Europe Is Marching Toward Data Localization, ITIF Warns in New Report Analyzing the Uncertain Fate of Model Contracts for Data Transfers

WASHINGTON—Upon the European Court of Justice’s invalidation of the EU-U.S. Privacy Shield, Standard Contractual Clauses (SCCs) or “model contracts” have remained the only scalable and widely accessible legal tool available to organizations transferring personal data from the European Union to the United States and most of the rest of the world. Yet European courts and regulators are making them costlier and more complex, a sign of Europe’s march toward de facto data localization, shows a new report released today by the Information Technology and Innovation Foundation (ITIF). This is a threat to transatlantic digital trade that policymakers must avoid.

“The role and value of SCCs are barely recognized and poorly understood by most policymakers. If Europe makes SCCs prohibitively expensive and costly—or even worse ineligible—for firms to use to transfer data to the United States and other countries around the world, they’ll have inadvertently created the world’s largest de facto data localization requirement,” says Nigel Cory, ITIF’s associate director for trade policy and the report’s lead author. “Policymakers’ failure to address these issues means missing the bigger picture, and thus failing to marshal a response that creates a clear, coherent, and predictable framework for firms to use to transfer the data that is central to modern trade.”

SCCs are among the most widely used legal mechanisms for transferring personal data out of the EU, and firms from a broad range of sectors and countries rely on them—not just consumer-facing companies from the United States. While Europe’s highest court didn’t invalidate SCCs in Schrems II, it noted that there needs to be “supplementary measures.” However, Europe is considering measures that are overly restrictive and costly, and in some cases, essentially unusuable for firms wanting to transfer data to the United States. In response to Schrems II, the Irish Data Protection Commission has ordered Facebook to stop using SCCs to transfer data to the United States, showing how transatlantic digital trade may become even more disconnected following Privacy Shield’s demise.

The repeated, drawn out, and legalistic nature of the challenges to EU-U.S. data flows has lulled policymakers into a dangerous sense of complacency, ITIF warns. Policymakers should not passively accept the slow-motion train wreck that seems to be taking place, nor allow the EU to escape its responsibility as the conductor in leading to this situation.

“Absent some other major policy intervention—such as a Privacy Shield 2.0—maintaining transatlantic transfers will likely require a growing army of people and resources to ensure compliance given the critical role that data plays in modern trade and innovation. And make no mistake—SMEs and start-ups will shoulder a disproportionate share of this burden,” says Ellysse Dick, Research Analyst at ITIF and co-author of the report. “Policymakers need to redouble efforts to create the legal tools and overarching frameworks to reasonably, clearly, and coherently manage data privacy and national security issues related to transatlantic transfers.”

Read the report.