In Lewis Carroll's classic Alice in Wonderland sequel "Through the Looking-Glass," Alice enters a fantastical world by climbing through a mirror. Alice discovers that, like a mirror, everything is reversed in this other world. For observers of global data privacy issues over the past few decades, "Through the Looking Glass" is an apt metaphor for recent twists and turns in the world of cross-border data transfer restrictions.
Among other developments, we have seen the emergence of new outbound data transfer restrictions from the U.S. to certain non-U.S. countries of concern for national security purposes, whereas historically, the dominant cross-border data transfer restrictions applied to transfers into the U.S. from places like Europe for data privacy purposes.
Perhaps even more surprisingly, the current landscape suggests U.S. national security interests might ultimately serve as a driver for a global treaty on privacy and government access to data. In contrast, U.S. national security activities have historically been cited as a key privacy reason for disrupting cross-border data flows. We are truly "Through the Looking Glass" at this point, where everything is reversed, e.g., running helps one remain stationary, walking away from something brings one towards it, nursery rhyme characters exist, etc. This article provides a brief overview of these developments, and some thoughts on the road ahead.
Cross-border data privacy restrictions
For many years, EU data privacy restrictions on cross-border transfers to third countries have dominated the landscape. The Court of Justice of the European Union has invalidated not one, but two, bilateral cross-border data privacy accords with the U.S. — Safe Harbor and Privacy Shield — on the basis of privacy concerns about U.S. government surveillance.
In response, the U.S. government has taken unprecedented steps to enhance the substantive and procedural privacy protections on U.S. government surveillance for EU residents. To support a third bilateral accord, entitled the EU-U.S. Data Privacy Framework, the U.S. government established a Data Protection Review Court to adjudicate EU resident national security claims. Due to the DPRC and other factors, the EU-U.S. DPF should be in a stronger position than its two predecessors to withstand scrutiny by the CJEU.
Multilateral treaty on data privacy and government access
Despite the improved position of the EU-U.S. DPF over its predecessors, the U.S. government still has incentives to pursue a multilateral treaty on data privacy and government access. A multilateral treaty approach would avoid the risks associated with future CJEU review of bilateral accords and provide greater certainty for business on cross-border data privacy transfers.
Such an approach would need to take into consideration the commercial privacy aspects of EU-U.S. DPF, the related privacy protections on government access to personal data in the national security context, and other global developments in this area. Although there has not been notable progress on such a multilateral treaty to date, the logic underpinning this approach in the digital age remains sound.
Cross-border transfers in reverse: US national security restrictions on outbound data transfers
The U.S. government recently flipped the script on cross-border data transfer restrictions and has adopted its own restrictions for national security purposes on outbound data transfers. Specifically, on 28 Feb. 2024, President Joe Biden issued Executive Order 14117 directing the U.S. Department of Justice and other federal agencies to promulgate regulations that restrict U.S. companies from, among other activities, sharing sensitive personal information with certain "countries of concern" for national security purposes. The DOJ and other agencies are now engaged in substantial rulemaking to implement such regulations.
In April, the U.S. also enacted the Protecting Americans' Data from Foreign Adversaries Act of 2024 to prohibit data brokers from transferring certain personally identifiable sensitive data of U.S. individuals to foreign adversary countries. The executive order and act include China, Iran, North Korea and Russia as covered countries for these purposes, and the DOJ rulemaking under the executive order also contemplates coverage for Cuba, Hong Kong, Macau and Venezuela.
The executive order and the act directly apply to data transfers to China and other identified countries of concern. They also apply indirectly to data transfers to jurisdictions that are not countries of concern. Specifically, the executive order and the act restrict covered data transfers to legal entities located in third countries, e.g., an EU member state, if such legal entities are under the control of a country of concern. This means that U.S. companies need to evaluate the ownership structures of recipient legal entities in such jurisdictions and other downstream issues, which adds substantial complexity for U.S. businesses in the context of the supply chain, third-party business partners, and other transactional settings.
Notably, the U.S. policy underpinnings for the executive order and the act will likely persist, regardless of the outcome of U.S. national elections in November 2024. The act achieved Congressional approval with broad bipartisan support in a matter of weeks. The executive order represents a continuation of a policy approach from the Trump administration, and an extension of national security risk mitigation measures that have been imposed in recent years by the Department of the Treasury's Committee on Foreign Investment in the U.S.
US national security interests could help drive a multilateral treaty on privacy
Given the adoption of the U.S. Outbound Data Transfer Restrictions, the U.S. now has something affirmative to gain from pursuing a multilateral treaty on privacy and government access to data. Previously, the U.S. would have only been looking for defensive benefits in the form of assuring that cross-border transfer restrictions, such as those in the EU, would not be applied to restrict U.S. companies from engaging in global data transfers and business activities.
Now, the U.S. government could pursue affirmative measures to enhance its national security goals with outbound data transfers. This could take various forms, such as requirements for participating countries to adopt laws that restrict onward transfers of U.S. personal information to countries of concern, i.e., reducing risk of onward transfers through such countries. It could also include provisions requiring participating countries to adopt outbound data transfer rules similar to the U.S. requirements to protect their local residents. Other elements could be adapted based on CFIUS and other foreign investment rules. Regardless of the final shape and form of any such requirements, this represents a new incentive for the U.S. government to pursue a multilateral treaty approach to data privacy and national security.
The road ahead
Whether the U.S. government and other democratic societies decide to pursue a multilateral instrument in the short term is an open question. Geopolitical risks, other priorities, or other factors may inhibit such an initiative for some time.
However, if a path forward on such a binding multilateral instrument is pursued, several international organizations could serve as the forum for the development. For example, the Organisation for Economic Co-operation and Development promulgated foundational multilateral principles on data protection in 1980 and has a proven track record with developing and implementing highly successful binding conventions on anti-corruption and other matters.
The OECD also promulgated a nonbinding Declaration on Government Access to Personal Data Held by Private Sector Entities in 2022 that has signatories including 24 European Economic Area countries, the EU, and the U.S. Other options are also available. For example, the Council of Europe has adopted the Budapest Convention on Cybercrime and could be a focus for these efforts. It is also possible to consider other forums, such as the United Nations or the World Trade Organization.
Much will depend on political leaders and other developments. Overall, however, it is clear that more work is needed to provide more certainty for global business in this increasingly complex area of cross-border data transfer restrictions.
Brian Hengesbaugh, CIPP/US, is a partner at Baker & McKenzie and chair of global data privacy and security.