Unlocking EU Global Digital Trade: New Study Shows the US’s Key Role in EU Data Adequacy Determinations

There’s little empirical research on the impact that the European Union’s (EU) adequacy determinations—where it assesses whether a country’s privacy laws are equivalent to its General Data Protection Regulation (GDPR)—has had on digital trade. Filing this gap, a new European Union Institute (EUI) econometric study shows that adequacy determinations have a positive impact on digital trade—estimating increases of 6-14 percent—but that it is driven by whether there’s a legal framework so EU personal data can flow to the United States, such as the new Transatlantic Data Privacy Framework. It shows why it’s in the EU’s own interests to work with the United States (and other like-minded partners at the G7 and elsewhere) to develop common, high-standard legal tools for firms to transfer personal data, given the importance of network effects to digital trade.

The EU exhibits a related, but weirdly estranged, relationship between data privacy, personal data transfers, and digital trade policies. Unlike Australia, Japan, New Zealand, the United States, and others, EU trade agreements don’t address (in any meaningful way) issues related to personal data, instead relying on separate determinations as to whether a country offers adequate data protection. The EU does this as European privacy fundamentalists don’t think the transfer of personal data is a trade issue. They anchor EU policy to this unrealistic position that data isn’t central to the global digital economy.

Some European policymakers use privacy concerns to disguise protectionist efforts to target data transfers to the United States (but no one else, such as China). This was evident in the European Board of Data Protection’s report on government access to data in China, India, and Russia, which highlighted how none of those countries have meaningful protections against government access to data (like those in the United States). Yet, it is strangely silent on the issue of whether EU personal data flows to these countries should be cut off. This contrasts with ongoing (and overzealous) efforts by EU data protection authorities to cut off U.S. firms service-by-service like Google, Zoom, and Microsoft. This reflects the fact that adequacy determinations have become unnecessarily politicized. One day, the United Kingdom is a Member State of the EU with the GDPR in force, free to receive personal data from other EU Member States. The stroke of midnight on Brexit rendered it a third country needing it to go through the rigmarole of having the adequacy of its data protection standards scrutinized and doubted by parts of the EU. Contributing to these concerns about bias and politicization is that very little is known about the criteria the EU applies to prioritize countries for adequacy and its criteria or methodology for working through an assessment (in contrast to, for example, the United Kingdom’s own data assessments).

The EUI study by Martina F. Ferracane, Bernard Hoekman, Erik van der Marel, and Filippo Santi provides enormously useful data to show how EU data adequacy determinations require data to flow to the United States to have an impact on EU digital trade. The study improves on existing research in several ways: by defining different categories of digital trade as opposed to working with total goods and total services trade; by exploring the potential network effect of bilateral adequacy determinations (in terms of the impact on digital trade with other adequate countries and the United States); and by using a synthetic control to assess and test the accuracy of their results. The study uses the Organization for Economic Cooperation and Development’s Trade in Value-Added (TiVA) database, one of the few databases that records trade for goods and services from 1995 to 2018. This enabled them to incorporate most of the EU’s adequacy decisions except Uruguay (for which TiVA does not report data) and the most recent decisions: Japan (which received adequacy in 2019), Korea (2021), and the United Kingdom (2021). Trade data availability precluded assessing the impact of the Court of Justice of the European Union (CJEU) decision striking down Privacy Shield. Therefore, the study covers a total of 14 decisions/agreements agreed through 2018: 10 EU adequacy decisions (Andorra, Argentina, Canada, Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, and Switzerland) and four agreements that involve the United States (the EU-U.S. Privacy Shield, E.U.-U.S. Safe Harbor, Switzerland-U.S. Privacy Shield, and Switzerland-U.S. Safe Harbor).

The European Commission (EC) issues adequacy decisions in relation to third countries to alleviate GDPR’s general prohibition on transfers of EU personal data. It’s a high bar for countries to meet as it means a country’s laws must be “essentially equivalent” to GDPR. Adequacy determinations are a legal mechanism that firms use to transfer EU personal data to another country. Thus, adequacy determinations reduce trade costs by removing the need for firms to obtain individual consent for cross-border data transfers (which is burdensome) or use standard contractual clauses (a common legal tool used for data transfers that are increasingly complex, onerous, and under legal threat in the EU). The United States has never been deemed adequate. Instead, firms have had to depend upon a series of negotiated agreements, such as Privacy Shield and Safe Harbor.

EU adequacy decisions are a highly problematic tool for managing personal data transfers. The process is uncertain, opaque, and seemingly ad hoc. For example, in the case of Argentina, the decision was granted despite the European data privacy authorities expressing concerns about weaknesses in Argentinian data protection laws. The EU has never been willing to seriously scrutinize Israeli surveillance practices as it does with the United States (although recent judicial reforms in Israel may lead the EU to reconsider Israel’s adequacy decision). Similarly, European data privacy authorities dismissed concerns about deficiencies in New Zealand’s onward transfer laws on the basis that, given its geographical distance from Europe and the size and nature of its economy, it was unlikely that those deficiencies would have much practical effect on EU data subjects. Ultimately, the EU’s reliance on adequacy is untenable in the long term as few countries will harmonize their data protection frameworks to a level that the EU finds acceptable. It will be interesting to see how the European Commission tackles these issues as part of its review of pre-GDPR adequacy decisions (expected to be finalized shortly).

One clear and problematic demonstration of the “Brussels” effect is that a growing number of countries are using “whitelists” of countries for managing where personal data can be transferred. There are 73 countries designating (in one way, shape, or form) other jurisdictions as adequate or comparable. This creates a “spaghetti bowl” of lists that, like the EU, fail or struggle to use clear, common, and consistent criteria for listing or delisting countries. A country whitelist approach reveals a limited regulatory view of how data flows and a limited understanding of how legal accountability works in practice. Since data protection agencies cannot maintain the integrity or credibility of their whitelists, over time, they tend to degrade into greyish lists. Ultimately, the proliferation of whitelists doesn’t add to better global data governance and privacy practices but makes it harder. This is why the EU and other like-minded partners should work to develop common criteria for country whitelists and standard contractual clauses to at least make them more compatible and meaningful.

The EUI study shows that the impact of EU adequacy determinations on digital trade depends on personal data flows with the United States. The study examines the value of network effects in terms of firms’ ability to depend on a single legal tool (such as adequacy decisions) to transfer data between third countries. Adequacy decisions are bilateral (e.g., between the EU and Argentina, the EU and Israel); however, their impact is plurilateral in that it allows firms to onward transfer EU personal data within the EU ‘adequacy club,’ such as from Argentina to Israel. However, the study shows a weak level of statistical significance for this intra-club effect. The intra-club impact on digital trade only becomes significant when the EU-U.S. Safe Harbor or Privacy Shield was operational. The study estimates a 14 percent increase in intra-club digital trade when there’s a legal mechanism in place for EU-U.S. personal data flows. The study’s use of a separate trade database to test the robustness of its results reinforces this result—that Safe Harbor and Privacy Shield have a statistically significant impact on intra-club digital trade (of about 8-9 percent).

The results are intuitive—digital goods and services are critical intermediate inputs into physical goods and other digital products. U.S. firms are leading global suppliers that many firms from Argentina, the EU, Israel, and other adequacy club members use for global operations. The study provides direct evidence of this point. The study estimates the extent to which foreign value-added in exports of adequacy-granted countries is sourced from each other, including the United States, during the time of Safe Harbor and the Privacy Shield. The results suggest that EU-U.S. agreements positively impacted the composition of digital trade (in value-added), with about 7 percent shifting away from being sourced from non-adequacy-granted countries (or the domestic market) to countries within the EU adequacy club.

The study’s analysis on the network or “club” effect of EU adequacy determination and digital trade gets at a critical point—the global digital economy needs firms to have a common, high-standard set of easy-to-use legal tools to manage data privacy issues across key economies. It shows that if the EU continues its “my way or the highway” approach in making life difficult for the United States on data flows, then its own and the global digital economy will suffer. The G7’s “data free flow with trust” initiative is still conceptual, but it has the potential to become a venue to develop pragmatic tools to address data privacy and governance issues. However, the G7’s success depends in no small part on the EU being far more pragmatic (rather than dogmatic) in how it works with like-minded countries on data governance issues. This study provides European policymakers with critical evidence and perspective about why they must do this.