But recently, the push toward EU data localization has grown more urgent. The UK is exiting the EU without having reached an adequacy decision, creating new risks for companies transferring data from the EU to the UK. EU internal market commissioner Thierry Breton claims he wants to make Europe “the most data-empowered continent in the world” in part by cutting its data off from the rest of the world. Breton has said EU rules need to state “European highly sensitive data should be able to be stored and processed in the EU.” Breton told a French newspaper that the EU should use privacy regulation as a weapon against U.S. tech companies, requiring data to be physically stored and processed in Europe. He called an open internet “naïve.”
In this interview Breton said, “We must go further and demand that European data be stored and processed in Europe, in accordance with procedures that Europe will have set. In other words: it is necessary to structure the information space, as we have organized in the past the territorial space, the maritime space, and the air space. The GAFA [Google, Amazon, Facebook, and Apple] tried to make digital a “no man’s land” whose law they would write. It’s over. It is time to relocate this information space by opting for processing our data on European soil.” So he has re-characterized an open internet – which has been an aspiration for democracies and free societies around the world – as a digital no man’s land that must be divided into protectionist chunks.
Breton, France’s former Finance Minister, wants laws to help European businesses resist subpoenas from the U.S. and elsewhere. According to TechCrunch his governance proposals “will include a shielding provision — meaning data actors will be required to take steps to avoid having to comply with what he called ‘abusive and unlawful’ data access requests for data held in Europe from third countries.” According to Politico, “leaked documents outlining Europe’s grand digital strategy include talk about fostering an environment that will “lead to more data being stored and processed in the EU,” as well as an “assertive approach to international data flows. Not only would [EU data localization] undermine the EU’s own insistence on free data flows in negotiations with trade partners, it would also put the bloc in a league with authoritarian regimes in Russia and China, which use localization rules to clamp down on the circulation of information — splintering the notional worldwide web into country-sized shards.”
To this end, the EU in recent months proposed new rules on data governance to benefit EU companies. The new rules create nine “data spaces” including industry, energy, and health care. The official press release from the EU makes clear that the EU plans to use these rules to cripple American tech companies by forcing EU data into government-operated data pools to benefit European businesses.
The recent Schrems II decision from the European Court of Justice eliminated the U.S./EU Privacy Shield that encouraged and allowed data to flow from the EU to the U.S. This decision placed into question whether any of the current agreed methods of data protection and transfer would allow information to be moved from the EU to the U.S.
Citing Schrems II, the Data Commissioner in Berlin suggests that local companies storing personal data in the US immediately transfer the data to Europe and stop sending EU personal data to the U.S. under current US law. The Hamburg data authority welcomed Schrems II castigation of the U.S. and wrote that the EU-drafted Standard Contract Terms under which many businesses transfer data across the Atlantic are equally unsuitable to the Privacy Shield. The Dutch privacy authority states that the clauses were ruled valid, but also notes they are only valid in places that adequately protect data under EU standards and the U.S. is not such a place. Even Ireland, where many U.S. tech companies are headquartered or have a significant corporate presence, saw its data protection commissioner question whether the Standard Contract Terms or other transfer mechanisms were still available for transfers to the U.S. OneTrust publishes a chart of EU Data Protection Authority reactions to Schrems II, complete with links, as does the IAPP.
Many of the various data protection authorities wrote in a more business-friendly and conciliatory tone, including the UK, which at the time stood in a legal data limbo regarding EU policy after Brexit. But the logic of Schrems II is unavoidable: The U.S. government is willing and able to access private data, so EU data should not be placed within the U.S. government’s reach. Under this logic, there could be nothing that a U.S. company could do to adequately protect personal data collected in the EU because that data will always be subject to U.S. government intrusion.
For any business wanting to avail itself of the EU marketplace, data localization will be like another tax – there may be specific data-focused taxes as well. But this will be an extra set of costs in organizing technology infrastructure and meeting new regulations that will drain profitability from any such venture. In addition, EU Commissioner Briton has pushed forward a plan for companies collecting information in the EU to share with the European governments and with competitors. The EU rules already stand for the proposition that the data you collect on your own transactions does not belong to you, and may soon stand for the proposition that your valuable business data should be shared with people who want to hurt your company.
Importantly, if the EU moves toward data localization, other countries and regions would be empowered to do the same. The U.S. and the EU have been discouraging trading partners from closing off, and the concept that a free and fair internet helps everyone is one of their best arguments for openness. Closing down significant data movement from the EU would ruin this point, and others would react. At the moment, primarily those companies aspiring to iron political control over all information are completely localizing their data. But if Brazil, Japan, or even Australia thought that it could broadly localize its internet to protect its own local companies, then the business internet would quickly be closed off into discrete rooms encouraging local business. U.S. companies looking to expand into other markets would suffer through additional regulation, costs, and in some cases, partial or complete restriction from competing in these markets.
The U.S. government understands that data localization is a threat to American businesses, and it has begun building safeguards against data localization into its treaties like the U.S.-Japan trade deal, the Trans Pacific Partnership and the United States-Mexico-Canada Agreement (USMCA), which renegotiated and updated NAFTA. According to the U.S. International Trade Commission, “protection from localization laws is essential for U.S. carriers seeking to manage data processing and network management functions from a centralized location.” In estimating USMCA’s economic impact on the United States, the same commission notes that “USMCA’s Digital Trade chapter, along with provisions related to investment and e-commerce, contribute significantly to the model’s estimated 0.17 percent increase in U.S. services sector output and 1.2 percent increase in services exports to the world.”