U.S. President Joe Biden and European Commission President Ursula von der Leyen just secured a political agreement to keep data flowing between the European Union and the United States.
But with EU and U.S. negotiators still hammering out details on the new transatlantic data pact — and legal challenges expected once the deal is completed — policymakers are already scrambling to shore up the free flow of data across the Western world.
The Organization for Economic Cooperation and Development, a Paris-based group of mostly rich countries, may have an answer.
In lengthy talks dating back to late 2020, policymakers from the EU, U.S., United Kingdom and other like-minded nations are edging closer to creating an international pact under the OECD’s mandate that would set the ground rules for how national security agencies access people’s information — all while upholding high privacy standards to avoid overreach by national spies.
Tensions over what legal checks there should be for national security purposes have resurfaced in negotiations, according to eight people directly involved in the talks who spoke to POLITICO on the condition of anonymity because they were not authorized to speak publicly about the closed-door talks.
On one side stand the so-called Five Eyes countries — the U.S., the U.K., Canada, Australia and New Zealand — that want such a deal to focus solely on national security and law enforcement concerns. On the other are those within the EU who say that to really restore trust in data flows, any OECD-led agreement should encompass all types of government access to people’s information, including for purposes like tracking tax avoidance, added the individuals, who include officials, company executives and legal experts.
But as negotiators ramp up talks to draft a potential pact via the OECD over the coming months, officials, privacy experts and others stress that the need to revamp how data is moved between countries is more important than ever as the global economy becomes increasingly reliant on digital trade. And the recent political agreement between the EU and U.S. highlights how Brussels, whose privacy rules are now the de facto global standard, wields almost complete control over which countries can access its citizens’ data anywhere in the Western world.
“It’s not sustainable,” said J. Trevor Hughes, head of the International Association of Privacy Professionals, an industry group. “Now, we have these massive structures with interlacing data transfer agreements that are largely politically driven at this point.”
Privacy Shield challenges
The ink is barely dry on the data agreement between Washington and Brussels. But already there are doubts that it will survive legal scrutiny from the EU’s top judges.
Max Schrems, the Austrian activist responsible for invalidating two previous transatlantic data transfer deals, warned the political agreement amounted to little more than “lipstick on a pig.” Without new privacy legislation in Washington, he warned, the new agreement did not offer the right protections for EU citizens.
“There’s a question of whether the EU will ever be able to negotiate a sustainable deal with the U.S.,” said Estelle Massé, a global data protection lead at digital rights NGO Access Now. “But that doesn’t mean the whole EU adequacy system is done … none of the other deals have been called into question yet.”
This standoff highlights the power that Brussels wields via its so-called adequacy decisions, or legal rulings deeming that certain countries have the same level of data protection standards as those of the 27-country bloc.
The EU currently has just over a dozen of these agreements with countries ranging from Argentina to Israel, and the model of bilateral assessments of data protection regimes has been copied around the world, including in countries like the U.K.
For years, the U.S. has grumbled that the EU’s system is outdated because it gives one region overwhelming power over data transfers. Washington has been keen to promote a rival global data flows framework developed by the Asia-Pacific Economic Cooperation, which is a regional trading bloc.
That model allows companies to shuttle information between countries that have signed up to basic privacy principles and protections from government access that are checked by independent auditors. But even observers sympathetic to the U.S. think that its cheerleading of the APEC framework is more wishful thinking than anything else.
“I think the United States has been trying to evangelize [the APEC framework] as a counterweight to the European model,” said Omer Tene, a U.S. privacy lawyer at Goodwin, a law firm, who has long advocated for a more multilateral model for global data flows. “But it hasn’t gone very far, to put it generously.”
So far, just a handful of companies have signed up to the APEC scheme, and three EU officials, who spoke on the condition of anonymity, dismissed the regime as not upholding the bloc’s privacy standards.
Faced with this deadlock, the OECD seems the surest path forward to a truly global data agreement.
Since 2020, countries have been working on a set of nonbinding principles to govern government access to personal data, an issue that has become a key impediment to global data flows.
“Government access to data is the foundation,” said Nigel Cory, associate director covering trade policy at the Information Technology and Innovation Foundation, an industry-linked think tank. “It’s the basis for a data free flow of trust.”
These global talks stumbled last summer, however, after a split arose over how governments wanted to frame a potential deal.
The U.S. and its Five Eyes partners believed focusing solely on national security agencies’ access to data would move the negotiations along quickly, in contrast to the broader scope sought by some within the EU.
Complicating matters, there was a split between EU countries on where to focus attention, according to three officials involved in the talks. While several Scandinavian countries saw merit in focusing on national security issues, others within the 27-country bloc viewed that narrow focus as giving Washington and London a victory on data transfers without securing the necessary checks on how EU data may be used by those countries’ intelligence agencies.
Despite the impasse, those involved in the talks are confident that a breakthrough can be reached, especially in light of last week’s EU-U.S. agreement. They eye a December timeline for the OECD’s initiative to be up and running, though that deal would not override the transatlantic pact, but would instead operate in parallel to the deal done between Washington and Brussels.
“The Privacy Shield negotiations are legally and structurally separate from the OECD process,” said Audrey Plonk, who is leading the initiative at the OECD. “But I hope the agreement brings a breath of fresh air to the OECD negotiations.”