The EU doesn’t trust its citizens’ data in the hands of the U.S.
With all the crises facing America, it’s surprising to find privacy so high on President Joe Biden’s agenda. But in his first week in office, he already appointed someone to negotiate with the European Union how personal information is moved between Europe and the U.S. Last summer, the EU said the way data was being sent to the U.S. was insecure. In August, regulators in Ireland told Facebook to stop transferring its citizens’ data out of Europe.
The issue is with the Irish High Court. In December, Facebook argued to that court that stopping data transfers would have “devastating and irreversible consequences” for its business. But this rule would obviously impact all kinds of commercial data and companies. And obviously, it’s a big deal for the new administration. I spoke with Jessica Lee, a partner with the law firm Loeb & Loeb. The following is an edited transcript of our conversation.
Jessica Lee: Prior to 2020, we had something called the Privacy Shield in effect, and that helped us transfer data from the EU to the U.S. And then, over the summer in July 2020, that was struck down. It was found that because of some of the surveillance operations of the U.S., certain executive orders and laws we have in place, that the data of EU individuals when it comes here essentially isn’t held to the same privacy standards as they are in the EU, and that the Privacy Shield wasn’t adequate enough to protect it. So that left a lot of us in the privacy community scrambling towards the second half of the year, trying to figure out how to keep data flowing across the border.
Molly Wood: And that was a big deal to American tech companies, right? I mean, they were saying, “OK. Well, look, if we can’t share data back and forth, we’re not going to be able to operate in some of these countries.”
Lee: Right, exactly. And so we’ve been looking for two things. So, one is standard contractual clauses. So a lot of companies have defaulted to that, but even those are on shaky ground and are being revised. So I think everyone was hoping that we’d find some solution, some post-Privacy Shield path forward with the EU. But that was difficult, I think, with the previous administration.
Wood: Well, now we actually have someone in this role early. What does that signal to the rest of the world about the position the U.S. might take on privacy?
Lee: I mean, I think it signals a couple of things. First, on privacy, I think it signals that the Biden administration understands the importance and the significance of the issue, and the need to have these cross-border cooperation in place. And so I think having someone [like] Christopher Hoff, who was appointed to this position, really signals that they’re going to take this seriously, and then take the steps that might be needed on the side of the U.S. to make the EU comfortable with these data transfers.
Wood: More broadly, what issues around privacy and surveillance do we expect the Biden administration to tackle? Is there a chance for federal privacy legislation, at long last?
Lee: I’ve said that I have moved from just mostly pessimistic to now moderately optimistic. And that was really pushed forward by what happened in Georgia. So now with one party controlling all houses, I think the path forward seems a little bit more clear. And we have to keep in mind that we have Biden and then we also have Kamala Harris, who formerly was the attorney general in California, where she pushed forward a lot of significant privacy legislation that still impacts a lot of us today. So between the two of them, I think this is an administration that has a background and understanding of the importance of privacy. And we have to deal with the pandemic first, but I anticipate privacy being a priority for them.
Wood: I mean, as you mentioned, Vice President Kamala Harris, as a presidential candidate, she said that her first priority with tech companies is to ensure that consumer privacy remains uncompromised. Is this an administration, do you think, that will try to find a better line between a business-friendly approach and a consumer-friendly approach, whereas now it seems to be all business?
Lee: I do. I think they’ll be really sensitive to the consumer issues. And if we think about it, when I look at what’s going on, in terms of trying to regulate privacy, and then more broadly, the tech companies, it feels like regulators are trying to chase a ball down a hill. It’s like, “Oh, do we do antitrust? Do we do Section 230 [of the Communications Decency Act]? Can we get some kind of federal privacy?” And I think that they’ll try to take a pragmatic approach that will bridge the gap between the business and the consumer advocates. And from where I sit, I think there are really two sticking issues with federal privacy that are left. Will there be a private right of action? Meaning, will individual consumers be able to sue companies directly? And then, will it be preemption? Meaning, will this federal bill preempt any state laws, which is really what business wants because business doesn’t want to have to comply with 50 different state privacy laws on top of federal privacy. So I think if we can get a path forward on those two, all the other points of privacy laws — should consumers get rights — a lot of companies are already complying with that because of [the EU’s General Data Protection Regulation and the California Consumer Privacy Act]. So we’re down to the final issues, hopefully.
Wood: The U.S. has not been in a leadership role with respect to privacy regulation. Do you think that what comes next will largely be based on what we’ve already seen in Europe and Australia? Or is this an opportunity for us to come up with new ideas and regulations that could be applicable globally?
Lee: You know, I think that for the federal privacy law there is a real push on the business side to get it moving, particularly the next two years before [the California Privacy Rights Act] goes into effect. And it might not be enough time to rip it up and start over, and I think there’s been a lot of work done. So I think a federal privacy bill will look somewhat similar to what we see around the world in terms of businesses will have certain obligations and consumers will have certain rights. Maybe the nuances of that are somewhat different, but I think that will be the structure. I imagine that there’ll be other, more sectoral approaches that the U.S. will try to take to make itself stand out. So when I was talking about the ball rolling down the hill for privacy, it’s because we let things go so far without a lot of regulation that it’s hard to catch up now. But we have AI and facial recognition and some other technologies that are taking off but haven’t fully taken off yet. And I think we have an opportunity here to step in and think about: Can we be more innovative in terms of how we regulate so that we can keep the innovation moving forward, but protect consumers? And if we’re going to do it, now’s the time, or else we’re going to get to the place where we’re too late again.
Related links: More insight from Molly Wood
So one thing I want to make clear is that the EU’s Privacy Shield ruling is less about what Facebook does with information on U.S. citizens and more about what U.S. intelligence agencies might do with it. This is a ruling that goes all the way back to the [Edward] Snowden revelations about the National Security [Agency] spying on U.S. citizens and companies and those who do business with them. And it puts billions of dollars in digital trade at risk, which is probably why it’s so high on the Biden agenda. It’s not so much cookies and targeted ads as it is huge international business deals and the reputation of the U.S. intelligence apparatus. It is complicated, but it’s also interesting.
Speaking of cookies — and not the good kind — in case you missed it, there were reports earlier this week that Google is working on new ad technology that would track users in a way that’s more private than the use of cookies, which now follow you across the web and track everything you do and report back to the Google or Facebook mothership. Google said last year that it would get rid of cookies by 2022 on its Chrome browser and is demonstrating some of its more privacy-friendly tracking tech this week. And Apple is also working on a system that would let people opt in to letting advertisers collect the unique ad IDs from their phones.
And weirdly, despite it seeming to be great news that companies are fighting to outdo each other with more privacy features, states, advertisers and the EU are afraid the moves are also anti-competitive because then Apple and Google could end up owning all the good stuff. I choose to see it as progress, if definitely not perfection.
The future of this podcast starts with you.
Every day, the “Marketplace Tech” team demystifies the digital economy with stories that explore more than just Big Tech. We’re committed to covering topics that matter to you and the world around us, diving deep into how technology intersects with climate change, inequity, and disinformation.
As part of a nonprofit newsroom, we’re counting on listeners like you to keep this public service paywall-free and available to all.
Support “Marketplace Tech” in any amount today and become a partner in our mission.