Trump win offers window for EU privacy regime to go global

First published on MLex Digital Risk 18 November 2016. By Magnus Franklin.

The election of Donald Trump as US president has left the international trade community shaken, with landmark trade deals such as the Trans-Pacific Partnership and the Transatlantic Trade and Investment Partnership facing an uncertain future.

But the maverick businessman’s victory may offer EU privacy advocates a window of opportunity, which they could use to restart their campaign to make the European privacy approach the global gold standard.

As recently as October, American trade officials toured the Pacific Rim to build support for a more hands-off approach to privacy, which is being promoted worldwide by the US. Their secret weapon in the campaign was the TPP, of which the the APEC Cross Border Privacy Rules system was an integral part. US data privacy and TPP went hand in hand.

The CBPR was the US government’s bid to push countries to sign up to its privacy approach, which is rooted in the belief that privacy is a consumer right. But only the US, Mexico, Canada and Japan had adopted it. Singapore, Korea and the Philippines have expressed support for the plan, and US officials hoped their October tour of Japan and Vietnam would draw more countries into the deal.

But now, with no TPP for the US to offer trading partners around the Pacific, the Asian countries’ willingness to following the US lead on privacy is in doubt.

In short: With the US no longer a force for liberalizing world trade, the US mission to export its privacy rules has suffered a body blow.

EU privacy advocates will be relieved. The European privacy philosophy is rooted not in consumer rights, but in basic human rights, which rose from the ashes of World War II and as a rejection of the totalitarian regimes east of the Iron Curtain.

Consumer protection is an added bonus to the EU’s outlook, but the right to privacy is seen here as sacred — akin to the right to own property or to hold religious beliefs.

These differences led to low-level diplomatic warfare between the EU and the US, fought around roundtables and privacy conferences across the globe. The prize was the right to set the global standard for how privacy is treated as the world moves toward the digital economy, in which data has become the new oil.

Until Trump’s electoral victory, the US had the upper hand. Department of Commerce and Federal Trade Commission officials toured the world making an eloquent case for how well the US privacy model was working.

The campaign was boosted by Silicon Valley’s digital giants, which were busy setting the de-facto standard for how privacy should work in practice. Although EU privacy watchdogs have been busy slapping down what they considered the most egregious US excesses in harvesting and processing personal data, they couldn’t stop the US digital juggernauts.

That has now changed. If a Trump presidency steps away from regional free trade initiatives, it will lose the vehicle it had relied upon in its global privacy campaign.

Tricks of trade

Lawyers for a Swedish law firm commissioned by telecom-equipment giant Ericsson took a leaf from the US privacy approach, arguing in a recent report that the best way for Europe to export its privacy model is precisely via the kind of trade deals from which the US has now turned away.

According to Mannheimer Swartling’s experts, the trick of using trade deals as a Trojan horse through which to sign countries up to the European approach is more than just a clever trick — it is a necessary defense against Europe getting its rules watered down through the back door.

If the EU fails to safeguard its privacy approach via trade deals, the report says, countries would be able to bring the EU before the World Trade Organization, on the grounds that the privacy rules are an illegal barrier to doing business in Europe. If upheld, Europe would be under pressure to weaken its privacy regime.

So far, so good. But the promoting of anything through a trade agreement — no matter how worthy — can be expected to be met with deep skepticism in the EU from political forces who have been fighting the EU’s trade deals, be they TTIP or the EU-Canada Comprehensive Economic and Trade Agreement.

EU consumer rights lobby BEUC published a concise summary of why including privacy in trade deals is a bad idea, around the same time Mannheimer Swartling made its pitch for the opposing view.

BEUC cited a study by the Ivir Institute of the University of Amsterdam on whether the EU’s privacy rules would be safe in a trade deal. The report is “unequivocal,” BEUC says. “The safeguards are not solid enough, the EU needs to reinforce them.”

By excluding privacy from trade deals, BEUC and a cohort of like-minded organizations say, “the EU would remain able to protect the privacy of its citizens regardless of commitments made in trade agreements.”

The organization fears that including rules on data flows in trade deals — however well-intentioned — opens the door to provisions that “allow data to be transferred more easily outside of the EU” — code for weakening the strong statutory rights in the bloc.

This is where the Mannheimer Swartling approach offers a twist. By arguing that trade deals would enshrine the integrity of EU privacy rules, rather than simplifying data transfers, the paper appears to be on the same side as the civil society groups.

And there is evidence that the political mood is shifting. Yesterday, a Dutch liberal member of the European Parliament, Marietje Schaake, said the “change of government in the US presents opportunities for the EU.”

“More and more we see the EU de-facto setting global norms on policies that have a big influence on cyberspace,” Schaake said, adding that “we see a lot of recent examples where EU has taken the lead and I hope we see more of that.”

EU privacy’s time to shine

Europe’s privacy advocates had always seen the US approach to privacy as their nemesis. They feared — not without reason — that placing privacy on the negotiating table when dealing with a global economic superpower determined to water down privacy provisions was too risky.

But TTIP is now dead and the EU-US bilateral deal to ease data transfers, known as the Privacy Shield, is subject to two separate legal challenges. What’s more, the Privacy Shield has only signed up a fraction of the companies that had used its predecessor, Safe Harbor.

What this means is that the high tide mark for US threats to EU privacy rules appears to have been reached.

With the threat of US encroachment receding, it now remains to be seen whether EU trade negotiators will seize the opportunity to fill the void and foist Europe’s fundamental-rights approach to privacy onto its trading partners.

There is more at stake than a conceptual battle on the meaning of privacy. Gaining the critical mass needed to impose a global model is part of the equation.

This means that if Europe were to win the global battle on privacy, the center of gravity in the digital world would shift toward it, at the expense of the San Francisco Bay area, New York or Austin.

Whether Europe will know how to capitalize on a victory on the data protection battlefield is another matter.

* Additional reporting by Mike Swift, Ira Teinowitz and Phoebe Seers