A new wave of enforcement actions by EU data-privacy authorities could endanger the internet as we know it.
In their zeal to intervene, regulators have lost all sense of proportion and context. They are willing to sacrifice the immense economic and social benefits from technological exchange on the altar of privacy absolutism, potentially denying Europeans access to online services offered by US businesses. However, there is still hope that the courts and public officials will act responsibly and undo the impending damage.
It all hinges on the Schrems II case back in 2020, when the European Court of Justice concluded that US law doesn’t provide sufficient procedural safeguards for Europeans. The national data-privacy authorities of EU member states are now engaged in what appears to be a co-ordinated enforcement action to use the Schrems II judgment as justification for blocking transfers of personal data from the EU to the US.
More precisely, the authorities justify their actions based on a caricature of the Court’s jurisprudence and EU law, using the Schrems II judgment as a pretext to dispense with fundamental principles of proportionality and risk-based application of privacy law.
This new wave of enforcement actions has thus far been focused on Google Analytics, a popular service that provides website owners with usage statistics. Google Analytics does not collect what would intuitively be deemed personal data, such as names or email addresses. It is debatable whether it even collects personal data in the very broad sense defined by EU privacy law.
That’s why the focus on Google Analytics should be particularly alarming: if even this service violates EU privacy law, it will be very hard to find online services offered by US companies that process the data of Europeans lawfully. Both business and consumer-orientated services would be affected.
The scope of this ‘decoupling’ will be even wider if authorities ultimately interpret EU privacy law on the export of personal data to apply even when the data doesn’t leave the EU, but is merely processed by a subsidiary of a foreign company. This contentious and radical interpretation has been proposed in some quarters, on the grounds that the foreign company would have at least the theoretical capacity to access the data. Should this view prevail, even moving data centres to the EU may not be enough to satisfy the terms of the GDPR.
The reason given for this radical interpretation is that, under US law, domestic companies could be compelled to provide American intelligence agencies with access to consumer data.
Unfortunately, the EU privacy authorities involved in the new enforcement wave appear uninterested in changes to US law and practice that have occurred since Schrems II or that may occur in the near future. They similarly do not seem interested in case-specific assessments of the risk that data will be subject to compulsory access under US law. Those and other legal failings of the enforcement actions should (but may not) doom them before both national and EU courts.
It will probably take political action to find a lasting solution to the tension between the ambitions of some European privacy advocates and the interest of Europeans in continuing our close technological relationship with the United States. It has been reported that a new transatlantic deal to replace the one invalidated in Schrems II is imminent. This is welcome as the new wave of enforcement actions by national privacy authorities shows the urgency of finding a solution.
Ultimately, however, those urging a radical interpretation of GDPR are unlikely to be satisfied with any agreement that emerges. It will be incumbent on courts and elected officials to demarcate the boundaries of reasonable interpretations of GDPR that both protect Europeans’ data and allow transatlantic commerce to proceed.