A survey by GMX last year revealed that 73 percent of British Internet users mistrust US companies over data protection concerns, which is more than double that of a similar survey in 2015 which showed that only 35 percent had such concerns. Eight percent of UK internet users have even left a US online service due to privacy concerns within the last twelve months, while 11 percent are planning to do so. The British public clearly mistrust US internet companies, a trend which may have its roots in the Snowden revelations of 2013 that showed the extent to which US intelligence agencies routinely accessed petabytes of private or company data without any good reason.
With the recent death of Privacy Shield – the most widely used mechanism for US commercial companies to transfer and store personal data from Europe in the US – following a ruling by the European Court of Justice (ECJ) in July, the inevitable question is “What happens next?” And with the UK scheduled to finish its transition out of the EU by the end of this year, how likely is a convergence in data protection policies between the UK and EU? Will the dilution of the EU’s data privacy standards that are currently signed into UK law be used as a bargaining chip to secure a trade deal with the US? The National Data Strategy recently published by the UK government leaves open the question of where it sees its priority.
The premise: Privacy Shield is no more
Privacy Shield’s days were numbered due to the GDPR (General Data Protection Regulation) stipulating that the data of European citizens must be protected regardless of its location and prohibiting European firms from transferring personal data to overseas jurisdictions with weaker privacy laws. The US does not have its own direct equivalent of the GDPR, and its data protection standards are regarded as lower than those set by the GDPR. Further adding to the concerns is the US CLOUD (Clarifying Lawful Overseas Use of Data) Act (H.R. 4943) which effectively erodes all data protection by allowing US federal law enforcement agencies to compel US-based technology companies to provide requested data stored on their servers, irrespective of whether the data resides within the US or not. In other words, even if you choose to store your data on GDPR-compliant servers in Europe, if the data is stored by a US company, it can still be handed over to US authorities.
How can European citizens feel comfortable giving their data to US companies in Europe, knowing the CLOUD law exists? The European Court of Justice had a clear answer and confirmed by its July ruling the discomfort that 73 percent of Great Britain’s internet users already felt.
Why Europe can still catch up in the digital competition
Europe may have a thriving technology sector, but none of its homegrown successes has yet reached the global scale where the standards of the global digital economy are being set. Instead of wasting time trying to find a solution for irreconcilable differences with the US regulation standards, Europe should use its data privacy leadership to its advantage. It must become a relevant technology player before it can be the bearer of better standards for the world. But there is a lot of catching up to do.
As a first step, Europe must make a level playing field. As the digital infrastructure is in the hands of dominant US players, Europe has to make sure that components such as operating systems, app stores, browsers, etc. are acting hundred percent neutrally and not abusing their position nor setting their own rules of play. Especially post Brexit, the UK will rely heavily on its service and knowledge based economy to stand up against the global competition. A level playing field like this is vital to allow the undisputedly strong British tech start-up community to flourish and break through to meaningful levels. The attempts to regulate players like Google took such a long time, and in any case fines of a couple of billion Euros did not have any effect on the market. Europe urgently needs a legal basis to secure access to digital platforms, especially those that have infrastructural character.
As that alone does not generate European alternatives, the question is how one could build relevant competition. This will be achieved by pushing open standards to generate synergies within and across industries, and investing heavily to build up competitors that differentiate themselves in the European B2C and B2B markets by keeping European data in Europe.
But what about Brexit?
Is this talk of building up European tech strengths irrelevant if the UK is outside of the EU, as it will be once the transition period ends on the 31st December? Not at all. The question remains open, whether the UK will continue to uphold GDPR data protection standards enshrined in UK law (via the Data Protection Act 2018). The scope for changes will remain a possibility after Brexit, especially if they become a critical part of trade negotiations with the US. The UK has proven to be possibly the most stringent enforcer of fines for breaches in data protection. Its clear commitment to the principles of consumer protection and empowerment as well as the willingness not to just introduce standards but also to apply them is perhaps one of the most promising areas of common interest between the EU and the UK..
Time to act
Europe’s digital companies will need to work fast to agree on the necessary open standards to foster competition. At the same time, politicians will need to act just as quickly to ensure these new legal frameworks are presented as a viable alternative to those dictated by US and in the future Chinese companies. Even while acting outside of the EU post-Brexit, the UK will benefit from working with its EU neighbours on the same goals. Only by investing in Europe’s own digital industry and promoting open standards would European digital companies have a chance.