US and EU Remain Divided on Data Policy
Deep divisions over digital sovereignty and regulation persist between the United States and the European Union. During the Munich Security Conference, European officials pushed back against certain US claims, highlighting ongoing friction over transatlantic data policy. Despite high-level dialogues facilitated by groups like The Conference Board's Privacy and Data Governance Council, substantive policy convergence remains elusive.
- A core tenet of the EU's strategy is "digital sovereignty," which aims to give the EU the ability to act autonomously in the digital world. This includes setting its own legal framework and reducing dependency on foreign technologies, a direct point of friction with the U.S.'s market-driven approach.
- Successive transatlantic data transfer agreements have been invalidated by the Court of Justice of the European Union (CJEU). The "Schrems II" ruling in 2020 struck down the "Privacy Shield" framework, citing concerns that U.S. surveillance laws did not provide adequate protection for EU citizens' data. This followed the 2015 invalidation of the previous "Safe Harbor" agreement.
- The current EU-U.S. Data Privacy Framework, adopted in July 2023, is the latest attempt to ensure legal certainty for data flows. However, its long-term viability is questioned by privacy advocates and some EU bodies, with concerns that it still may not satisfy the CJEU's requirements regarding U.S. government surveillance and redress for EU citizens.
- Diverging approaches to AI regulation represent a major fault line. The EU's AI Act is a comprehensive, binding regulation with a risk-based approach and significant penalties for non-compliance. In contrast, the U.S. has favored a more flexible, innovation-focused strategy that relies on existing laws and encourages industry standards rather than imposing broad new legal frameworks.
- The EU Charter of Fundamental Rights establishes data protection as a fundamental right for individuals, a cultural and legal distinction from the U.S., where data privacy is often viewed through a consumer protection and commercial lens.
- A key component of the new data framework is the establishment of a Data Protection Review Court (DPRC) in the U.S., intended to provide a redress mechanism for EU individuals to resolve complaints about access to their data by U.S. national security authorities. However, recent dismissals from the U.S. Privacy and Civil Liberties Oversight Board (PCLOB) have raised questions about the independence of this oversight.
- At the Munich Security Conference, European Commission President Ursula von der Leyen emphasized the EU's stance on digital sovereignty, stating that "what is forbidden offline is forbidden online" and that the EU will be steadfast in pursuing this principle.
- The EU is actively promoting "Made in Europe" solutions through public procurement policies, aiming to reduce reliance on non-European cloud providers and strengthen its own digital infrastructure and technology sector.