You are here

Transatlantic data flows: time for a sustainable framework

AmCham EU

24 May 2023
All Committees

Imagine if Europe had never been introduced to the TV show ‘Game of Thrones’ – or if Ed Sheeran was completely unknown to American audiences. This grim hypothetical world could very well have been the reality if data transfers between Europe and the United States did not exist. But data transfers do not only enable our entertainment: they are the lifeblood of our economy and a key pillar of the transatlantic partnership. Today, as we celebrate the fifth anniversary of the General Data Protection Regulation, we are reminded of the importance of stable and workable regulatory frameworks.

The weight of data flows

Globally, cross-data flows contribute more to growth than trade in goods, and their importance continues to rise. Between 2010 and 2019, global data flows rose by nearly 50% every year, a figure that spiked during the pandemic. The benefits of data transfers for consumers and companies across sectors feed this steady. From stabilising supply chain management to allowing us to work remotely, they are essential drivers of the prosperity and well-being of our societies.

Most of these data flows happen via transatlantic cables, which ensure 55% more transfers than transpacific routes. This accounts for more than half of Europe’s global data flows and for half of the US’ total. For businesses, data transfers are essential, so it is more important than ever that transatlantic partners establish a long-standing regulatory framework that enables secure personal data flows across the Atlantic.

Privacy Shield-less

In its Schrems II decision of 2020, the Court of Justice of the European Union (CJEU) invalidated the EU-US Privacy Shield, a framework that allowed thousands of companies to enable personal data transfers. Given the urgent need for a regulatory system to replace it, the transatlantic partners have been engaging in discussions to create the EU-US Data Privacy Framework.

In March 2022, an agreement in principle was reached between the European Commission and the United States. Several months later, President Biden signed Executive Order 14086 (EO) and the US Attorney General issued a Regulation (AGR) to implement the EU-US Data Privacy Framework. These two documents significantly improve the Privacy Shield, as they address the issues on signals intelligence activities identified by the CJEU. It also highlights the importance of safeguarding the principles of legality, proportionality and necessity, as well as the intention to set up an independent and binding redress mechanism that ensures the protection of EU-based citizens.

The European Commission reviewed the EO and the AGR, and it adopted a draft adequacy decision in December 2022. The draft was then reviewed by the European Data Protection Board, who released an opinion in February highlighting the substantial improvements and inviting the European Commission to provide clarifications and ensure the implementation of this new scheme.

Meanwhile, Members of the European Parliament have adopted a resolution that raises a number of objections to the new framework. Even though this motion is not binding for the Commission, it will likely slow down the Framework’s implementation – a delay that will be highly detrimental for transatlantic businesses.

Enabling a necessary part of global trade

Without an effective data transfer framework, transatlantic businesses are facing significant hurdles to ensure compliant data transfers. It is absolutely crucial that the EU and the US cooperate to set up the EU-US Data Privacy Framework as soon as possible and provide businesses the legal certainty they need. In the meantime, they will indeed continue to transfer data. How could we expect business not to do so, given that 90% of EU-based companies rely on transatlantic data flows?

The proposed EU-US Data Privacy Framework is a significant step in the right direction, particularly because it does not require the United States to adopt the exact same regime as the EU, and rather recognises an essentially equivalent framework. It is now time for policymakers to prioritise the implementation of the Framework so that transatlantic businesses can continue to strengthen our digitally-enabled economy while protecting the privacy of individuals.