To recap: on July 7th, the EU announced that it had revoked the Privacy Shield, a transatlantic agreement that enabled the legal transfer of data between itself and the United States (U.S.). Remarkably, the invalidation of the Privacy Shield framework was made effective immediately, leaving no grace period for an estimated 5,400 companies that rely on the program’s protections to transfer data to and from the EU. Compounding the ambiguity of the moment is the flurry of complaints filed by European privacy groups against major companies with regional operators still relying on Google Analytics / Facebook Connect integrations (still reliant on Privacy Shield-adjacent arrangements).
The present moment might be ostensibly described as another dip on the regulatory rollercoaster at the heart of the EU’s mandate for individual privacy. The announcement a few days ago that the European Commission has begun initiating discussions to construct a new Privacy Shield seems to encapsulate such imagery. It mirrors how the same court responsible struck down a similar decades-long data agreement in 2015, the Safe Harbour agreement, propelling the European Commission to propose and enact the Privacy Shield in 2016.
However, we should recognize the past few years as indicative of the EU’s growing willingness to play privacy “bully-ball”, pressuring other countries — including close allies — to comply with stronger data privacy mandates as a basic requirement to conduct business in the region. Indeed, the EU is making a nationalist digital identity play, focused on addressing the control over identity’s building blocks at a regional level.
The EU’s prioritization of individual privacy is best understood as a cocktail of two countervailing forces – one part historical concerns that the union has had with overbroad government interests, and one part overbroad commercial interests. For the past three decades, the EU has always had a comprehensive, region-spanning privacy framework — first with the Data Protection Directive (DPD), transposed consequently by the General Data Protection Regulation in 2018 (GDPR). The two equally address protection against government and industry forces, applying to all organizations in the EU operating in the public and private sector. In contrast, the US has consistently been plagued by a patchwork approach. Its legal precedent has largely focused on governmental intrusions on individual privacy, and its commercial protections are industry-specific.
The EU also has had a vested interest in pushing back against Silicon Valley (SV) incumbents, reflecting its issues with the US regulatory approach to privacy. Moreover, this interest is couched in the historical and silent cooperation of SV corporations with US intelligence agencies. In fact, it was the 2013 revelations about the scope and breadth of the US National Surveillance Agency, laid bare by Snowden, which prompted the original scrutiny in the EU leading to the 2015 Safe Harbor agreement strikedown. Previous actions the EU has taken also reflect this, with the EU citing potential NSA involvement in 2018 as it applied antitrust pressure against Google.
Although the EU is focused primarily on individual privacy — whereas China has focused on national security as its guiding principle — its strong preference for data localization suggests a similar belief that strong government actions and regulations can also play a part in re-establishing the EU as a power in the digital identity space.
The EU’s commercial ambitions for digital identity are made chiefly evident by viewing its government initiatives in the context of anti-SV and anti-US regulatory trends. Its Data Strategy, announced in February 2020, will set into motion a €2 billion investment into EU specific data processing and sharing infrastructure. Moreover, in April 2020, the union announced plans to stand up a region-specific industrial database that could rival SV, aiming to capitalize on a EU-centric data economy worth roughly 400 billion euros and a data market worth roughly 75 billion euros.
It’s clear that, at least when it comes to digital identity, the EU has furthered its national interest and led the narrative around who controls and shapes it. And while the impact to its data economy has yet to be captured fully, the EU has succeeded in establishing itself as a regulatory leader for data privacy. It has pushed other countries (notably, Argentina and Japan) to achieve adequacy for data protection within the region.
In doing so, the EU has legitimized the phantom of cyber-nationalism sweeping the globe, and suggests its investment in leading and molding digital identity for both its citizens and — by proxy — the rest of the world. The EU Commission’s Data Strategy states this plainly, emphasizing that the moment to act against “sources of competitiveness for the next decades in the data economy” (i.e. SV incumbents) is now. Acting otherwise, it states, “reduces incentives” for data-driven businesses located in the region to emerge, to grow, and to compete.