Transatlantic Data Transfers
Report from Digital and Cyberspace Policy Program and Renewing America

The Slow-Motion Crisis

Cables run into the back of a server unit inside an Equinix data center outside Paris, on December 7, 2016. Benoit Tessier/Reuters

U.S. surveillance activities have alarmed European partners, throwing the future of transatlantic digital trade into question. The United States should embrace collaboration and protections for personal data.

January 2021


Introduction

Data transfers are at the heart of the robust transatlantic economy, but they have long been plagued by Europe’s doubts about privacy protections in the United States.

Kenneth Propp

Senior Fellow, Atlantic Council; and Adjunct Professor of Law, Georgetown University

The economic stakes are high. Information and communications technology (ICT) services such as social networks and cloud service providers depend on cross-border data transfers, as do other services that can be delivered over ICT networks, including engineering, software, design, and finance. Although trade in digital services is hard to measure precisely, it has become one of the fastest-growing areas for the United States internationally. In 2017, digital services constituted 55 percent of U.S. services exports, yielding 68 percent of the U.S. global surplus in services trade, according to a transatlantic trade study. U.S. exports of digital services to Europe that year amounted to $204.2 billion, generating a surplus of more than $80 billion. The transatlantic is the world’s largest area for digital trade.

In order to maintain and expand this trade, U.S. policymakers should develop a strategy to address the European Union (EU)’s concerns and promote cooperation with other democracies at a multilateral forum, such as the Organization for Economic Cooperation and Development, to develop a shared legal framework for government access to personal data.

Background

In mid-July 2020, in a case known as Schrems II, the Court of Justice of the European Union (CJEU), the EU’s highest judicial body, threw into doubt whether companies could continue to transfer personal data to the United States.

The headline from the CJEU ruling was that Privacy Shield, a data transfer arrangement between the United States and the European Union, was invalidated with immediate effect on more than 5,300 companies. However, the court endorsed the continued use of so-called standard contractual clauses (SCCs), an alternative, contractual set of privacy guarantees that ensure that data importers in the United States and in other countries accord European-origin data the same level of privacy protection that it would enjoy within the EU. Companies that rely on SCCs initially believed they had dodged a bullet.

Indeed, the Schrems II ruling did not immediately change the situation for companies exporting data to the United States. A survey conducted by a European law firm revealed that only 12 percent of companies intend to reduce their data exports to the United States, and hardly any plan to cease them entirely. But as companies have considered the full logic of the judgment, a more alarming reality has emerged. The CJEU gave SCC-reliant companies a reprieve, but likely only a temporary one. Soon after the CJEU ruling, the Irish Data Protection Commission (DPC) notified Facebook of its proposed decision to suspend SCC use for massive data transfers from Europe to the United States. Facebook won a temporary injunction against the DPC order, starting yet another phase in its legal battle to sustain its business model in Europe.

At the EU level, the European Data Protection Board (EDPB), made up of member state data protection authorities that are responsible for enforcing EU privacy law, recently issued a draft recommendation that casts doubt on the continued European use of U.S. cloud service providers in certain circumstances, and even intercorporate transfers of personnel data to the United States. The European Data Protection Supervisor has similarly issued guidance that “strongly encourages” EU institutions considering new contracts with service providers “to avoid processing activities that involve transfers of personal data to the United States.” A slow-motion crisis over transatlantic data transfers is unfolding.

While European activists and policymakers have long been skeptical of U.S. privacy protections, their concerns about transatlantic commercial data transfers intensified with the 2013 revelations from National Security Agency (NSA) contractor Edward Snowden about the extent of U.S. government surveillance programs in Europe and the compelled or unwitting cooperation of U.S. firms in those programs. Snowden’s disclosures formed the immediate backdrop for a 2015 CJEU decision (Schrems I) that invalidated data transfers made pursuant to Privacy Shield’s predecessor, the Safe Harbor Framework, on grounds that the European Commission had failed to properly consider the scope of U.S. surveillance activities.

Five years later, the CJEU’s Schrems II judgment examined whether additional privacy safeguards for data transfers from the EU to the United States incorporated into the Privacy Shield in response to the Schrems I ruling were “essentially equivalent” to those stipulated under the EU Charter of Fundamental Rights and its General Data Protection Regulation (GDPR). The CJEU found that they were not: persons in EU territory whose transferred personal data was obtained by U.S. intelligence agencies still did not, contrary to EU law, enjoy “effective legal remedies” before an “independent and impartial court.”

Part of the difficulty, the court observed, is the secrecy of U.S. government surveillance. If foreign persons can only suspect that information about them has been gathered, they have little prospect of proving the “injury in fact” that is the prerequisite for suit in U.S. court. The Privacy Shield negotiators attempted to circumvent this dilemma by allowing a European person who suspects surveillance to complain directly to a designated senior official in the U.S. Department of State, who would refer the matter to U.S. intelligence agencies to investigate. The CJEU found this mechanism insufficient, however, since it lacked both independence from the U.S. executive branch and the power to make corrective decisions binding the intelligence community.

Moreover, U.S. surveillance law also lacked a “principle of proportionality,” the CJEU claimed, to ensure that data collection and use by the government only occurred when “necessary” to meet legitimate interests. It pointed in particular to NSA bulk data collection programs. These shortcomings—lack of individual redress and of proportionality—rendered the Privacy Shield inadequate as a means of protecting European individuals’ privacy in commercial data transfers to the United States.

While the court endorsed SCC use as an alternative for protecting privacy interests in principle, it also insisted that companies using them adopt additional safeguards against the risk of NSA surveillance. One potential safeguard the CJEU suggested was for a data exporter to suspend or terminate data transfers to the United States if the NSA levies a data demand upon it.

U.S. Firms After Schrems II

With the future of SCCs uncertain, companies have begun to consider a range of options to appease EU regulators. Internally, they are assessing the extent to which their data transfers have been the subject of past NSA demands or could be in the future. The number of companies that publicly disclose the scale of government data demands upon them in annual corporate transparency reports is likely to increase. Some are considering undertaking commitments to challenge government data demands or to decline to respond to them unless compelled to do so. Additionally, many companies could adopt some form of pseudonymization or encryption for data transfers, which in some circumstances could frustrate U.S. intelligence. A further option would be data localization, or simply keeping data in Europe and processing it there, avoiding transfers to the United States entirely. Data localization can be costly and inefficient, and is not technically feasible for all types of data processing activities. A further splintering of the internet along regional lines is one likely consequence of Schrems II.

European regulators are beginning to release guidance on how companies should implement the Schrems II holding on SCCs. The European Commission has issued for comment an implementing decision substantially revising the language of SCCs, while the EDPB has developed a draft recommendation specifically identifying transfer tools for companies to use in frustrating foreign government surveillance. The EDPB’s guidance has the potential to upend the transatlantic business models of companies, including European ones, that rely on U.S. cloud service providers, or share data internally for personnel or customer service purposes, if data is not encrypted at all times. Pressure on SCC use is building through litigation as well as regulatory pronouncement, as the rapid Irish Data Protection Commission decision to move against Facebook’s use of SCCs shows. Further stress is being exerted by legal actions initiated by the privacy advocacy group None of Your Business. Soon after the Schrems II ruling, it filed 101 complaints in thirty European jurisdictions against companies that use Facebook Connect or Google Analytics to transfer data to the United States. In October, a German privacy advocacy group brought a similar suit against Amazon for its transatlantic data transfer practices.

The future of SCCs in transatlantic data transfers is clouded in doubt. It will be determined through a series of administrative and judicial proceedings playing out gradually in a decentralized fashion across the EU. Harmonization of law may be the EU’s watchword, but in this case the CJEU has delivered a recipe for fragmentation.

No sooner had the Schrems II judgment been issued than the U.S. government and the European Commission pledged to “explore” ways in which the defects of the invalidated Privacy Shield could be remedied in a new accord. However, neither side expects to reach a new accord in the immediate future. The U.S. government also issued a white paper intended to help companies meet the national security concerns the CJEU highlighted. It included the reassurance that “companies whose EU operations involve ordinary commercial products or services, and whose U.S.-EU transfers of personal data involve ordinary commercial information like employee, customer, or sales records, would have no basis to believe U.S. intelligence agencies would seek to collect that data.”

Washington has not embraced national security hawks’ suggestions that it fight back against European regulation. The Office of the U.S. Trade Representative (USTR) has reportedly studied whether the disproportionate challenges of the Schrems II judgment for major U.S. technology companies amount to a colorable case of trade discrimination, but so far there is no indication that it could move in this direction. The U.S. government has stated that while it is “actively considering its options,” it seeks a “durable political solution.”

Recommendations

It will take an orchestrated, three-part strategy for the United States to achieve a lasting resolution to the privacy and surveillance conundrum with the EU. One prong entails expanding possibilities for individual redress under U.S. surveillance law and, separately, adopting the long-mooted comprehensive domestic privacy law. A second would be to create a firmer legal foundation for unrestricted transatlantic data flows through negotiation of a digital trade accord with the EU. The third would be for the United States to cooperate with other democratic states at a multilateral organization in a search for legal principles common to government access to personal data.

U.S. Legal Reform

Establishing a judicial remedy in U.S. courts for non-Americans aggrieved by U.S. electronic surveillance could require changes to intelligence law statutes. Proposals for how to do this have begun to appear publicly and have sparked interest within the U.S. executive and legislative branches. Congress could adapt the current roles of officials and bodies charged with privacy protection within the national security community, such as the Privacy and Civil Liberties Oversight Board and the Foreign Intelligence Surveillance Court, to meet the standard set by the European court. Alternatively, the executive branch could order similar changes without statutory change. The task is legally complex as well as politically charged: a remedy should overcome the standing hurdle that has stymied litigants in the past without deluging U.S. courts with frivolous, hypothetical claims.

Passage of a comprehensive U.S. privacy law could also respond to the criticisms underlying Schrems II. Such a law would establish baseline rights for individuals on the use and handling of their personal data, generally parallel to those contained in the EU’s GDPR, and similarly empower an independent regulatory agency to enforce them. More broadly, the U.S. government would send a signal that it has finally entered the global privacy law mainstream. It would thereby gain desperately needed credibility for its future privacy law collaborations with the EU.

U.S.-EU Digital Trade Agreement

In recent years, the USTR has successfully included protections for unrestricted data flows in a series of bilateral trade agreements, including the U.S.-Mexico-Canada Free Trade Agreement and a digital trade agreement with Japan. A digital trade chapter is also under negotiation in the proposed free trade agreement with the United Kingdom (UK).

A core provision in all these digital trade agreements would secure cross-border transfer of electronic data for business purposes by importing disciplines from World Trade Organization law that guard against protectionism and discrimination. Governments would be allowed to impose transfer restrictions based on their privacy laws, but only to the extent that they are not arbitrary or disguised restrictions on trade and are narrowly tailored to achieve a public policy objective. A formal dispute settlement system would address alleged breaches of the rules.

The EU, during the failed negotiations on a Transatlantic Trade and Investment Partnership, adamantly refused to consider a U.S. proposal along these lines, but the U.S.-UK free trade agreement talks offer a promising opportunity to revisit the topic with a more sympathetic European partner. While the post-Brexit United Kingdom has closely aligned its privacy laws with the EU’s, it also wants to buttress Anglo-American digital trade. If the United Kingdom can reconcile these equities and agree on a data transfer provision with the United States, the precedent could eventually help inspire a similar U.S.-EU reconciliation.

Multilateral Cooperation on Government Access to Data

For many years, Europe has principally associated foreign government access to its citizens’ personal data with one country—the United States. Increasingly, however, aggressive Chinese and Russian surveillance activities in Europe have begun to change that perception. Schrems II accelerates this trend, by insisting that private companies safeguard data transfers from the EU to any country with a government surveillance apparatus, whether democratic like Israel or authoritarian like China or Russia. The ruling also forces attention to EU member states’ own foreign surveillance regimes. The CJEU recently expanded its purview to discipline member states’ national security surveillance programs, and other courts in Europe, such as Germany’s Federal Constitutional Court, are beginning to examine whether their governments’ foreign surveillance activities observe requisite privacy protections.

The broadening judicial lens on government surveillance has in turn stimulated efforts to convene multilateral dialogues on comparative practices. Such a discussion is already underway at the Organization for Economic Cooperation and Development in Paris, with U.S. government participation, and the Council of Europe in Strasbourg is also bidding to undertake work on the subject.

No one expects that a multilateral “no spy” pact is imminent, but discussions on comparative government surveillance regimes nonetheless place U.S. practices in an international context. National security officials in Washington are firmly convinced that the legal constraints under which the U.S. foreign surveillance system operates are at least as transparent and rigorous as those of European counterparts. A broad consensus on the types of legal controls on foreign surveillance needed in democratic societies should be achievable. Successful multilateral cooperation could in turn improve the political atmosphere for transatlantic data transfers.

All of these initiatives would take time. Meanwhile, data transfers from Europe continue in an atmosphere of legal uncertainty, with inevitable further shocks from European regulatory and judicial actions. It will take bold and decisive action, political as well as legal, on both sides of the Atlantic to bring this slow-motion crisis to an end.

This Cyber Brief is part of the Digital and Cyberspace Policy program. The Council on Foreign Relations takes no institutional positions on policy issues and has no affiliation with the U.S. government. All views expressed in its publications and on its website are the sole responsibility of the author or authors.
