
Different Approaches to Data Privacy: Why EU-US Privacy Alignment in the Months To Come Is Inevitable

Even though it is hardly disputable that the origins of modern data privacy, as well as of computer technology, are to be found in the US, it is currently the EU with its GDPR that sets the global tone for what is the generally accepted privacy standard, especially for multinational companies operating worldwide.

The reasons for this are many, but in brief the US still does not have a comprehensive federal privacy law for the private sector. It has been discussed for many years now, but there are no signs of anything definite just yet, even though substantial progress has been made in recent months. Having said that, FTC enforcement against companies failing to protect personally identifiable information, as well as a plethora of state laws, most notably the California Consumer Privacy Act, result in a de facto privacy standard which in some ways meets or exceeds EU practices. One interesting example is the NIST standards and frameworks which, even though primarily intended for federal agencies, are widely adopted on a voluntary basis by private organizations and enable very refined and mature ways to govern privacy and cybersecurity.

Of course, there are still many areas where US privacy falls behind its EU counterpart. One ardently disputed topic is the so-called indiscriminate access by US state agencies to EU personal data. This resulted in the EU Court of Justice invalidating the previous US-EU privacy deals in the so-called Schrems I and Schrems II cases, named after the privacy activist Max Schrems, who initiated the proceedings with his complaints. In reality the issue at hand is a bit different, deeper and rooted in the US legal system, which protects US citizens and permanent residents but does not offer the same protection to persons in the EU whose data is being processed. Many say that offering the same or equivalent rights to persons in the EU would resolve at least some of the concerns and disputes in this regard, as access to data by state agencies in the EU is also present and growing with the evolving risk landscape, as well as with the social expectation to combat crime and external threats.

So why is the EU-US privacy alignment in the immediate future not only possible but de facto inevitable?

First of all, EU privacy policy does not exist in isolation but is strongly connected to its trade policies and agreements. This is true for some other areas of EU policy, but data privacy is very much connected with the growth of modern technology, digital trade, AI, etc. We have seen this synergy in action in recent years in how the EU reached deals concerning transfers of personal data with Japan and South Korea. With these countries it was very clear that the EU sought strategic trade partnerships and enhanced trade relations, and the aspect of data privacy fitted into how the EU saw and still sees itself as one of the leaders, if not the leader, in terms of ethical and human-centric technology standards. At the same time the EU took several steps to regulate global technology companies, many of which are from the US, in an attempt to impose its decision-making powers far beyond the EU’s borders. This global reach is, however, true for many modern laws, and you could say that arguably the US was one of the pioneers in this regard with its Sarbanes-Oxley Act.

With the current geopolitical situation, the factors determining EU politics are inevitably shifting. It was not long after the war started that the top EU and US leaders discussed the need for regulating transfers of personal data between the EU and the US and even announced a so-called agreement ‘in principle’. Immediately after that, many legal and privacy commentators, as well as some of the EU country data protection authorities, issued statements that such an agreement ‘in principle’ does not bear any legal meaning until and unless the final deal is reached and meets all standards and requirements. Still, this shows an enormous political will and commitment to find common ground. Something which in the past required months and years of discussions on different levels is now achieved almost instantly.

In the background, there are other processes and changes, both in the EU and in the US, which fuel this alignment. Most notably, there is more and more willingness to regulate technology and social media so that ethical, social and environmental considerations are an integral part of business activities, duly implemented and enforced. Secondly, increased geopolitical alliance, common threats and the resulting cooperation go hand in hand with sharing common values, something which in turn shapes which destination countries and activities involving personal data are generally accepted.

As the bonds and the economic cooperation go deeper and deeper, there are many avenues and initiatives for cooperation and discussion, such as the EU-US Trade and Technology Council. Even as things seem to accelerate rapidly, it is not possible to bridge all EU-US data privacy differences overnight. For this reason, we will very likely see a more modest, short-term solution with long-term alignment in many areas of policy in the years to come. There are already activists threatening to challenge such EU-US data privacy accords. With things very much in flux, it is yet to be seen who is better at listening to the voice of time and adequately responding to the evolving societal and political environment. While old problems will not immediately go away, the perception will likely shift very much in favour of increased EU-US cooperation in the areas of trade, compliance, environment and human rights. This is already happening, and further communication regarding the EU-US privacy alignment is expected soon.