may increase the competitiveness of both European and American companies in the global economy.
Third, authoritarian states such as Russia or China promote an illiberal, techno-nationalist vision of global governance based on harsh restrictions on cross-border data flows with little respect for fundamental human rights. Even more troubling is that these states export their vision of tech governance to developing countries by selling their technology and providing training programs on surveillance and other repressive techniques. They are also highly active at the multilateral level. China, for instance, promotes its approach to internet regulation as an alternative to the current internet architecture via various standardization fora and strategic documents such as China Standards 2035 or the new IP protocol proposed by China to the International Telecommunications Union (ITU). For this reason, by establishing a transatlantic framework on data governance that would ensure free flow of data while protecting human rights, the EU and United States would reiterate their commitment to free internet and set a global standard for other countries to follow.
Fourth, the COVID-19 pandemic has shown how crucial it is for governments to have well-functioning, speedy, and secure access to data of different types and origin. By using data modeling and AI technologies, public authorities can predict with greater accuracy the evolution of different public emergencies as well as long-term threats and thus adopt better informed, more precisely targeted policies. This will be of particular importance to refine societal adaptation capacity and resilience to climate change in a wide array of fields, ranging from agriculture to urban planning to public health. Secure data sharing between the US and European publics as well as research authorities may help significantly in this endeavor. However, to tackle the most pressing global issues such as global pandemics or climate change, the United States and the European Union need a data sharing framework that extend beyond the transatlantic space. Therefore, it is crucial that the EU and United States find agreement on the creation of a safe, rights-based data exchange framework that would foster the connection between experts and research institutions from other global players such as China, India, or Brazil.
Where are we now?
Despite the clear benefits to be harnessed by both sides in establishing a framework for free exchange of data across the Atlantic, there are multiple contentious points that make the adoption of such agreement difficult. Assessing the current transatlantic digital landscape, there is tremendous asymmetry between the United States and the European Union in tech legislation. Although the two entities often call each other like-minded, there are significant limits to this like-mindedness, notably when it comes to data governance, privacy protection, and digital taxation. While the United States applies a laissez faire approach to tech governance that leaves a lot of space for self-regulation by private entities, the EU has a robust regulatory framework that imposes firm guardrails for tech companies. The best illustration of the EU’s strict approach to tech regulation is the General Data Protection Regulation (GDPR) that defines how private data of EU citizens may be collected and processed. The EU plans to expand its tech rulebook even more through recently unveiled drafts of the Digital Markets Act, the Digital Services Act, and the Data Governance Act. However, despite its global leadership in tech regulation, the EU lags far behind the United States (and China) in industry innovation, with few major tech companies of its own.
On the other side of the Atlantic, as the the birthplace and home of the world’s five biggest tech companies, the United States is a global leader in tech innovation. However, for the moment, it has a relatively thin tech rulebook, lacking federal legislation on issues such as privacy protection or governance of online content. This regulatory asymmetry creates a challenging constellation for any potential transatlantic regulatory framework on technology as it would have to reconcile two partners with seemingly irreconcilable approaches to tech regulation and vastly different levels of innovation. Some EU policymakers have already identified this regulatory asymmetry as a problem and call for more innovation and less regulation. For instance, French president Emmanuel Macron has said, “when you look at the map, we have what we call the GAFA [Google, Alphabet, Facebook, Apple] in the US, the BATX [Baidu, Alibaba, Tencent, Xiaomi] in China and GDPR in Europe.”
This regulatory asymmetry is most palpable in the field of privacy protection. The difference of views between the EU and the United States on the subject stems from different paradigms and historical experiences. In the United States, the prevailing approach to the use of private data by tech companies has been driven to a great extent by a utilitarian market perspective, according to which a certain loss of privacy by data collection has been acceptable so long as it results in greater consumer satisfaction. The approach of EU regulators is completely different as it is rooted in the European experience with two totalitarian regimes that relied on massive surveillance programs to keep their citizens in check. For instance, in the former German Democratic Republic (GDR), the State Security Service (Stasi) kept detailed records on one in three citizens acquired by a vast network of agents and collaborators. Similar experience was lived by people in other totalitarian states in Europe. Therefore, the European Commission is highly cautious when dealing with issues pertaining to privacy of EU citizens.
Nonetheless, we witness a change in the US privacy paradigm with powerful voices in the United States Senate calling for tighter restrictions on the use of personal data by private companies. In March a bipartisan group of legislators led by Senator Amy Klobuchar of Minnesota proposed an ambitious body of legislation called the Social Media Privacy Protection and Consumer Rights Act that, if adopted, would grant internet users more control over their data by providing them with opt-out options on data tracking and collection. Although the future of this draft is still uncertain, US citizens will certainly demand more action from their legislators and government executives on the matter as, according to a poll by the Pew Research Center on privacy, surveillance, and data-sharing, the majority of Americans are increasingly more concerned about the safety and security of their data.
The European Union and the United States have already tried twice to find a framework that would allow a free flow of data between the two entities in full respect of European data protection rules. However, both attempts, Safe Harbor and Privacy Shield frameworks, were struck down by the European Court of Justice by its Schrems I and Schrems II, expressing serious doubts “as to whether US law in fact ensures the adequate level of protection [of personal data] required under Article 45 of the GDPR,” pointing to the risks of US surveillance programs to the rights of EU citizens recognized by the EU Charter of Fundamental Rights. To solve this impasse and develop a new framework for the exchange of data across the Atlantic, the European Commission has “intensified” the negotiations with the US Department of Commerce. However, these talks are still ongoing, so it is not clear yet whether they will produce a result acceptable to both parties.
Another contentious point in the mutual tech relations between the European Union and United States is digital taxation. In 2018, the European Commission issued a proposal for a 3 percent tax levied on digital business activities, arguing that under current rules it is impossible to tax the profits of influential tech companies generated in Europe as they are not physically present in the EU. The blueprint for a digital tax introduced by the Commission would replace the requirement of physical presence by a system taxing companies in the place where they “have significant interaction with users through digital channels.” The United States looked quite skeptically on this proposal. Then Trump Administration expressed a series of concerns that the tax would apply disproportionality to US companies operating in Europe and threatened retaliatory measures by increasing tariffs on European goods. The proposal has not been adopted yet as it is currently discussed by the European Parliament. However, there is a chance that the EU and the United States find a multilateral solution on digital taxation through a negotiated outcome of the discussions currently ongoing under the auspices of the Organization for Economic Cooperation and Development (OECD) and G20 within the framework of the Inclusive Framework on Base Erosion and Profit Shifting (BEPS).
Despite these differences, there are areas where the two parties are relatively in line or in the process of alignment. First, the US Congress is currently considering several pieces of legislation, the Platform Accountability and Consumer Transparency Act (PACT Act), Eliminating Abusive and Rampant Neglect of Interactive Technologies Act (EARN IT Act of 2020), and Online Consumer Protection Act (OCPA), that, if adopted, would alter the immunity granted to online content intermediaries by Section 230 of the Communication Decency Act (CDA) with a series of transparency and reporting obligations as well as enhanced protection of internet users as online service consumers. The same approach to the regulation of content intermediaries has been adopted by the European Commission in the aforementioned Digital Services Act, which imposes a set of transparency, reporting, and due diligence obligations on large content intermediaries but maintains their immunity under the e-Commerce Directive of 2000, a European version of Section 230.
Another area where the two entities may find some common ground is net neutrality. While the EU has already adopted a regulation guaranteeing its citizens “the right to access and distribute information and content, use and provide applications and services […] via their internet access service,” net neutrality has been the subject of fierce debate in the US, partly due to a hostile attitude of the previous administration on the matter. Nonetheless, the Biden administration seems dedicated to resubscribe the United States to this principle. Although such policy change has not been announced yet, Biden’s appointment of Jessica Rosenworcel, a vocal supporter of net neutrality, as the Chairwoman of the Federal Communications Commission (FCC) and the decision of the Department of Justice to drop the lawsuit filed by the Trump administration against California’s net neutrality legislation are signs that a reinstatement of the Obama-era rules on open internet repealed in 2018 by the Restoring Internet Freedom Order may be forthcoming.
Finally, the United States and the European Union seem aligned on the need for greater governmental involvement in financing and creating incentives for tech innovation. As a key component of its efforts to mitigate the economic consequences of COVID-19, the EU has approved the creation of the Next Generation EU fund worth of 750 billion euros that will be distributed in the form of loans and grants to EU member states. More that 50 percent of this unprecedented funding will be allocated to stimulate tech innovation and foster the digital and green transitions of European economies. In the United States, in an unusual bipartisan fashion and primarily with the objective to counter Chinese influence, the US Senate has approved the US Innovation and Competition Act (USICA), pouring more than $200 billion to support research and development in strategic tech sectors such as semiconductor industry, artificial intelligence, and wireless broadband. Although the underlying motivations behind the adoption of USICA and Next Generation EU differ, the two initiatives attest to the fact that governments both in the United States and the EU are now more inclined to support home-grown tech innovation by direct public financing programs.
What should be done?
Although there are serious differences between the EU and the United States on how the tech sector should be governed, these disagreements are not insurmountable. First and foremost, any successful negotiation on a transatlantic tech governance framework should start with issues where the policies and interests of the two parties (at least partially) overlap, such as with net neutrality or a more active role of the public sector in financing and incentivizing tech innovation. Having an agreement or declaration on cooperation in enhancing and promoting these policies on the domestic and global levels is a good starting point for talks on more delicate and contentious issues.
Since the issue of digital taxation is being dealt with at a multilateral level with reasonable chances of arriving at a negotiated outcome soon, the priority for EU and US negotiators should be finding an agreement on free data flows and privacy protection. However, such an agreement cannot simply be a refurbished version of Safe Harbor or Privacy Shield that would be struck down by another decision from the European Court of Justice. Instead, the solution must be durable to provide US and European companies with legal certainty in their business activities on either side of the Atlantic.
The first step towards such a sustainable solution must be a realization that data is a precious but reusable resource generated by human activity. This realization has two crucial implications for data governance: first, data can be shared across borders and sectors; second, any data regulation should be human-centered. However, these two conclusions are difficult to reconcile with each other as it is a challenging task to ensure the free exchange of data across multiple jurisdictions while guaranteeing the same level of privacy protection among them.
Considering the judgments of the European Court of Justice (ECJ) in the Schrems I and Schrems II cases, the prospects for full and unhindered flow of personal data from the EU to the United States does not seem realistically attainable given a negative attitude from the ECJ towards US surveillance policies. Therefore, EU and US negotiators should be extremely cautious and creative in crafting a regulatory framework for personal data transfers. However, there are data processing solutions that may present a reasonable compromise such as encryption or anonymization of personal data.
Nevertheless, even without an agreement on personal data transfers, there are plenty of opportunities to be harnessed by establishing a legal framework on the exchange of non-personal data across the Atlantic. On this note, it is important to keep in mind that industrial data and non-personal public sector data also have enormous potential to empower innovation and progress.
Some of the mechanisms introduced in the draft of the Data Governance Act (DGA) recently unveiled by the European Commission may serve as inspiration for a future transatlantic regulatory framework on non-personal data transfers. The underlying philosophy behind DGA is a vision of data as an indispensable resource for increasing and sustaining the competitiveness and innovative potential of European companies. First, the regulation lays out the conditions for reuse of data produced by the public sector that is protected by law (e.g. personal data protection, commercial confidentiality, and intellectual property protection). Most importantly, DGA allows public authorities to share their data with other entities only if they are pre-processed (e.g. anonymized) and via a non-discriminatory and publicly accessible mechanism. Second, the regulation institutionalizes the functioning of data sharing platforms that will serve as intermediaries between those who produce data (mainly private companies) and those who seek data for their business, research, or other activities. The providers of these services are required to commit to a number of safeguards and protections with respect to sensitive and commercial data. Third, the DGA establishes a voluntary framework for data altruists—nonprofit organizations that collect data made available voluntarily by data owners for the common good.
Since the above-described data sharing mechanisms introduced by DGA deal almost exclusively with non-personal data (data not protected by GDPR), some of them, with minor modifications, could be implemented also in a new regulatory framework on data transfers between the EU and the United States. Institutionalizing and regulating the exchange of non-personal data across the Atlantic by some of the aforementioned legal mechanisms would not only give public entities, private companies, and nonprofit organizations from both sides a secure channel for a data exchange but also would dramatically increase the pool of they have access to. This would be a positive regulatory incentive for innovation that is increasingly more dependent on the quality and quantity of data that researchers and businesses can access and process.
Finally, it is indispensable that the United States respond positively to the call by the European Commission for the establishment of the EU-US Trade and Technology Council (TTC)—a forum for government executives to discuss trade facilitation, the development of compatible standards, and innovation promotion. TTC would provide both parties with a permanent channel for dialogue and exchange of views even in situations of political tensions that could hinder the progress on tech related issues.
Although there are multiple contentious points between the European Union and the United States regarding tech regulation, the political climate on both sides of the Atlantic seems favorable for finding agreement on these issues. The benefits that such an agreement may generate for US and European businesses, research institutions, and civil society in terms of secure and facilitated data sharing are too important to ignore. This is especially true during what is often coined the Fourth Industrial Revolution, with data as its main driving force. The good news is that data is reusable, unlike oil or coal, which were behind previous industrial revolutions. The same data that empowers innovation on one side of the Atlantic can generate another kind of innovation on the other side. Doing so, however, requires institutionalized, secure, human-centered channels that would allow both stakeholders in both the European Union and the United States to harness the full potential of data in the modern digitalized economy.
Juraj Majcin (@JMajcin) is a PhD Candidate in International Law at the Graduate Institute of International and Development studies in Geneva, Switzerland and a GeoTech Action Council expert.