Published by The Lawfare Institute
in Cooperation With
Data is a "magic material" that "is becoming the fuel for innovation,” says former European Commission Vice President Neelie Kroes. But getting this “magic material” out of the EU is a complicated business. Under the EU Data Protection Directive (DPD or Directive 95/46/EC), a firm can move data out of the EU only if some EU legal mechanism authorizes it. One mechanism is an EU determination that the country to which the data is traveling offers an “adequate” level of privacy protections for EU citizens, either “by reason of its domestic law” or through “an international commitment it has entered into.” Such an “adequacy determination” allows firms to transfer data to the country in question without “any further safeguard being necessary.” Since those “further safeguards” can be quite cumbersome, an adequacy determination makes it relatively easy for a country’s firms to transfer data out of the EU.
The list of countries that have received adequacy determinations reads like a game of “one of these things is not like the other:” Andorra, Argentina, Canada, the Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, the United States (who has not received a “blanket” adequacy determination, but rather has entered into agreements governing data transfers—transfers through those agreements have been deemed adequate) and Uruguay. Australia, Canada, and the US have also entered into bilateral agreements with the EU regulating the transfer of Air Passenger Name Record (PNR) data for law enforcement purposes.
But the adequacy determination list is more notable for the nations it doesn’t include than those it does. The United States is an obvious data haven, but where are the other nations whose firms must transfer data out of the EU to conduct their business? In 2016, for instance, Forbes ranked the Industrial and Commercial Bank of China (ICBC) as the world’s largest company. With its network of 331 affiliated institutions across forty countries (including some in Europe), ICBC relies on cross-border data flows to conduct data analytics and to provide and improve services. China’s Huawei is a large and global telecoms equipment maker; it also does significant business in the EU. India’s HCL technologies, meanwhile, provides IT services to 18 countries in Europe. These and many other firms from these and other industrial countries all rely on cross-border data transfers as a key part of their businesses. But somehow, they do so without an adequacy determination.
As the history of Safe Harbor and Privacy Shield shows, the EU has spent the past two decades applying the adequacy principle to the US with apparent haste. But even though few other countries have received similar attention, there is no indication that the EU is stopping data transfers to countries without adequacy determinations. This raises a key question: why? It’s not like China, for example, has robust privacy protections. How are the firms from nations not on the list still conducting business with the EU?
From Safe Harbor to Privacy Shield: the US and the Adequacy Principle
Privacy squabbles between the United States and EU date back to the late 90s, when regulators struggled to negotiate a way for the US to comply with the requirements of the then-new Data Protection Directive. After months of tense discussions (in which, at one point, a Clinton administration official threatened action in the WTO against the EU), regulators finally came through with the Safe Harbor Agreement. Under it, American firms that certified to the Department of Commerce that they had complied with the agreement’s privacy requirements could transfer data out of Europe without jumping through extra hoops.
In October of 2015, the European Court of Justice (ECJ) sent shockwaves through the tech industry when, in the Schrems case, it struck down the Agreement. The ECJ, quibbling primarily with US surveillance laws that allowed the government “generalised [access] to the content of electronic communications” (Schrems para. 94), struck down Safe Harbor as not assuring adequate privacy protections. That led US and EU officials to scramble to negotiate a new agreement, Privacy Shield, that would allow companies to transfer data freely. Privacy Shield, like its predecessor, operates on a self-certification system, requiring companies to register and self-certify their compliance with its requirements to the Department of Commerce on an annual basis.
Over the past two decades, then, the EU has issued adequacy determinations for the US not once but twice, overcoming significant obstacles in negotiating to come to an agreement on an adequacy mechanism. And indeed, because an adequacy determination allows a country’s firms to send data out of EU without the use of an alternate mechanism, one would think that the EC would want to help both member states and companies forego red tape to move that “magic material” and add more countries to the white list (through approving more adequacy decisions). Surprisingly, it hasn’t. The US has curiously found itself alone as a major world power on a list that includes the Faeroe Islands and its 49,188 people but is missing the likes of China, India, and Brazil. Why is the US receiving so much attention when other global powers seemingly are not?
What About Other Industrial Nations?
European regulators may be focusing on US privacy protections to the exclusion of other nations simply because American firms are so dominant in the market. Of the ten largest technology companies in the world, seven are American firms. It may therefore make sense for the EU to focus its resources on establishing a privacy framework for American companies, given their obvious need to send data out of the EU.
But that explanation is not entirely satisfying, because, as we saw, American firms are not the only firms likely to need to rely on data transfers out of the EU in order to conduct business with the EU. While Huawei or ZTE might not be Apple or Google, they are major firms who conduct business on a global scale. And they are firms that must use personal data transfers in order to function normally—for instance, it would be impossible for ICBC to conduct data analytics on a global scale if it were required to retain the data for each nation it serves locally.
One possible answer to this puzzle is that these firms are conducting business with the EU using special safeguards in lieu of an adequacy determination. Article 26(2) gives EU member states some wiggle room to allow data transfers to nations without an adequacy determination, and under Article 26(4), the Commission has the power to create a set of model contracts that provide sufficient protections for companies seeking to transfer data out of the EU. But though these model contracts are the most popular option for such companies, the reality is that they are very difficult to do right in practice.
For one thing, model clauses are quite difficult to enforce, as it could be difficult for an EU data protection authority (DPA) to know whether a clause is being complied with. One practitioner recently observed that, to his knowledge, authorities had not asserted or enforced any model contractual clauses between 2001 and 2011. Model clauses also impose burdens on companies, the most serious of which is that a separate contract is required for each export of data. Companies that export a lot of data would therefore need to negotiate “hundreds of contracts.” Moreover, companies cannot negotiate the contracts’ terms (though some do, this by definition makes it a non-model contract and thus takes it out of the approved process), and may face added liability as well as restrictions on subcontracting. Model contract clauses have thus been criticized for “not providing a practical solution for compliance,” but rather providing a way to comply only with the “need to use something.” Given the difficulty in execution, then, it seems doubtful that every company uses model contracts as their exclusive method of compliance.
Model contract clauses may also not be around for much longer. Recently, the Irish DPA referred the question of their legality to the Irish High Court after a challenge by apparent privacy super-plaintiff Max Schrems. If Schrems has as much luck with model clauses as he did with Safe Harbor, model clauses may also be in danger. The alternative to model clauses, binding corporate rules, also poses heavy administrative externalities and has been criticized for offering a practical compliance solution to only the largest corporate entities. And in fact, none of the corporations previously discussed are on the BCR list.
Simple administrative intransigence may also explain the low number of countries that have received adequacy determinations. For one, confusion over the very process of seeking an adequacy determination might lead fewer countries to attempt it. The EU claims it will only initiate a study on a third party’s request. But many countries believe that it is up to the third country to approach the EU about initiating a study. And indeed, there’s some evidence that whatever the process for kickstarting an adequacy determination, few countries have embarked on it. Graham Greenleaf notes that the number of countries receiving negative assessments is “unknown” but “not  very large.” Meanwhile, he reports, India and Australia have both been assessed twice, with no recommendations going forward to the Committee (though, as noted above, Australia has entered an agreement as to the transfer of passenger data). Greenleaf concludes that the EU has been tardy in applying the adequacy principle.
That tardiness may be because of the inherent difficulties in conducting the adequacy study. For instance, Christopher Kuner has attributed the tardiness in implementation to procedural, rather than substantive, obstacles. The first step to an adequacy determination, he explains, is a comprehensive study on the legal system of the country in question. Because the EC lacks the expertise to conduct the studies itself, it must turn to contractors, which further slows down the process. Moreover, for countries with obscure legal systems, it is difficult to find anyone with the relevant expertise. Political factors can also enter the equation; Kuner reports that many data protection authorities had misgivings about Argentina’s system, but the EC nonetheless approved the adequacy decision for political reasons.
Of course, the focus on US firms here could be simply another chapter in the larger story that is the growing rift between Brussels and Silicon Valley. The past several years have seen EU regulators crack down on SV firms on everything from labor practices to speech regulation; the focus on US firms, and the exclusion of other countries, could just be another manifestation of a wide-ranging struggle for power between EU regulators and American firms looking for new markets. But whatever the explanation may be, the status quo is becoming increasingly untenable. It’s unclear how many firms are currently not in compliance with the DPD’s mandates. But in 2018, when a new set of privacy rules goes into effect, firms will face a heavy financial penalty for non-compliance with the EU’s privacy rules. It remains to be seen if, when the penalty has some teeth in it, we may finally begin to see the EU begin to expand its implementation of the DPD to countries beyond the United States.