About the Author: Noah Levin is a first-year law student at American University Washington College of Law. Noah graduated from The George Washington University and hopes to work on international trade and national security law after graduating law school.

 

The World Wide Web revolutionized the global economy by allowing commerce, ideas, and trends to be disseminated to the world instantaneously. Innovation in this industry inevitably brings new issues that force regulators to either take a wait-and-see approach or act preemptively. The United States took some regulatory action with the advent of the internet, namely the implementation of the Digital Millennium Copyright Act (DMCA) in 1998, but an otherwise light-touch regulatory approach helped the U.S. become the preeminent place for technological innovation.[1]

Our everyday lives quickly became tied to the internet, and our data increasingly moved into an abyss. As global regulators are grappling with this issue, the U.S. has been caught flat-footed, putting at risk billions in revenue and our competitive advantage.[2] If the U.S. wants to define how data protection laws are formulated and implemented, its leaders must act sooner rather than later.

In 2018, the European Union instituted the General Data Protection Regulation (GDPR), which prescribes data protection rules within the E.U.[3] The U.S. economy is deeply intertwined with E.U. regulations due to the over $1 trillion trading relationship between the two economies.[4] U.S. companies large and small are affected by GDPR and must comply or face significant fines.[5] The U.S. and E.U. negotiated the Privacy Shield Framework, which allowed for data transfers from the E.U. to the U.S.[6]

GDPR allows for data transfers to a third country if that country has laws offering “essentially equivalent” privacy protections.[7] The U.S. and E.U. felt that the Privacy Shield complied with GDPR, but the Court of Justice of the European Union (CJEU) struck down the Privacy Shield in the Schrems II decision. The CJEU held that U.S. laws, primarily national security and surveillance laws, failed to give E.U. citizens “essentially equivalent” redress and protections.[8] With the invalidation of the Privacy Shield, data controllers and processors need to agree to Standard Contractual Clauses, which govern how data can be used after leaving the E.U.[9]

In response to the ruling, E.U. and U.S. officials recognized the urgency of finding a solution that addressed the CJEU's concerns. Negotiations remain ongoing, but some members of Congress believe the solution is to pass a federal data protection law due to Schrems II and an increasing number of state-level privacy laws.[10]

The SAFE DATA Act, introduced by Senator Wicker, would provide uniform data protection laws across the U.S. and empower the FTC to enforce them.[11] Similarly, Congresswoman DelBene’s Information Transparency and Data Control Act would empower the FTC to enforce a national data protection law that “avoids a patchwork of different privacy standards.”[12] Senator Gillibrand’s Data Protection Act would also implement a national data protection law but would establish the Data Protection Agency to enforce the law, oversee big tech, and establish new regulations.[13]

Despite growing momentum for a uniform data protection law, these bills are not progressing to committee and floor votes. An alternative to the lumbering congressional process would be for the Biden Administration to negotiate a treaty governing data privacy and transfers. This route may be wise given the U.K. is beginning to form its own data protection laws separate from GDPR and the solution to Schrems II remains in limbo.[14]

President Biden campaigned on the promise of reestablishing the U.S. leadership role on the world stage.[15] Gathering the E.U., U.K., and other major economies to agree on a standard for data protection and transfers would erase the headache created by Schrems II and future headaches resulting from a patchwork of data protection standards that changes depending on which state or country you’re in. The economic power of the U.S., E.U., and U.K. would de facto force other countries to comply with the treaty’s standards, even if they don’t join, as proven by GDPR forcing U.S. legislators to think about changing our data standards. Precedent exists for the treaty pathway. The DMCA itself was partially a product of the World Intellectual Property Organization (WIPO) Copyright Treaty and the WIPO Performances and Phonograms Treaty.[16]

While setting in stone a data protection and transfer law creates stability, a patchwork of laws allows for different ideas to be tested and adapted to changing circumstances. One way to make a federal law or treaty adaptable is by requiring it be reevaluated every few years to allow for adjustments, much like the U.S.-Mexico-Canada Agreement can be reevaluated.[17]

Schrems II highlights the need for U.S. leadership on data protection. The lack of a coherent law is threatening to shift data hubs to Europe instead of giving U.S. companies the ability to host and maintain data here. Uniform laws regarding data protection and transfers will allow the U.S. to continue competing on the international stage and empower U.S. businesses to continue driving global innovation.

 

[1] Digital Millennium Copyright Act of 1998, Pub. L. No. 105-304, 112 Stat. 2860 (codified as amended in scattered sections of 17 & 26 U.S.C.).

[2] Mike Woodward, 16 Countries with GDPR-like Data Privacy Laws, SecurityScorecard (Jul. 8, 2021) https://securityscorecard.com/blog/countries-with-gdpr-like-data-privacy-laws.

[3] The History of the General Data Protection Regulation, Eur. Data Prot. Supervisor, https://edps.europa.eu/data-protection/data-protection/legislation/history-general-data-protection-regulation_en (last visited Sept. 29, 2021).

[4] The United States-European Union Trade and Technology Council, U.S. Dep’t of State (Sept. 28, 2021) https://www.state.gov/the-united-states-european-union-trade-and-technology-council/.

[5] Commission Regulation 2016/679 of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), 2016 O.J. (L 119) 83.

[6] Privacy Shield Framework, Int’l Trade Admin., https://www.privacyshield.gov/eu-us-framework (last visited Oct. 4, 2021).

[7] Hendrik Mildebrath, The CJEU judgement in the Schrems II case, Eur. Parliamentary Rsch. Serv. (2020), https://www.europarl.europa.eu/RegData/etudes/ATAG/2020/652073/EPRS_ATA(2020)652073_EN.pdf.

[8] Case C-311/18, Data Protection Commissioner v. Facebook Ireland Ltd., ECLI:EU:C:2020:559 ¶104 (July 16, 2020).

[9] Mallory Petroli, New Standard Contractual Clauses Under the GDPR, Nat’l L. Rev. (Aug. 9, 2021), https://www.natlawreview.com/article/new-standard-contractual-clauses-under-gdpr.

[10] Todd Feathers, Big Tech is Pushing States to Pass Privacy Laws, and Yes You Should Be Suspicious, The Markup (April 15, 2021, 8:00 AM), https://themarkup.org/privacy/2021/04/15/big-tech-is-pushing-states-to-pass-privacy-laws-and-yes-you-should-be-suspicious.

[11] Wicker, Blackburn Introduce Federal Data Privacy Legislation, U.S. Senate Comm. on Com., Sci., & Transp. (July 28, 2021), https://www.commerce.senate.gov/2021/7/wicker-blackburn-introduce-federal-data-privacy-legislation (allowing consumers to access, change and delete their data; prohibit data transfers without consumer consent; require businesses to transparently inform consumers how they use data and conduct privacy impact assessments; and allow the FTC and state attorney general to enforce the law and subsequently created FTC made regulations).

[12] DelBene Introduces National Consumer Data Privacy Legislation, U.S. Congresswoman Suzan DelBene, (March 10, 2021), https://delbene.house.gov/news/documentsingle.aspx?DocumentID=2740 (allowing consumers to opt-in to allowing companies to use and collect their data; requires companies to audit their privacy protections biannually; allows the FTC to create more specific rules and allow the FTC and state attorneys general to enforce the law and regulations).

[13] Gillibrand Introduces New and Improved Consumer Watchdog Agency To Give Americans Control Over Their Data, Senator Kirsten Gillibrand (June 17, 2021), https://www.gillibrand.senate.gov/news/press/release/gillibrand-introduces-new-and-improved-consumer-watchdog-agency-to-give-americans-control-over-their-data (establishing the Data Protection Agency (DPA) to protect consumer data and ensure data practices are “fair and transparent;” the DPA would have enforcement powers; and the DPA would be tasked with forming a template data privacy for private business to use).

[14] Peter Swire, U.K.’s Post-Brexit Strategy on Cross-Border Data Flows, Lawfare (Sept. 1, 2021, 9:01 AM), https://www.lawfareblog.com/uks-post-brexit-strategy-cross-border-data-flows.

[15] Joseph R. Biden, Jr., Why America Must Lead Again, Foreign Affairs (Mar./Apr. 2020), https://www.foreignaffairs.com/articles/united-states/2020-01-23/why-america-must-lead-again.

[16] U.S. Copyright Office, The Digital Millennium Copyright Act of 1998 U.S. Copyright Office Summary 2 (Dec. 1998).

[17] U.S. Congressional Research Service, The United States-Mexico-Canada Agreement (USMCA) 39 (July 27, 2020) (the USMCA can be reevaluated after six years and every sixteen years thereafter).