Europe may not have an Apple or a Facebook but it does have one killer export when it comes to technology: regulation.
The EU already sets the global rules for digital privacy, forcing countries from Argentina to Japan to rejig their national standards in line with the region’s tough stance on data protection.
Ahead of a G20 ministerial meeting this weekend in Japan, EU officials are pushing to cement the region’s dominance over new standards about how companies send data between trading blocs. Europe’s goal is to establish the right to privacy — enshrined as a fundamental right in the region — in the way that data is exchanged between global businesses ranging from banks and insurers to hotels and online retailers.
To impose their will on the rest of the world, the Europeans have the World Trade Organization (WTO) and a range of existing and potential bilateral trade deals worldwide in their crosshairs. That strategy would help safeguard the region’s revamped data rules, known as the General Data Protection Regulation, or GDPR, from legal challenges brought by trade adversaries including the United States, which have criticized Europe’s new privacy standards for being an unfair barrier to trade (and the epitome of extraterritorial lawmaking).
Europe’s latest privacy push will be tested in the coming weeks when the European Commission holds a series of crucial international meetings, during which it will likely face uphill battles with trade heavyweights including the U.S., China, Canada, India and Brazil.
“The bigger this zone will be, the better — for trade and for these soft but very important things like democracy and freedom,” European Justice Commissioner Věra Jourová told POLITICO in reference to Europe’s goal of exporting its data rules to the trade realm. “We have several principles which we want to see before we can speak about the zone for the free data flows.”
At the top of that list is privacy.
“The protection of privacy is quite close to the protection of democracy and freedoms,” Jourová said. The EU’s first line of attack is to push data protection rules in upcoming trade deals, as well in bilateral and multilateral trade agreements across the globe.
The tactic may split the world into two distinct “camps,” as the commissioner called it in a speech on her most recent visit to the U.S. in April. On the one side, Jourová said, there are countries that want to work to tame tech giants and surveillance states through tough privacy rules. On the other, there are companies like Facebook and Google and countries that support such data-harvesting practices. Jourová stressed that the EU partly aims to export its privacy regulatory regime — including installing data protection as a prominent right in other countries’ national laws.
“The United States, of course, would be greatly welcomed. The missing federal law, relevant or adequate or comparable with GDPR is a missing thing. That’s why we’re offering our support,” she told POLITICO of the national debate in the U.S. on creating federal privacy legislation.
Europe isn’t hanging around to push its privacy claim.
In May, the region filed proposals for e-commerce rules with the WTO that would enshrine so-called net neutrality, free data flows and basic consumer protections as part of the organization’s international rulebook for trade. When it comes to privacy, Europe also wants to create exceptions to limit the free flow of data to guarantee privacy, as well as enshrine the protection of personal data as a fundamental right. The potential changes would extend Europe’s control over global data laws that affect people’s personal data like social media posts and online search histories to digital trade law that would affect transfers of all data, including so-called non-personal data like general corporate digital information.
Europe’s existing privacy regulation gives it an “aura” on the issue, said Olivier Proust, a data protection lawyer at Fieldfisher in Brussels, because countries around the world are looking to align their data protection policies with Europe.
“What we have seen happening is an acceleration and multiplication of data protection laws — and that’s a direct influence of Europe in the world,” Proust said.
But the old Continent hasn’t won over U.S. lawmakers yet.
While the U.S. is studying potential privacy legislation domestically, it has rebuffed Europe’s requests to import privacy protections into trade law. In recent trade texts, Washington has outlined a vision that supports a free flow of data for the benefit of cross-border e-commerce and digital business, but it is the privacy issue that is driving Washington and Brussels apart.
“The positions on each side seem almost of a religious character, in a sense … and it is preventing the two sides from coming together,” said Josh Kallmer, executive vice president at the Information Technology Industry Council, a lobby association with offices in Washington and Brussels representing large technology companies.
“We happen to believe the two sides are actually not that far apart,” Kallmer said. When it comes to pushing its global privacy claims, Europe is turning to a longtime ally: Japan.
Ahead of this year’s two-day G20 summit in Osaka on June 28, Shinzō Abe and his government are working with counterparts, including Europe, to draft a commitment to create a so-called data free-flow with trust.
The idea was presented by Abe in January, at the launch of the country’s G20 presidency, and would include an economic zone for the free flow of “medical, industrial, traffic and other most useful, non-personal, anonymous data.”
In his speech, Abe stressed that it would involve “non-personal data,” and personal data would still fall “under careful protection.” Japan’s idea of economic “data zones” complements the EU’s strategy of putting joint conditions on how data can be moved around between trading blocs, and tying some form of privacy commitments to data moving around for economic and trade purposes.
In its trade negotiations with other countries, the EU has insisted on parallel negotiations over so-called adequacy decision deals, or complex data protection agreements in which European regulators must approve another country’s privacy regime before companies can easily transfer data outside of Europe.
Only a handful of countries, including Japan, have been granted such access to EU data, and these adequacy decisions have become a carrot for EU trade negotiators to get partners to the table because other countries are eager to have access to the region’s 500 million consumers’ data, according to officials involved in those negotiations.
Despite Europe’s push to expand its privacy protections through trade law, the region also has run up against free-trade proponents and business lobbies that claim its heavy hand on privacy is an illegal barrier to trade. At the top of their list of complaints are the stringent limitations that Europe wants to impose on trading partners that do not fall in line with its views on how data should be protected worldwide. Opponents claim that such restrictions go against long-standing international trade rules.
Cloud services, e-commerce platforms like Amazon and other industry players, for example, fret about having to set up more data centers across the world to minimize their data flows because of potential trade barriers resulting from Europe’s exporting of its privacy protection worldwide.
The idea of reducing data flows has caused these groups to speak up, warning of a breakup or “Balkanization” of the internet and arguing this would hurt the global digital economy.
“The language the Commission proposed [at the WTO] seeks only one objective: To not have GDPR challenged before international courts,” said Thomas Boué, chief European lobbyist of BSA | The Software Alliance, an association that counts Apple, Microsoft, Salesforce and others as members.
“Protecting GDPR is fine, but it shouldn’t hurt you in other ways,” Boué said.