After Schrems II and the EDPB Guidance, Lessons from a 1998 Study About the Effects of Data Localization Between the EU and the US

This post describes a newly available resource for studying the effects of data localization within the European Union, a prospect that has become newly relevant in the wake of this year’s decision in Schrems II by the Court of Justice for the European Union (CJEU).  In 1998, I co-authored a book entitled, “None of Your Business: World Data Flows, Electronic Commerce, and the European Privacy Directive.”[1] This month the Brookings Institution, for the first time, has made the text of the book available for free download from its website (click “None of Your Business pdf” on the left of the page).

In 1998, the EU’s Data Protection Directive went into effect, and its potential effect on trans-Atlantic data flows had until then been little studied.  Much of the book described the major flows of personal data from the EU to the US.  For each category of data flow, the book analyzed whether and in what circumstances the flow might remain legal, if no agreement were reached between the EU and US.  Where the data flow appeared unlawful, the book described effects of data localization within the EU.

This detailed analysis of possible data localization is newly important now, not only due to the Schrems II case itself, but also due to the new guidance by the European Data Protection Board (EDPB). As described extensively elsewhere, the CJEU in the Schrems II case invalidated the EU/US Privacy Shield and cast doubt on the continued use of Standard Contractual Clauses (SCCs). The possibility of strict data localization has become greater after the release on November 10 by the EDPB of two documents. Professor Théodore Christakis, in discussing the “European Essential Guarantees for Surveillance Measures,” concluded that “the preponderance of transfers to third countries do not meet the essential guarantees as set forth by the EDPB.” For cases where such essential guarantees do not exist, the EDPB issued its “Recommendations on Supplementary Measures.” These, too, are strict. Professor Christakis concludes, upon careful examination, that the EDPB Guidance seems “to prohibit almost all such transfers when the personal data is readable in the third country.” He adds: “If European data has almost no way of leaving Europe (that is, in a readable format) that means that it needs to remain in Europe. This is called data localization.”

There has been no recent, systematic study of the effects of EU-wide data localization. Working with the Cross-Border Data Forum, I hope to participate in such a study as soon as practicable. With that said, the 1998 book presents the most systematic discussion to date of how localization would affect major categories of data flows.  It is true that some types of data flows have emerged since 1998, including the widespread use of cloud computing, where the personal data of individuals is often stored outside of their home country.  Nonetheless, many of the data flows discussed in 1998 have a striking overlap with data flows today.  I would like to thank the Brookings Institution for making the 1998 book freely available to inform the current discussions about possible data localization.

Outline of Important Trans-Atlantic Data Flows

Moving forward, I hope to work on a study of the effects of data localization on current data flows. Here, we present the outline of categories of data flows from the 1998 book.  Since then, some new types of data flows have become important, such as cloud computing.  With that said, the topics listed here at a minimum provide a useful list of data flows to consider in studying effects of data localization.

The book applied the following methodology: describe the data flows; explain the apparent legal limits on such flows; and assess possible options for modifying or blocking such flows.

Chapter 5: Privacy Issues Affecting Many Organizations (p. 90-101)

  1. Human Resources Records
  2. Auditing and Accounting
  3. Business Consulting
  4. Call Centers and Other Worldwide Customer Service
  5. Article 7 and Article 26 Processing
  6. Conclusion

Chapter 6: The Financial Services Sector (p. 102-121)

  1. Payment Systems
  2. Sale of Financial Services to Individuals
  3. Sale of Financial Services to Businesses
    1. Reinsurance
    2. Participations
  4. Investment Banking
    1. Market Analysis
    2. Hostile Takeovers
    3. Due Diligence
    4. Private Placements and Other Sales to Europeans
    5. Other Issues for European Companies Raising Money in the United States
  5. Mandatory Securities and Accounting Disclosures
    1. Legal Required Disclosures
    2. Disclosures Required by Accounting or Stock Exchange Rules
    3. Disclosures that are Not Strictly Required
  6. Individual Credit Histories
    1. Providing Information to Credit Agencies
    2. Receiving Credit Reports
  7. Corporate Credit Histories
  8. Information on Persons in Their Business Capacity

Chapter 7:  Other Sectors with Large Transborder Data Flows (p. 122-151)

  1. The Press
  2. Effects Generally on Non-Profits
  3. International Educational Institutions
  4. International Conferences
  5. Effects on Non-EU Governments
  6. Research and Marketing for Pharmaceuticals and Medical Devices
  7. Business and Leisure Travel
    1. Reservation Systems
    2. Frequent Flyer Miles and Other Affinity Programs
  8. Internet Service Providers
  9. Retailing and Other Direct Marketing
    1. Traditional Direct Marketing
    2. Direct Marketing and Electronic Commerce
  10. Effects on Europe of Restrictions on Transfers
    1. Intraorganizational Data Flows
    2. Data Flows Between Organizations
    3. Dynamic Effects
  11. Conclusion

[1] Peter Swire & Robert Litan, “None of Your Business: World Data Flows, Electronic Commerce, and the European Privacy Directive” (Brookings, 1998). The title of the book was intended to have three meanings. “First, the Directive is about privacy, about the fundamental idea that “my” personal information is none of “your” business. … A second meaning of “none of your business” invokes the concern of other countries that the European Union is trying to impose its privacy rules in an extraterritorial fashion. … A third meaning is closely related to the second. Under the global trade regime administered through the World Trade Organization (WTO), laws that appear to prevent free trade in goods and services are carefully scrutinized. Data protection rules such as the Directive can have the effect of excluding companies in the United States and other third countries from the European market.” Swire & Litan, at p. 3-4. The 1998 book should not be confused with the non-profit “None Of Your Business,” which Max Schrems has established to address E.U. data protection issues.

These statements are attributable only to the authors, and their publication here does not necessarily reflect the view of the Cross-Border Data Forum or any participating individuals or organizations.