As the United States (US) and European Union (EU) engage in sprawling trade negotiations impacting dozens of industries, the Transatlantic Trade and Investment Partnership (TTIP) presents both threats and opportunities to the survey, opinion and marketing research profession. Possible threats include the weakening or dissolution of the US-EU Safe Harbor for data transfer and the adoption of EU-style data privacy restrictions. Potential opportunities include increased ease of digital trade and “harmonization” of EU regulation to more effective U.S. norms.
What makes this potential trade deal so important?
The US-EU trade and investment relationship is probably the most important global economic relationship. Our economies combine to make up more than half of global gross domestic product and the TTIP could spawn the world’s biggest free trade area. Most importantly, the U.S. and EU are the two biggest centers of research in the world.
Unfortunately, as U.S. Trade Representative Michael Froman remarked at a September 30 event in Brussels, “Over decades, the differences in our regulatory and standards approaches have created unnecessary barriers — raising costs, deterring trade and investment and negatively impacting our competitiveness and our consumers.”
Marty Abrams, then-president of the Centre for Information Policy Leadership at the law firm Hunton & Williams, testified before the International Trade Commission in March that, “The differences between the privacy mosaic that exists in the United States and the more control oriented data protection laws in much of the rest of the world does act as an impediment to the free flow of digital goods between the United States and those countries. There is no question that those differences create costs for American business and impede the exploitation of innovations that are developed in the United States.”
Thus, reducing the barriers facing digital trade between the U.S. and EU could prove a boon to researchers and research users.
US-EU data transfers and current law
The 1998 European Commission’s Directive on Data Protection (“Data Directive”) prohibits the transfer of “personal data” to non-EU nations that do not meet the European “adequacy” standard for privacy protection. The EU Data Directive places significant restrictions on the collection, use and disclosure of personal data that prove taxing for many researchers. Despite some complaints that the U.S., unlike the EU, lacks an organized and comprehensive federal privacy law, EU privacy law is not perfectly organized either, fragmented across its many member states, with each implementing the Data Directive differently.
Intentionally or not, the EU wields the Data Directive and its “adequacy” standard as an anti-competitive trade measure, discriminating against U.S. companies in digital trade because they do not deem the U.S. to have “adequate” data privacy protections. Fortunately, in addition to adopting binding corporate rules, U.S. companies can self-certify to the US Department of Commerce that they comply with the seven principles of the U.S.-EU Safe Harbor (Notice, Choice, Onward Transfer (to Third Parties), Access, Security, Data Integrity and Enforcement) and at least have some mechanism for data transfer. While it is a self-certification, the Federal Trade Commission (FTC) enforces compliance with the Safe Harbor under its Section 5 authority to prosecute deceptive practices (not living up to one’s public claims).
As explained in a European Voice op-ed by Cameron Kerry, then-general counsel to the U.S. Department of Commerce, “Developed jointly by the U.S. Department of Commerce and the European Commission and launched in 2000, Safe Harbour provides US companies with a streamlined way to comply with the EU's data-protection directive. Its success was recognised in March when the US and the EU reaffirmed their commitment to it.”
EU threatens to revoke the Safe Harbor
At the same time as the trade deal is being negotiated, European officials have threatened to revoke the Safe Harbor. While such threats are ostensibly in response to NSA spying revelations this summer, some of these officials have wanted to weaken or remove the Safe Harbor for a long time.
European Commission Vice President Viviane Reding got the ball rolling in July, commenting that, “We do have the impression that the Safe Harbor Agreement might not be so safe after all. It could be a loophole for data transfers because it allows data transfers from EU to U.S. companies – although US data protection standards are lower than our European ones. I have informed ministers that the Commission is working on a solid assessment of the Safe Harbour Agreement which we will present before the end of the year.”
Peter Schaar, Germany’s data protection commissioner, lamented in a blog post shortly thereafter the “insufficient level of data protection in the U.S.” The Conference of the German Data Protection Commissioners further called for the suspension of data transfers to the U.S. since there was “substantial likelihood” that binding contract clauses and the Safe Harbor principles are being violated. The EU Article 29 Data Protection Working Party, reacting similarly to the NSA spying revelations, seemed to agree that the Safe Harbor couldn’t continue to function if U.S. government entities might be accessing EU data transferred to the U.S..
US activist groups joined the pile-on, with Danny O’Brien, international director of the Electronic Frontier Foundation, telling Politico that, “the Europeans have a much better hand to play… It looks a lot worse to say we should let this data flow in and out of the US when everybody knows the government is tapping these ins and outs.”
Jeff Chester, executive director of the Center for Digital Democracy went further, declaring to Politico that, “We shouldn’t let US companies use the trade deal as a political backdoor to blow up the EU approach.”
Jason M. Weinstein, partner at the law firm Steptoe & Johnson, called out the complaining EU officials as hyperbolic hypocrites: “The inconvenient truth about data protection in the nations of the EU is that EU citizens’ data enjoys very little protection from the nations of the EU. In many EU countries, the government has significantly broader authority than the U.S. to obtain content and other data from providers in national security investigations, often without any court approval whatsoever.”
However, according to Damon Greer, who directed the EU-US and Swiss Safe Harbor frameworks from 2006 to 2011, “one fact remains salient to the debate over the future or past of Safe Harbor as a legitimate tool for cross-border data transfers to the United States. The framework is legally binding on all member states in the EU and the three EEA countries, Norway, Iceland and Lichtenstein. No individual body may opt out of the agreement.”
Complications: Rewriting the EU’s Data Protection Directive
In a speech in March, Commerce’s Kerry highlighted another backdrop to data privacy concerns between the EU and the US: the EU’s efforts to rewrite and expand their own Data Protection Directive. “We have expressed concerns about ways that their legislation may hinder efforts at interoperability by proposing things that are not technologically or commercially feasible… It’s critical that they not rush this process…that they understand the complexity and the broad impact it will have, the risk of unforeseen consequences to consumers as well as innovation and to growth.”
The EU rewrite has stalled for now due to various disagreements between Parliament, the European Commission and the European Council. EU parliamentary elections scheduled for 2014 present a deadline for the negotiators, since the rewrite will have to begin the process over again once elections happen. The closer that deadline gets, the more unpredictable the outcome will be.
Commerce’s Kerry, in his final speech, warned against making “regulation of privacy, regulation relating to the Internet, a new set of non-tariff barriers to trade.” He concluded that, “It would be a sad outcome of the surveillance disclosures if they led to an approach to Internet policy making and governance in which countries became a series of walled gardens with governments holding the keys to locked gates. But that is where we will end up if all data has to stay on servers located in the nation in which a citizen lives or where a device is located… The digital world does not need another Great Firewall – in Europe or anywhere else.”
MRA believes it is essential that we maintain the Safe Harbor – our primary protection for the conduct of digital commerce and research.
Of course, defending our interests is good, but advancing our interests is better.
Comprehensive data privacy proposals have been advanced for the last few years by the FTC, the White House, and Members of Congress. All of them hope to better emulate the EU privacy regime in hopes that the US will be deemed “adequate” in its privacy protections by the EU. While MRA supports some form of baseline consumer data privacy law, the expansive measures envisioned by some parties go far beyond the baseline – with questionable promise of success. “Harmonization” of US law to an EU standard may not make the most sense economically.
As outlined by several large technology companies’ chief privacy officers at an Internet Association panel discussion on March 5, innovative data businesses generally develop and grow in the US, not in Europe, and our approach to data privacy may be a key factor in our competitive advantage. In retort to complaints from foreign governments about the patchwork of US privacy laws, Justin Weiss, director of international privacy for Yahoo, said that, “no other country has done more active enforcement of privacy protection” than the US, under the FTC. European businesses are subject to “pre-regulation,” according to Weiss, that requires prior authorization for any innovation and makes it much harder to achieve.
More importantly, over the course of many public and private engagements in the last year and a half, Members of the European Parliament and European Commission have indicated that none of the comprehensive data privacy proposals offered so far in the U.S. would, if enacted, win the U.S. the coveted “adequacy” designation by the EU for free trade in data. It is possible that nothing short of a complete substitution of EU law for US law would satisfy EU authorities.
As MRA previously asked of members of the House Subcommittee on Commerce, Manufacturing and Trade in June, the U.S. should consider the importance of “harmonization” of the US and EU privacy regimes as a part of the U.S.-EU trade negotiations, but not in the traditional way that the term is used. There may be great value to both sides of the Atlantic in bringing our privacy approaches closer together. However, the concept of harmonization should focus more on modeling EU law after the strong enforcement mechanisms and self-regulation of the U.S. than on forcing US law to adhere to EU standards.
In summary, MRA believes:
- U.S. authorities must aggressively defend the existing Safe Harbor inside and outside the TTIP negotiations;
- Representatives of the research profession should similarly defend the Safe Harbor to European Union policymakers as they rewrite their data protection regulations; and
- US authorities should pursue “harmonization” of EU privacy regulations with the more effective U.S. approach.