In the span of just eight months, the shine has come off President Biden in Europe. Initially thrilled at his election, America’s allies on the continent have been left bruised and disappointed by Biden’s unexpectedly contemptuous diplomatic style. The president’s handling of the Nord Stream 2 gas pipeline angered some of our Eastern European friends, and his secrecy in establishing the AUKUS alliance has infuriated our French partners. In private, key European allies complain that the U.S. president ignored them in charting a new Afghan strategy that led, in the end, to an outright debacle.
Against this backdrop, the U.S. is seeking to win over Europe for the technological competition with China. This week, the U.S. and European Union (EU) are set to meet at the ministerial-cabinet level in Pittsburgh to inaugurate the much-heralded Trade and Technology Council (TTC), the product of President Biden’s June meeting with European Commission President Ursula von der Leyen. However, for the second time in three months, a crucial sticking point in the transatlantic economy will not make it onto the agenda: the status of transatlantic data flows. This poses a real danger to the health of both economies.
The story goes back over a year, when the European Court of Justice (ECJ) overturned the U.S.-EU Privacy Shield, a five-year old agreement that governed transatlantic data flows. Privacy Shield was itself a successor to the painstakingly negotiated Safe Harbor Agreement, which the ECJ invalidated in 2015. The legal uncertainty unleashed by the latest ruling has forced companies transferring data across the Atlantic to fall back onto standard contractual clauses, which the EU updated in June to reflect the stringent data protections in its General Data Protection Regulation (GDPR).
The nub of the matter is that EU authorities worry that the personal data of European citizens acquired by U.S. firms could be transferred to U.S. intelligence agencies.
This places an enormous burden on the 5,380 companies — 75 percent of which are small-to-medium enterprises — that relied on Privacy Shield and now face the prospect of legal limbo. In 2019, the U.S. exported more than $245 billion and imported over $133 billion in digitally-enabled services to and from Europe, for a surplus of $112 billion.
And last year, more than ever, the coronavirus pandemic highlighted the importance of U.S. technology companies for stabilizing economies on both sides of the Atlantic. It is no exaggeration to say that digital services constitute one of the most dynamic sectors in international trade today.
Although negotiations continue, hopes for a speedy resolution to this impasse have proven illusory. After failing to elevate the issue onto the agenda of the president’s summit with the EU in June, the U.S. again sought to raise it in the context of the TTC. The EU successfully resisted both efforts, however, adding that a deal could slip to next year despite the “enhanced” privacy solutions offered by American negotiators.
By all accounts, Brussels is feeling bullish after achieving many of its goals in the negotiations leading up to the TTC, and clearly does not wish to be embarrassed by yet another ECJ invalidation. But Europe would be wise to extract what it can from the Americans and strike a deal on data flows. By now it is clear that congressional action to bring U.S. law into explicit statutory alignment with the ECJ is unlikely to be forthcoming. For the foreseeable future, Congress will be preoccupied with other legislative priorities, most notably the president’s signature plans to remake the American economy.
Moreover, the U.S. has highlighted a glaring double-standard: Europeans are hugely reliant on U.S. data collection for their own anti-terror programs, with the U.S. sharing intelligence collected through the very program targeted by the ECJ to foil several terror attacks on European soil. While the European Data Protection Board has cited the GDPR’s “public interest” derogation to facilitate continued cooperation, this exemption is designed to be so restrictive and discrete as to diminish the effectiveness of counter-terrorism operations.
While the ECJ seeks to handcuff U.S. intelligence, European intelligence agencies are free to use similar data collection methods to target American citizens. To add insult to injury, U.S. officials have noted that digital companies active in Europe but headquartered in authoritarian nations (China) have received far less scrutiny than warranted while the vast majority of U.S. companies have never received an order to disclose data to the U.S. government.
If a durable transatlantic pact isn’t reached soon, the uncertainty gripping businesses will have a deleterious effect on the transatlantic economy, just as they are looking to recover from the coronavirus pandemic. Facebook has signaled it may pull its business from Europe if no solution is found, and a number of European regulators from Portugal to Germany have begun ordering their officials to stop using select American systems and platforms. This could lead to data localization, with its attendant economic costs and cybersecurity risks.
The Biden administration’s standing in Europe is anything but sturdy. With attention now focused on the broader TTC as a means of relaunching the relationship, Washington and Brussels must not lose sight of an economic goal in the making. In reality, an agreement on the transatlantic flow of personal data would inject momentum into a broader technology alliance — a partnership that sets the rules of the road for the 21st century. Forging a data pact after the TTC would be a good place to start.
Peter Rough is a senior fellow at Hudson Institute in Washington, D.C.