On October 4, the Cross-Border Data Forum (CBDF) hosted an in-person and videotaped event on “Rationalizing U.S. Cross-Border Data Policy Across the EU, China, and Global CBPRs.” The event featured notable experts on cross-border data issues, many of whom have served in senior government positions on this topic. The event was co-hosted by Alston & Bird, LLP.
One reason for the event is that often discussions are held in silos, such as with China experts or experts in the European Union. In this event, the first of its kind, the focus instead was on how lessons from regional policy debates could inform an emerging consensus on how to proceed globally on cross-border flows of personal data, while protecting privacy and fundamental rights.
The author (Swire) moderated three panels, each kept strictly to 30 minutes.
The panel on U.S./China data policy featured two speakers. Samm Sacks is a noted China expert, a CBDF Senior Fellow, and also associated with New America and the Paul Tsai China Center at Yale. Peter Harrell until the end of 2022 was Senior Director for International Economics and Competitive in the White House National Security Council and National Economic Council. In that position, he played a key role in U.S./China data policy.
Sacks discussed the history of recent data policy from the Chinese side. China has passed multiple, strict data security and privacy laws limiting transfers of personal data abroad. Sacks highlighted that this fall there has been an apparent shift in China’s policy. Perhaps due to its economic downturn, new proposed guidance appears to authorize companies to make a greater range of data exports, without specific licenses that have been difficult to obtain.
Harrell provided what he called a “Washington perspective.” Based on his recent White House experience, Harrell described actions taken by the Trump and Biden administrations to set limits on transfers of personal information from the U.S. to China. He also discussed current Congressional proposals. For further background on these issues, see the 2023 articles by Sacks and Swire, published at CBDF (longer version) and Lawfare (shorter version).
The panel on U.S./EU data policy had two speakers. Alex Greenstein is the Director of the EU/U.S. Data Privacy Framework program at the U.S. Department of Commerce. Kenneth Propp is a Senior Fellow at the Cross-Border Data Forum and the Atlantic Council, and former legal counselor to the U.S. Mission to the European Union.
Greenstein explained recent U.S. government actions for data policy with respect to Europe. He discussed the negotiations that resulted in the EU/U.S. Data Privacy Framework (DPF), and noted ongoing efforts to conclude similar agreements with the United Kingdom and Switzerland. He also commented on the 2022 OECD Declaration on Government Access to Personal Data Held by Private Sector Entities.
Propp provided his insights about how key European actors, including the Court of Justice of the European Union, may respond to the Data Privacy Framework. Although Propp says the DPF is clearly a “good faith effort” to meet European law standards, especially concerning redress, he concludes the outcome of a legal challenge is “not without doubt.” Further detail on the redress issue is in multiple CBDF publications, including this article discussing the Data Privacy Framework as issued in October, 2022.
Joe Jones was the keynote speaker for the third panel, on global data flows and the Cross-Border Data Rules (CBPRs). Jones is now Director for Research and Insights for the International Association of Privacy Professionals. He previously was Deputy Director for International Data Transfers in the U.K. government. Recently Jones became Senior External Advisor for the Cross-Border Data Forum.
Jones examined the history of “adequacy” determinations, as the basis for lawful transfers of personal data across border. He documented the proliferation of adequacy-style determinations, so that today almost 80 countries in addition to the EU have the power to make adequacy decisions. (See his infographic on adequacy here.) Jones stated that the adequacy approach “does not scale up.” Jones next examined other candidates for organizing frameworks for cross-border flows, including Convention 108+. He mentioned that he previously had been skeptical of CBPRS; however, he now sees them as one promising path, if updated appropriately, for increasing global data flows while also protecting privacy.
In the group discussion, Greenstein noted U.S. government support for CBPRs, including as one avenue for data-related trade in Asia. Jones noted how impractical it is for 60 or 100 countries each to do adequacy determinations for the other 60 to 100 countries; thus, multilateral approaches are increasingly necessary. Multiple panelists agreed that a comprehensive U.S. privacy law would ease some of the current difficulties concerning cross-border transfers. Each panelist also offered overall comments on paths forward for international transfers.
These statements are attributable only to the author, and their publication here does not necessarily reflect the view of the Cross-Border Data Forum or any participating individuals or organizations.