A shorter version of this report was published in the Privacy Perspectives of the International Association of Privacy Professionals, on April 29, 2021.
Data localization was a prominent theme among the nearly 200 comments submitted to the European Data Protection Board (EDPB) in response to its November, 2020 draft Guidance (the “Guidance”) about transferring personal data from the EU to third countries.[1]
Based on a review of all the comments,[2] approximately 25% of the nearly 200 comments submitted to the EDPB expressed concern that the Draft Guidance would result, in practice, in data localization. Slightly more than 10% of the comments spoke explicitly to the concern that the application of the EDPB Draft Guidance released in 2020 would result in data localization, in law, in practice, or both. Nearly an additional 15% of the submissions include language describing similar concepts without using the term data localization – such as return the EU commerce and society to a “pre-internet era,” [3] transform the EU into a “digital island,” [4] and “balkanize global data flows.”[5]
Reflecting these comments, this article highlights five themes:
- Many of the effects of the Guidance would have adverse impacts specifically on the EU and its economy.
- Although not a stated goal, implementation of the Guidance would result in widespread data localization.
- The Guidance would have negative sector-specific effects.
- Across sectors, the Guidance would have pervasive, negative effects on current business operations.
- The Guidance would have broad effects on EU cross-border data flows, entirely apart from the much-discussed data flows between the EU and the US.
This article provides a brief background of the Schrems II decision issued by the Court of Justice of the European Union (CJEU) in July, 2020, which was followed by the November EDPB Guidance. It then provides the first description, so far as we are aware, of the public comments and their statements concerning data localization. The discussion here is part of our larger project on data localization, including the comments we submitted to the EDPB in December, and published by the IAPP in January.[6]
As we completed this study, the Portuguese data protection authority ordered Statistics Portugal, in carrying out the national census, to suspend processing of personal data in any third country that lacks adequate privacy protections, including the United States.[7] According to the April 27 order, Statistics Portugal had not conducted a sufficient Data Protection Impact Assessment, or provided for adequate additional safeguards in use of standard contractual clauses. Statistics Portugal was therefore ordered to suspend processing by its service provider, Cloudflare, within 12 hours of the decision.
The Portuguese decision lends new urgency to concerns that the European Union is moving towards data localization, with the decision noting that other countries in the Cloudflare network included China, India, Mexico, and Russia.
Background: The Schrems II decision and data localization
The CJEU decision in Schrems II is the latest milestone in a long-running debate about the extent to which European data protection does or should prohibit flows of personal data to most third countries (countries outside of the EU). A limited number of countries, including some smaller countries as well as Argentina, Israel, Japan, New Zealand, Switzerland, and Uruguay, have received a formal “adequacy” decision enabling generally the transfer of personal data from the EU.[8]
In its comment to the EDPB, the privacy organization noyb.com explained that the “default position” under EU law for the last 25 years – beginning with the 1995 European Data Protection Directive and continuing with the strengthened General Data Protection Regulation (GDPR) – has been a “de facto” “export ban for personal data” leaving the EU unless certain protections of fundamental rights under European law are met.[9]
In contrast to a general export ban, EU law and practice have also allowed cross-border commerce to continue, including the EU/US bilateral trade and investment partnership valued at about 6 trillion Euros.[10] Swire – one of the authors of this article – discussed these ongoing transfers in his 1998 book entitled “None of Your Business: World Data Flows, Electronic Commerce, and the European Privacy Directive.” Swire and his co-author wrote then: “common sense suggests that these organizations [in countries without an adequacy decision] should have a way to share information between their European and other operations when good privacy protections are in place. The opposite approach, a ban on transfers, would create economic harm in Europe and elsewhere and would lend credence to fears that the privacy laws are being used in a protectionist way to keep out non-European business.”[11]
The Schrems II decision struck down the EU Commission’s finding that the EU/US Privacy Shield offered adequate protection. It also cast significant doubt on the feasibility of transferring personal data based on Standard Contractual Clauses (SCCs), unless “supplemental measures” were in place to protect the data. The EDPB Guidance addressed specifically its understanding of what supplemental measures would provide the required level of protection. Without an adequacy decision in place, the EU and the U.S. have recently announced that they are “intensifying” efforts to reach a new accord.[12] Because the Schrems II decision applies generally to third countries, the potential impacts of the Schrems II decision are global in nature, except for the limited number of countries that have an EU “adequacy” decision.[13]
- Many of the effects of the Guidance would have adverse impacts specifically on the EU and its economy.
Commenters stated that data localization would have both specific and more general adverse impacts on the EU and its economy.
More specifically, Allied for Startups, Dutch Confederation of Dutch Industries and Employees, Federation of European Direct and Interactive Marketing (FEDMA), and Vodaphone expressed concerns that data localization will have overall consequences for the EU, including how the Guidance could: adversely impact competitiveness of the EU; sever the EU from expertise and technology; negatively affect growth of the EU start-ups and SMEs; and isolate the EU related to international cooperation.
– Detrimentally impact competitiveness of the EU – “We remain united by our vision and commitment for a strong and competitive Europe and we fear Europe cannot remain competitive if localisation of data becomes a widespread practice.”[14]
– Negatively affect growth of the EU start-ups and SMEs – “Digital development and globalisation should not suddenly be scaled back in the name of localisation. This will only deprive startups and SMEs of the best possibilities for onboarding efficient services, increase competitiveness, scale up and grow.”[15]
–Raise data hosting costs – British American Business estimated that “[l]ocalization requirements … increase data hosting costs by 30 to 60%.”[16]
-Sever the EU from expertise and technology – “Data localisation will sever European companies from the expertise and technology underlying the resilience, reliability and security of global supply chains with additional negative impacts to the global digital agenda across all European companies.” [17]
– Isolate the EU related to international cooperation – “These recommendations will isolate the EU in terms of data transfers, trade, research and international cooperation. They send a general message of distrust and will encourage data localization.”[18]
More generally, TechUK cautioned: “If implemented, the Recommendations will threaten the perception of the EU as open digital economy by introducing de facto data localisation through strict regulatory recommendations.”[19] The Centre for Information Policy Leadership (CIPL) added that data localization “would, in turn, trigger substantial economic and social disruption, in particular in the EU, and would be seen as incompatible with the GDPR objectives.”[20] CIPL noted that “while a limited number of the services … might, in principle, continue with some form of data localisation, such services likely will be degraded and/or would become economically prohibitive or non-viable without effective cross-border data flows.”[21]
- Although not a stated goal, implementation of the Guidance would result in widespread data localization.
As mentioned above, approximately 25% of the comments submitted to the EDPB expressed concern that the Draft Guidance would result, in practice, in data localization. Many of these comments focused on use cases 6 and 7 in the Guidance. The first five use cases, authorizing transfers, all involved situations where effective encryption or similar technical measures are in place. By contrast, a very wide range of actual transfers involve situations where a person in the third country can access personal data. Use case 6 covers “Transfer to cloud service providers or other processors that require access to data in the clear.” As CIPL stated in its comment, use case 6 “covers the situation where an exporter uses a cloud service provider to have data processed according to its instructions in a third country.”[22] Use case 7 covers “Remote access to data for business purposes,” which the same commenter said “covers the situation where an exporter makes data available to entities in a third country to be used for shared business purposes by the same group of undertakings.”[23]
The EDPB concluded that use cases 6 and 7 are “scenarios in which no effective measures could be found.” French legal scholar Théodore Christakis thus concluded that the “EDPB Guidance seems nonetheless to prohibit almost all such transfers when the personal data is readable in the third country.” In other words, under the Guidance, personal data must generally be localized, for situations where a person in the third country could actually understand the data.
- The Guidance would have negative sector-specific effects.
To date, much of the commentary within the EU has focused on data flows concerning the largest digital platforms. Based on use case 6 and the comments, cloud providers and digital platforms would indeed be affected, but so would numerous other sectors. The submissions of BritishAmerican Business, CIPL, and the authors of this blog detail specific sectors other than digital platforms impacted by the Guidance. These sectors with significant cross-border data flows include;
– Financial Services – Examples include:
– “users paying foreign merchants or transferring funds outside of their region.”[24]
– “Travel agents or other companies in the EU may receive payment, in whole or in part, and then communicate payment status to the U.S. hotel. … Alice may have a credit card or other method of payment on file in the EU, and wish to use it easily in the U.S. … Alice may have a branded credit card, such as an airline miles card, so personal data about her trip goes to the airline as well as the credit card company.”[25]
– Nonprofit organizations – Examples include:
– “international NGOs and charities collaborating on crossborder initiatives on a daily basis to prepare the channels that enable international response, conducting of research in their areas and understanding of global trends.”[26]
– International educational institutions – Examples include:
– “users enrolling in distance online learning courses with international universities and educational institutions.”[27]
– “EU-based universities and other research institutions engaging in collaborative research with institutions and organisations around the world.[28]
– International conferences – Examples include:
– “users registering for global online webinars/events.”[29]
– “users recording conferences and other online meetings.”[30]
– Research for pharmaceuticals and medical devices – Examples include:
– “limit vital activities such as communications between colleagues across borders, researchers and public health officials sharing data to fight COVID-19 …”[31]
– “global healthcare research relies on global data sets and international clinical medical trials are necessary to advance medicine and monitor the safety and effectiveness of existing medicine.”[32]
– Business and leisure travel – Examples include:
– “users booking vacations through domestic agents who send customer information to foreign hotels and airlines to secure bookings.”[33]
– “Consider an individual in the EU booking a hotel room in the U.S., an example provided by the prominent privacy organisation noyb. … Along with this direct booking request for a hotel room, there likely would be a number of other data flows, occurring in the background and often not visible to Alice”, such as “existing customer records” “payment information;” and “accounting and anti-fraud.”[34]
- Across sectors, the Guidance would have pervasive, negative effects on current business operations.
The pervasive effects on current business operations were included in comments from entities including BritishAmerican Business, CIPL, Danish Entrepreneurs, DigitalEurope, European Games Developer Federation (EGDF), French Insurance Federation (FFA), and TrustArc , as well as our own submission. Important categories of effects include: 1) core business functions, 2) technical support; 3) background processing; and 4) ability to provide cybersecurity and fraud detection.
– Core Business Functions – Examples of core business functions that could be impacted include: HR records, remote working, paying salaries, communications between employees.
– “a simple scenario whereby a French parent company uses a centralised HR service based in France that is shared with its US and Asian subsidiaries.” [35]
– “working from home (which can be located anywhere in the world) has become the new normal under COVID-19 and is likely to remain so after the crisis.”[36]
– “payment of salaries for remote employees.”[37]
– “sending intra-company emails or other messages.”[38]
– “employees sharing e-mails containing personal data – a copy of these e-mails will likely be resident on the recipients server. ”[39]
– “the branch of a EU company in the U.S. requiring access to the agenda or customer file of its EU employees in order to communicate and share information with people globally.”[40]
– “rely[ing] on central systems infrastructure and services procured by the parent company/head office and managed and supported by specialised teams, which might be located at the parent company/head office (e.g. HR, Centralised Information Security systems, IT systems, privacy management systems that are hosted, supported, managed and accessed by a specialist team) using SaaS vendor.”[41]
– “relying on many global service providers that provide communication services (email, videoconferencing, etc.) or money transfers that must access personal data to deliver these services.”[42]
– “employees using certain company tools or infrastructure, such as accessing company training programs.”[43]
– Technical support – The impacts to technical support include: inability to outsource services; difficulties providing 24-hour customer service; and lack of back-up services.
– “outsourcing customer service functions throughout their global offices with ‘follow the sun’ service … EU HR, accounting, customer support, IT maintenance.”[44]
– “offering around the clock customer service.”[45]
– “protecting users from service interruptions through distributed networks in other regions that enable back-up services; enhancing users’ troubleshooting options by providing technical support services from outside the users’ region.”[46]
– “the growing diversity of data uses and emergence of new business models trigger more complex and dynamic relationships between organisations across different regions.”[47]
– “make 24/7 customer support models difficult as assistance could not be anymore provided by
teams based on different time zones.”[48]
- “[m]aintenance services for many essential IT tools, both hardware and software, usually have several levels of intervention, some of which, the most critical, are carried out from the United States.”[49]
– Background Processing – In connection with specific purchases or other data processing, the following background processing could be disrupted: cloud services; money transfers; booking travel; shopping online; gaming online, communicating online, and health-related wearables.
– “money transfers that must access personal data to deliver these services.”[50]
– “users booking vacations through domestic agents who send customer information to foreign hotels and airlines to secure bookings.”[51]
– “organisations connecting with customers and suppliers, providing information, taking and placing orders, and facilitating the delivery of products and services.”[52]
– “users participating in online multiplayer gaming and gaming chatrooms.”[53]
– “data flows enabling users to communicate, see or share posts across their global network of connections.”[54]
– “users using wearables connected with health and wellness apps to connect with other users, share health statistics and participate in fitness challenges.[55]
– Cybersecurity and Fraud Prevention – The ability to ensure effective cybersecurity and fraud prevention could be impacted:
– “users benefiting from greater security because data is spread out over servers in different parts of the world to keep data secure, and personal data is shared for fraud detection purposes.”[56]
– “implies economic costs, risks of cybersecurity and inconsistencies between policies.”[57]
– “limit vital activities such as … financial services firms leveraging global platforms to detect and combat fraud and money laundering.”[58]
– “Restricting the global free-flow of data is thus tantamount to unilateral disarmament in data security by the good side.”[59]
– “information can be an important component of defending against and responding to cyber-attacks. The respected Internet Society has stated, for instance, that ‘Cybersecurity may suffer as organisations are less able to store data outside borders with the aim of increasing reliability and mitigating a wide variety of risks including cyber-attacks and national disasters.’”[60]
- The Guidance would have broad effects on EU cross-border data flows, entirely apart from the much-discussed data flows between the EU and the US.
Much of the public debate post-Schrems II has focused on data flows between the EU and US. The case, however, explicitly applies to all “third countries” that lack an adequacy decision, thus including China, India, and other major EU trading partners. Concerning these effects on China and other third countries, noyb and our own writing reach similar conclusions. Noyb stated: “In certain cases technical measures may be able to overcome surveillance. …Without such approaches, international data transfers would in many situations become illegal, as third countries that do not adhere to minimum standards of rule of law, democracy, or human rights, would be able to undermine transfers between even the most well-intentioned third countries and the EEA.” [61] Based on a 2019 study by the authors here, China does not adhere to the European standards of rule of law, democracy, or human rights.[62]
The effects on EU-China trade alone are large. As of 2021, China is the EU’s largest trading partner: “Trade between China and the EU was worth $709bn (€586bn, £511bn) last year, compared with $671bn worth of imports and exports from the US.”[63] During the pandemic, China signed a major trade agreement with EU, under which “European firms will gain permission to operate in China in electric cars, telecom cloud services and certain activities linked to air and maritime transport, such as ground handling.” [64] As illustrated further in examples below, the Guidance would appear to put at risk much cross-border economic activity with China. PrivacyRules’ comments highlighted similar risks for EU trade with India.[65]
The comments from TechUK highlighted the risk that EU data localization could lead to retaliation against the EU by third countries: “With these Recommendations, the EU risks retaliation from other jurisdictions while also potentially incentivising further data localisation and restrictions on internet access in other parts of the world. This would be a negative outcome for the global digital economy, while also undermining the wider public policy goals of the EU and potentially leading to a number of concerning human rights and privacy consequences.”[66]
DigitalEurope’s comments provided specific case studies about impacts on EU businesses that wanted to engage in business ventures with entities located in third countries:
– Use of cloud service provider by European manufacturing company with factory for industrial parts in Mexico with market for parts in the U.S. – “A European manufacturing company has a factory in Mexico which manufactures parts for the US industrial market. In an effort to improve production, working with the chief technology officer’s team in the European headquarters, the company deploys an IoT operating system (OS) using a US cloud service provider, which it has selected because it allows quick and scalable deployment. The company’s customers and partners – which may be based in Europe, Mexico or the US – can access the OS through an application programming interface (API) in order to develop applications based on it; to this end, they also have direct access to the cloud provider’s collaboration tools. These operations involve access to data in the clear on the part both of the company’s customers and partners and of the cloud service provider. Because such data includes, among others, the personal data of the company’s European employees, customers and partners, under use case 6, the company concludes that no effective technical measures exist and is forced to stop deployment of the solution, resulting in immediate loss of business for the coming year. The company is unsure whether it will be able to select another cloud provider that meets its business requirements during the following years, and may have to abandon the project and associated revenue indefinitely.” [67]
– Remote access to data for joint venture between China and Germany businesses to build a car – “A major European carmaker has set up a joint venture in China, which is by far the main market for the company. The Chinese plant manufactures cars for the entire Asia-Pacific market. A Sino-German team must work together throughout the manufacturing design process. Vehicle designs, models and specifications need to flow from Europe to the Chinese entity, along with the HR information of the European employees. Under use case 7, in light of concerns about Chinese state and public security laws and the fact that the data must be available to the Chinese entity in the clear, the European company concludes that no effective technical measures exist and is forced to stop the Chinese manufacturing process. This costs the company close to €15 billion in revenue the first year alone.” [68]
– HR records remotely shared between French parent company and its subsidiaries outside the EU – “As the draft Recommendations explain, remote access from a third country is also considered a data transfer. This situation could involve a simple scenario whereby a French parent company uses a centralised HR service based in France that is shared with its US and Asian subsidiaries. Although the data is only stored in servers in France, these are still transfers under the GDPR. The French company and its subsidiaries each act as controllers for the independent purposes they pursue and the French HR service acts as processor for all of them.”[69]
Conclusion
This article has summarized the discussion of data localization, in practice, by approximately 25% of all the comments to the EDPB on its draft Guidance. For many current practices, the comments indicate that organizations are concerned that implementation of the Guidance would require data localization. In addition, the effect of legal requirements similar to the Guidance will be a reason for organizations to reduce legal risk by adopting localization even where localization is not necessarily required. The decision in Portugal on April 27 means that regulators and organizations that process personal data will be considering data localization issues with new urgency.
The purpose of this article, instead of proposing specific legal changes, is to make the contents of the comments accessible to a broader range of readers. With that said, we close with two observations based on the comments.
First, data localization in the EU would quite possibly promote data localization elsewhere in the world that would ultimately undermine data protection rights outside the EU. EU statements historically have often promoted an open digital economy, but other countries would see these current EU actions as supporting localization. In particular, data localization has long been touted as a means for law enforcement authorities to ensure speedy, direct, and unrestricted access to personal data – data that today is often stored in a different country, under more stringent data protection laws that restrict government access to data. In this context, data localization carries the inherent risk of creating “national” Internets. In countries that lack minimum standards of rule of law, democratic processes, and protections for human rights, these “national” internets would have the possibility to act as a tool to suppress fundamental rights and civil liberties, including privacy. An unintended effect of the Guidance may thus be to worsen data protection globally.
Second, although we do not track precise statistics, a recurring recommendation from the overall comments is to adopt a “risk-based” approach when assessing transfers to third countries.[70] For example, many organizations have never received a foreign intelligence request, and many types of personal data are of little or no interest to national security agencies.[71] Organizations thus could conduct transfer impact assessments, adapting supplemental safeguards and use of derogations to the particular data transfer.
In closing, whether or not there has been any intention to promote data localization in the EU, the public comments indicate a widely-shared and well-documented concern that implementing the Guidance would indeed result in widespread data localization.
[1] Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, European Data Protection Board, https://edpb.europa.eu/our-work-tools/documents/public-consultations/2020/recommendations-012020-measures-supplement_en The comment period opened on November 11, 2020 and closed on December 21, 2020.
[2] One author, DeBrae Kennedy-Mayo, personally reviewed approximately 175 of the 195 comments submitted to the EDPB for Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data. Our thanks to colleague Michael Young who initially reviewed the roughly 20 comments submitted by entities in the financial sector. Kennedy-Mayo and Swire collaborated in drafting this document. We note that Kennedy-Mayo’s review of approximately 5 comments was simply to note that the document was submitted in a language other than English. We apologize that the details of those comments are beyond the resources of our project.
[3] AMETIC (Spain), Employers of Poland (Poland), and Polish Confederation Lewiatan (Poland) express concern that adoption of the Recommendations as written would revert both the European economy and its society to a pre-internet era.
-AMETIC (Spain): “The Recommendations will make it highly risky for EU companies to engage in commerce with non-EU customers or partners, for researchers to share information with foreign colleagues, for companies with non-EU offices or personnel to communicate with them online, or to engage in countless other routine and necessary operational tasks. If adopted, they will force many aspects of EU commerce and society into a pre-Internet era, and/or isolate Europe from the global economy. The potential negative effects on EU competitiveness, innovation, and society are enormous.” Comment 12, P. 2.
-Employers of Poland (Poland): “As a result, the Recommendations will make it highly risky for EU companies to engage in commerce with non-EU customers or partners, for researchers to share information with foreign colleagues, for companies with non-EU offices or personnel to communicate with them online, or to engage in countless other routine and necessary operational tasks. If adopted, they will force many aspects of EU commerce and society into a pre-Internet era, and/or isolate Europe from the global economy. The potential negative effects on EU competitiveness, innovation, and society are unprecedented.” Comment 11, P. 2.
– Polish Confederation Lewiatan (Poland): “Today, practically no organisation, irrespective of sector, would be able to do business, let alone take part in international trade, without the ability to transfer data crossborders. Data flows play an invisible but structural role in the delivery of products and services that EU citizens rely upon in day-to-day life. The Recommendations, if adopted, will force many aspects of EU commerce and society into a pre-internet era, and isolate Europe from the global economy and have potential negative effects on EU competitiveness, innovation, and society are enormous.” Comment 105, P. 1.
[4] U.S. Chamber of Commerce (U.S.): “In transforming the EU into a ‘digital island,’ the Recommendations would cause significant disruptions to international commerce and to the goods, services, and research that Europeans rely on. They may also disincentivize foreign firms from employing EU citizens or investing in Europe, as companies may be unable to transfer EU employee data in a personally identifiable form to their headquarters or global services centers outside of Europe. Furthermore, the EDPB’s measures would undermine the ability of EU institutions and member states to pursue a range of other legitimate public policy objectives, such as transatlantic law enforcement and security cooperation, which often benefits from the ability of companies to identify bad actors and notify authorities, resulting in prosecutions.” Comment 63, P. 2-3.
[5] City of London Law Society (U.K.): “The Recommendations may therefore be read as implementing a broader data localisation agenda by having such onerous expectations in place. We would note that this is not the intention of the GDPR and threatens to ‘Balkanise’ global data flows.” Comment 155, P. 6.
[6] Peter Swire & DeBrae Kennedy-Mayo, “Hard Data Localization May be Coming to the EU – Here are 5 Concerns,” IAPP (Jan. 26, 2021), https://iapp.org/news/a/hard-data-localization-may-be-coming-to-the-eu-here-are-five-concerns/
[7] “2021 Census: CNDP Suspends Flows to the U.S.A.,” CNDP (Apr. 27, 2021), https://www.cnpd.pt/comunicacao-publica/noticias/censos-2021-cnpd-suspende-fluxos-para-os-eua/ (with link to order in Portuguese). For an English translation of the order as well as an English summary of the order, see CNPD – Deliberacão/2021/533, GDPRHub, https://gdprhub.eu/index.php?title=CNPD_-_Delibera%C3%A7%C3%A3o/2021/533
[8] Current countries with adequacy decisions: Andorra, Argentina, Canada (commercial organizations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, and Uruguay. Adequacy talks concluded with South Korea in March 2021; the European Commission will now launch the decision-making procedure. Adequacy Decisions, European Commissions, https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en
[9] noyb (Austria): “It may be useful to recall at the outset that for 25 years, the default position under EU law (first Directive 95/46 and now the GDPR) has been that personal data cannot be transferred to third countries. The European Legislator has de facto established an export ban for personal data – with various exceptions to that default rule. Obviously this position may be criticized and is largely ignored in relation to certain third countries, but is nevertheless the current state of the law. Its rationale is not one of protectionism, but one of necessary protection of the Unions’ Fundamental Right to Data Protection, which would be instantly undermined when data leaves the EU/EEA to jurisdictions without proper protections.” Comment 169, P. 2.
[10] “Cross-border data flows between the United States and the European Union are the largest in the world and underpin a 5.9 € ($7.1) trillion bilateral trade and investment partnership.” The App Association (ACT) (Belgium), Comment 13, P. 4 (citing U.S. Secretary of Commerce Wilbur Ross Statement on Schrems II Ruling and the Importance of EU-U.S. Data Flows, July 16, 2020, https://useu.usmission.gov/u-s-secretary-of-commerce-wilbur-ross-statement-on-schrems-ii-ruling-and-the-importance-of-eu-u-s-data-flows/ )
[11] Peter Swire and Robert Litan, “None of Your Business: World Data Flows, Electronic Commerce, and the European Directive,” P. 17, Brookings Institute (1998), https://www.brookings.edu/wp-content/uploads/2013/01/None-of-Your-Business.pdf. Chapter 8 of the book examined the interaction of data protection law and the global trading regime. In comments to the EDPB, numerous companies raised concerns that the EDPB recommendations created trade issues. Association of Commercial Television in Europe (ACT) (Belgium), Comment 132, P. 2; Confederation of Industry in the Czech Republic (Czech Republic), Comment 94, P. 5; European Association of Television and Radio Sales Houses, Comment 104, P. 3; Federation of European Direct and Interactive Marketing (FEDMA) (Belgium), Comment 46, P. 1; National Retail Federation (NRF) (U.S.), Comment 48, P. 3; Software and Information Industry Association (SIIA) (U.S.), Comment 124, P. 3; techUK (UK), Comment 130, P. 4; U.S. Chamber of Commerce (U.S.), Comment 63, P. 2.
[12] Intensifying Negotiations on Transatlantic Data Privacy Flows: A Joint Press Statement by European Commissioner for Justice Didier Reynders and U.S. Secretary of Commerce Gina Raimondo, European Commission (Mar. 25, 2021), https://ec.europa.eu/commission/presscorner/detail/en/statement_21_1443
[13] In 1998, Swire and his co-author wrote, “The Directive could have far-reaching effects on business practices within the United States and other ‘third countries” (countries that are not part of the European Union). Mainframes and Web sites in the United States might be cut off from data from Europe. Marketing and management practices that are routine in the United States might be disrupted.” Peter Swire and Robert Litan, “None of Your Business: World Data Flows, Electronic Commerce, and the European Directive,” P. 3, Brookings Institute (1998), https://www.brookings.edu/wp-content/uploads/2013/01/None-of-Your-Business.pdf
[14] Dutch Confederation of Dutch Industries and Employees (Netherlands), Comment 92, P. 4.
[15] Allied for Startups (Belgium), Comment 28, P. 1 (linking to “Open Letter: Commit to Data Flows & Back it Up with Action, Allied for Startups,” P. 1, https://alliedforstartups.org/2020/10/08/open-letter-commit-to-data-flows-back-it-up-with-action/).
[16] BritishAmerican Business (UK), Comment 103, P. 2-3.
[17] Vodaphone (UK), Comment 117, P. 1.
[18] Federation of European Direct and Interactive Marketing (FEDMA) (Belgium), Comment 46, P. 1.
[19] TechUK (UK), Comment 130, P. 9.
[20] CIPL (Belgium), Comment 128, P. 6.
[21] CIPL (Belgium), Comment 128, P. 6.
[22] CIPL (Belgium), Comment 128, P. 29.
[23] CIPL (Belgium), Comment 128, P. 30.
[24] CIPL (Belgium), Comment 128, P. 7.
[25] Swire and Kennedy-Mayo (U.S.), Comment 170, P. 5.
[26] CIPL (Belgium), Comment 128, P. 8.
[27] CIPL (Belgium), Comment 128, P. 7.
[28] CIPL (Belgium), Comment 128, P. 7.
[29] CIPL (Belgium), Comment 128, P. 7.
[30] CIPL (Belgium), Comment 128, P. 7.
[31] BritishAmerican Business (UK), Comment 103, P. 2-3.
[32] CIPL (Belgium), Comment 128, P. 7.
[33] CIPL (Belgium), Comment 128, P. 8.
[34] Swire and Kennedy-Mayo (U.S.), Comment 170, P. 4-5.
[35] DigitalEurope (Belgium), Comment 158, P. 8.
[36] CIPL (Belgium), Comment 128, P. 7.
[37] TrustArc (Netherlands): “Given the Schrems-II decision and various statements by data protection authorities with regard to U.S. surveillance laws, this would for example mean that data flows between the EEA and the U.S. would become almost, if not completely, impossible. In our view, that position is unwarranted, since it would be detrimental to even the most basic needs of the global digital economy, like the payment of salaries for remote employees …” Comment 145, P. 2.
[38] BritishAmerican Business (UK), Comment 103, P. 2.
[39] CIPL (Belgium), Comment 128, P. 7.
[40] CIPL (Belgium), Comment 128, P. 7.
[41] European Games Developer Federation (EGDF) (Sweden), Comment 179, P. 5.
[42] Danish Entrepreneurs (Denmark), Comment 30, P. 1.
[43] CIPL (Belgium), Comment 128, P. 7.
[44] CIPL (Belgium), Comment 128, P. 8.
[45] TrustArc (Netherlands): “Given the Schrems II decision and various statements by data protection authorities with regard to U.S. surveillance laws, this would for example mean that data flows between the EEA and the U.S. would become almost, if not completely, impossible. In our view, that position is unwarranted, since it would be detrimental to even the most basic needs of the global digital economy, like … offering round-the-clock customer service.” Comment 145, P. 2.
[46] CIPL (Belgium), Comment 128, P. 8.
[47] CIPL (Belgium), Comment 128, P. 8.
[48] European Games Developer Federation (EGDF) (Sweden), Comment 179, P. 5.
[49] French Insurance Federation (FFA) (France), Comment 37, P. 1.
[50] Danish Entrepreneurs (Denmark), Comment 30, P. 1.
[51] CIPL (Belgium), Comment 128, P. 8.
[52] CIPL (Belgium), Comment 128, P. 7.
[53] CIPL (Belgium), Comment 128, P. 7.
[54] CIPL (Belgium), Comment 128, P. 7.
[55] CIPL (Belgium), Comment 128, P. 8.
[56] CIPL (Belgium), Comment 128, P. 8.
[57] MyData-TRUST (Belgium), Comment 45, P. 2.
[58] BritishAmerican Business (UK), Comment 103, P. 2-3.
[59] CIPL (Belgium), Comment 128, P. 25.
[60] Swire and Kennedy-Mayo (U.S.), Comment 170, P. 6, citing “Internet Way of Networking Use Case: Data Localisation,” Internet Society (Sep. 30, 2020), https://www.internetsociety.org/resources/doc/2020/internet-impact-assessment-toolkit/use-case-data-localization/
[61] “We have therefore always highlight that in certain cases technical measures may be able to overcome surveillance. These are indeed required under Article 32 GDPR as a bare minimum, in particular when data is transmitted on the internet – an inherently open and unsecure system. Without such approaches, international data transfers would in many situations become illegal, as third countries that do not adhere to minimum standards of rule of law, democracy, or human rights, would be able to undermine transfers between even the most well-intentioned third countries and the EEA.” P. 1.
[62] Peter Swire, “The U.S., China, and Case 311/18 on Standard Contract Clauses,” European Law Blog (July 15, 2019), https://europeanlawblog.eu/2019/07/15/the-us-china-and-case-311-18-on-standard-contractual-clauses/; Annotated Bibliography on Chinese Surveillance and European Union Data Privacy (2019), https://fpf.org/wp-content/uploads/2019/07/Peter-Swire-le-monde-annotated-bibliography.pdf
[63] “China Overtakes US as EU’s Biggest Trading Partner,” BBC News (Feb. 17, 2021), https://www.bbc.com/news/business-56093378#:~:text=China%20is%20now%20the%20EU’s,to%20the%20Covid%2D19%20pandemic
[64] Philip Blenkinsop, “EU Agrees Investment Deal with China to Rebalance Ties,” Reuters (Dec. 30, 2020), https://www.reuters.com/article/us-eu-china-trade/eu-agrees-investment-deal-with-china-to-rebalance-ties-idUSKBN2941AP
[65] PrivacyRules (U.S.), Comment 183, P. 5.
[66] TechUK (UK), Comment 130, P. 10.
[67] DigitalEurope (Belgium), Comment 158, P. 8.
[68] DigitalEurope (Belgium), Comment 158, P. 7.
[69] DigitalEurope (Belgium), Comment 158, P. 8.
[70] Here is a sampling of those comments that discussed a risk-based approach (regardless of whether data localization or a similar concept was mentioned): Avast s.r.o. (Czech Republic), Comment 66, P. 1-4; CGI Inc (Canada), Comment 62, P. 3-4; Confederation of Swedish Enterprise (Sweden), Comment 56, P. 1-3; European Broadcasting Union (Switzerland), Comment 40, P. 1-2; Federation of European Direct and Interactive Marketing (FEDMA) (Belgium), Comment 46, P. 1-2; Interactive Advertising Bureau Poland (IAB Poland) (Poland), Comment 53, P. 1-2; Interactive Software Federation of Europe (ISFE) (Belgium), Comment 54, P. 3; MEDEF (France), Comment 39, P. 3; Telefonica (Spain), Comment 57, P. 2-3; U.S. Chamber of Commerce (U.S.), Comment 63, P. 1-2.
[71] See MyData-TRUST (Belgium), Comment 45, P. 1-2, 6; National Retail Federation (NRF) (U.S.), Comment 48, P. 2; EuroCommerce (Belgium), Comment 192; P. 2.
These statements are attributable only to the authors, and their publication here does not necessarily reflect the view of the Cross-Border Data Forum or any participating individuals or organizations.