Largely unnoticed by technology and Brussels wonks, the European Commission’s Communication on adequacy for international data flows was released in early January. The primary aim of this document is to promote the EU’s data protection regime as the global gold standard, to which other countries should aspire. In so doing, the Commission wants to remove data protection as a bargaining chip in free trade negotiations, insisting this should instead be dealt with separately, by opening adequacy negotiations with the Commission.
Amongst lofty language on the EU’s approach to data protection lies a clear economic motive. The Communication acts as a sales piece for the General Data Protection Regulation, extoling its virtues in protecting citizens and harmonising the patchwork of national laws under the 1995 Directive. The Commission has evidently realised that if it can guide other countries towards the EU model, not only will doing business with those countries become easier, but the EU will be able to leverage higher data protection standards as a competitive advantage and become “a hub for data services which require both free [data] flows and trust”.
Those in tech companies losing sleep over Brexit – and more specifically over the UK failing to secure an adequacy agreement with the EU once it leaves – will take heart from the fact that the Commission is still open to alternatives to their regime, such as codes of conduct and certification mechanisms. The Commission also advises that such instruments could be struck at the sectoral as well as national level – a model which the UK will probably try and adopt for its hefty financial services sector post-Brexit.
In parts, this is a surprisingly political document. The suggestions for normative criteria before opening adequacy negotiations with third parties include the extent of the EU’s commercial/political relations with a given third country, geographical and/or cultural ties and the role of the third country in promoting and upholding privacy and data protection. Based on these, the Commission will “actively engage with key trading partners in East and South-East Asia, starting from Japan and Korea in 2017, and, depending on progress towards the modernisation of its data protection laws, with India, but also with countries in Latin America, in particular Mercosur, and the European neighbourhood”; a clear shot over the bows of the Trump administration.
The EU’s pivot to East Asia and overtures to Latin America are a clear attempt to position the EU as the de facto champion of global free trade. The incoming Trump administration leaves the Privacy Shield agreement resting on the fragile foundations of Obama-era assurances, something easily overturned in Trump’s push to bolster US surveillance. It would not be surprising to see the first annual review of Privacy Shield take a critical view on any actions by the Trump administration to bolster US surveillance. At the same time, the Brexit-focused British government’s sweeping surveillance powers granted by the Investigatory Powers Act threaten to scuttle any attempt to demonstrate equivalence with EU data protection rules and thereby gain an adequacy decision.
Should the Commission succeed in persuading other regions to adopt their model and quickly enact adequacy agreements with major economic powers, we will see a divergence in global data protection rules. The EU’s citizen-driven, regulated model will swiftly come into conflict with the market forces of the US and the UK, and trans-Atlantic companies may be forced into difficult choices about which regime best serves their interests.