Privacy debate too often focuses on the risks from data rather than the risks to trade that arise from the restrictions on cross-border data flows, between and within multinational organizations and companies, and between individuals and companies all around the world, according to an FTC Commissioner who spoke at a recent conference in Washington, DC.

Noah Phillips, a commissioner on the Federal Trade Commission (FTC), said that, “Commerce today involves far more than goods… including services, and the data upon which those services are based.” The Trump White House, he said, “does not get enough credit” for “protecting economic interests and American privacy through the international flow of data.”

Phillips and several other experts explored the topic of trans-Atlantic digital trade at an event hosted by George Mason University’s Law & Economic Center on December 4, 2019.

Data localization and GDPR

Data localization laws, Phillips continued, force big companies to either locate operations in a given country or not do business with them and their consumers. For smaller businesses, it usually prevents them from competing there at all. This helps to create a “balkanized world of data.” Of course, he pointed out, this “implicate more than trade.” Since many governments imposing such laws are far more focused on getting and keeping access to that data for themselves than they are on consumer privacy.

Unlike the European Union (EU), with its General Data Protection Regulation (GDPR), the U.S. has “more than 200 years of legal tradition… establishing the privacy rights of individuals vis-à-vis the government,” that are “among the strongest in the world,” Phillips said. Similarly, American “intelligence-gathering practices are among the most transparent in the world,” which is why Phillips said it should be “puzzling” and “perplexing” that the European Court of Justice (ECJ) did not follow up the striking down of the U.S.-EU Safe Harbor with any similar actions against data transfer to autocratic regimes that place no value on citizen privacy, like China or Russia.

Lydia Parnes, formerly director of the FTC's Bureau of Consumer Protection and now a partner at law firm Wilson Sonsini Goodrich & Rosati, discussed some of the complexities of GDPR, which she described as “an incredibly specific, proscriptive law.” Compliance, she said, can be “overwhelming” for any business, and “almost impossible” for a small to medium sized enterprise. She said that her firm encourages smaller companies to go the route of the U.S.-EU Privacy Shield, despite the risk that it may not survive.

Liad Wagman, Associate Professor of Economics at the Illinois Institute of Technology, presented research at the event indicating that while global venture funding is increasing, the EU has seen a decline in it since GDPR came into effect, especially for small businesses and startups, likely tied to GDPR compliance and avoidance. When pressed on what this would mean for the U.S. if it adopted similar kinds of regulation, Wagman suggested that the impact could be similar.

FTC Commissioner Phillips, looking at the various privacy bills introduced so far on Capitol Hill, worried that no one is learning the right lessons from current privacy debates. Not only would many of the bills negatively impact commerce, especially small businesses, but they would provide no “guarantee” of an “an adequacy ruling from the EU” for trans-Atlantic data transfers.

Those are some of the reasons that the Insights Association joined with Privacy for America in support of a new legislative framework for data privacy.

Phillips notes that many privacy concerns are “legitimate,” but we need to better recognize the “tangible tradeoffs” for innovation and commerce. “There is no such thing as a free lunch.”

Moreover, Congress “cannot just cut and paste a set of rules from one business culture into another and just expect it to work the same way.” For one thing, Phillips highlighted that the EU lack’s America’s robust trial bar, “another area of American leadership,” which would raise costs here dramatically higher than across the ocean. “GDPR is a big accomplishment for” the Europeans, but it is a fundamentally European project based on their traditions, societies and laws and would be unlikely to accommodate American interests.

Patrolling beneath the lampposts

James M. Sullivan, Deputy Assistant Secretary for Services at the Department of Commerce, expressed concern at the event about the “proliferating number of new and diverging privacy laws at the national level around the world creating a more fragmented marketplace.” He also warned that there won’t be a “single standard anytime soon.”

After discussing the second Schrems case awaiting a ruling at the European Court of Justice (ECJ), Sullivan scoffed a bit at the European Union policymakers for believing that they provide “the gold standard with regards to privacy,” since “there have been zero enforcement actions against certain other countries.” Her compared the EU to a policeman that likes to “patrol the area beneath the lamppost” rather than fighting crime in the dark spots.