Press play to listen to this article
Washington’s deadlocked Congress isn’t going to pass federal privacy rules any time soon. But on the global stage, the United States wants to show its allies that it means business — even if that means butting heads with the European Union.
Central to the United States’ pitch is the newly created Global Cross-Border Privacy Rules Forum, an international group of countries including the U.S., Singapore, Japan and others from the Asia Pacific Economic Cooperation, a regional trade group. Officials from 20 jurisdictions — and not just from APEC — gathered in Hawaii last week to hammer out details on potential worldwide data protection rules that would allow people’s personal information like search queries and payroll information to flow seamlessly across borders.
The group hopes to bring the likes of the United Kingdom and Brazil on board to help update the global privacy rulebook by the end of the year. They also aim to start accepting new members like Bermuda and Chile, which have shown a willingness to join the new data pact, by early 2023, according to four officials from participating countries, who spoke on the condition of anonymity to discuss the forum’s internal discussions.
The goal, according to Shannon Coe, director of global data policy at the U.S Commerce Department’s International Trade Administration, who is involved in the discussions, is to open up trade between participating countries while giving people assurances their data won’t be mishandled once it’s shipped outside their home countries. The new rules will be based on an existing APEC privacy framework, but are expected to replace that regional regime — with updated privacy standards — with a global system that’s open to all.
“It’s becoming increasingly complex for businesses to comply with all these different regulations. There isn’t a multilateral mechanism that exists,” Coe told POLITICO. “That’s what this global forum is meant to address. It’s meant to provide a sort of scalability, which is what regulators, governments and companies are hungry for.”
Yet the Washington-led privacy push — officials say other countries will have equal say on how the data protection structure evolves — is likely to cause friction with the EU, which has exported its separate privacy standards dating back to 1995 in ways that have made the 27-country bloc’s rules now the global de facto standard.
Brussels and Washington signed a political agreement in March to allow data to flow freely across the Atlantic, with the final deal expected by the end of 2022. Yet two EU officials, who spoke on the condition of anonymity because they were not authorized to speak publicly, warned that the new APEC-based system did not offer the same levels of protection granted under the bloc’s privacy rules.
In Europe’s 2019 international data deal with Japan, for instance, the bloc made it clear that APEC’s privacy standards — on which the new global agreement will be based — were not good enough to keep EU data safe. Japan is also a signatory to the new Global Cross-Border Privacy Rules Forum. Privacy experts also cautioned that APEC’s existing data protections often favored companies’ use of people’s data, and few restrictions are in place to check for possible abuses of how that information can be used.
“My answer has been, since Day One, [that] it does not exist,” said Graham Greenleaf, an Australian professor who wrote reviews of countries’ privacy agreements with the EU when asked about how effective APEC’s privacy regime has been since it was created in 2005. “It is a figment of the United States’ imagination.”
Privacy rules go global
For supporters of the new data protection push, that criticism misses the point.
Europe’s privacy rules, they argue, are too rigid and give Brussels almost complete control over deciding which countries have sufficient privacy protections in place to receive EU citizens’ data. Under the bloc’s so-called adequacy decisions, or legal rulings that grant others access to EU data, only 14 countries — including minnows like the Faroe Islands and the Isle of Man — have so far been granted that clearance.
“The whole world is inadequate under the GDPR,” said Josh Harris, a former Commerce official and current director of global privacy initiative BBB National Programs, an accountability agent under the APEC framework, in reference to Europe’s rules known as the General Data Protection Regulation. “There [have] to be mechanisms in place that can allow these jurisdictions to work together in a multilateral way. So it’s more a function of necessity than it is a rivalry.”
Some are more optimistic about the forum’s potential to rival the EU’s privacy powers.
One of the government officials present at the talks, who spoke anonymously because they were not authorized to speak publicly, said that if a country like Singapore — whose prospects of an EU deal are remote because of the bloc’s focus on other parts of the world — was able to get a sizeable number of its companies to sign up to the new framework, it would inevitably begin to offer an alternative for other countries looking to move away from the current cross-border system dominated by Brussels.
Coe, the Commerce official, said officials from seven APEC countries — alongside interested countries like Colombia and Vietnam — would spend the rest of the year working out the details of the new global privacy pact. For Washington, the goal would be to replace the existing APEC system, though all options were still on the table, she added.
The current system sets a baseline of data protection for all countries to sign up to and allows national regulators like the U.S. Federal Trade Commission to levy fines for wrongdoing. So-called accountability agents, or third-party private or public auditors, check whether companies are complying with the voluntary set of international privacy standards.
“We are fleshing out the sort of mechanics of, and further details of, how we are going to actually invite new members in,” Coe said. “But you can look at the foundational pieces of the [existing] system for necessary elements which are enforcement authorities; cooperation, and you have to have that enforceability of the program requirements.”
For Caitlin Fennessy, vice president of the International Association of Privacy Professionals, a nonprofit organization, and a former official at the International Trade Administration, the proposed global data pact would allow countries to approve each other’s differing legal regimes — via third-party auditors — and create a backstop for how people are protected globally at a time when almost all businesses rely on personal information.
“That scalability in the linkages and trust in your fellow regulators, and the backstop of enforcement in all jurisdictions, is really important,” she added.
Discover the Digital Bridge newsletter
I’m Mark Scott, POLITICO’s chief tech correspondent, and if you enjoyed this story, check out Digital Bridge, my weekly newsletter of EU-US digital politics.