The cross-border transfer of personal data between the United States and the European Union has undergone three institutional arrangements: the Safe Harbor Agreement, the Privacy Shield Agreement, and the latest EU-US Data Privacy Framework Agreement. The repeated rounds of the cross-border data game between the United States and the European Union reflect fundamental contradictions between the two sides, including the difference between rights-driven and market-driven concepts, the difference between unified and decentralized privacy legislation in their legal systems, and their different definitions of exceptions, which together make the prospects of the EU-US Data Privacy Framework Agreement uncertain. The measures taken by the United States and Europe have a certain reference value for China's cross-border data governance. China should continue to clarify its concept of cross-border data governance, improve its rules for cross-border data flows, and promote its data governance ideas internationally.
With the rapid integration and development of new-generation information and communication technologies such as big data, cloud computing, blockchain, and artificial intelligence, the global digitalization process continues to deepen, and mankind is accelerating into the era of the digital economy. As a link connecting the global economy, cross-border data flow has brought new momentum to globalization, but it has also raised a series of issues such as data sovereignty, privacy protection, and data supervision. As the world's two major digital economies, the United States and Europe have engaged in multiple rounds of the game over the dominance of cross-border data flow rules. From the Safe Harbor in 2000 to the Privacy Shield in 2016 to the EU-US Data Privacy Framework Agreement in 2023, US-EU cross-border data flow policy has been continuously updated, contributing to the continuous improvement of the mechanisms for corporate responsibility, government constraints, and post-event remedies between the two sides. This paper analyzes the main content and characteristics of the EU-US Data Privacy Framework Agreement and the core concerns and main contradictions between the two sides in data governance, and puts forward ideas for improving China's cross-border data governance.
The development of cross-border data flow policies in the United States and Europe.
The United States and Europe have long claimed that transatlantic data flows exceed those between any other two regions in the world and underpin a $7.1 trillion transatlantic economic relationship. As a result, cross-border data flow rules have become an important factor affecting US-EU relations, and they are still being adjusted after more than 20 years.
1.1 2000 to 2015: Self-administration of the Safe Harbor Agreement.
The first attempt at cross-border data governance between the United States and Europe was the Safe Harbor Agreement, formalized in November 2000. The agreement was based on the principle of "adequacy determination" set out in the European Union's 1995 Data Protection Directive (DPD), which requires that the level of data protection in a third country to which data is transferred be substantially equivalent to that of the European Union. The agreement set out seven privacy protection principles, namely notice, choice, onward transfer, security, data integrity, access, and enforcement, and effectively reconciled the data protection differences between the United States and Europe at the time. A total of 4,500 U.S. businesses participated in the Safe Harbor; by submitting a self-certification letter to the U.S. Department of Commerce each year committing to abide by the principles set forth in the agreement, they were free to receive personal data from the EU. The Federal Trade Commission (FTC) was responsible for reviewing violations by participating companies, including verification, dispute resolution, and remediation, and a company that continued to violate the rules would have its Safe Harbor status revoked.
The Safe Harbor Agreement ensured the free flow of data between the U.S. and Europe for more than a decade, until the 2013 Snowden revelations showed that all data transferred to the U.S. could be intercepted by U.S. intelligence agencies, with the cooperation of telecom carriers, without the knowledge of the individual or the company. In response, the European Commission proposed a review of the Safe Harbor Agreement and launched negotiations with the U.S. side, focusing on four priority measures: improving transparency, ensuring remedial measures, strengthening law enforcement, and limiting access to data by U.S. intelligence agencies. Among them, the contradiction between the Safe Harbor Agreement's special provision for a "national security exception" and the EU's requirement to restrict access to Safe Harbor data became the focus of the negotiations. In 2013, Austrian lawyer Max Schrems took Facebook to court (in the case known as Schrems I) to prohibit Facebook from transferring his personal data to the United States under the Safe Harbor Agreement. The case was referred to the EU's highest court in 2014, and the Court of Justice of the European Union (CJEU) ruled in October 2015, raising three issues: first, the opacity of the privacy policies of companies that joined the Safe Harbor; second, the failure of the U.S. Department of Commerce to follow up on the validity of the agreement's certifications; and third, the lack of remedial measures for EU citizens. At the same time, the European Commission said that at the time the Safe Harbor agreement was adopted, it could not have foreseen large-scale access by intelligence agencies to data transferred to the United States in the context of commercial transactions, so it declared the agreement null and void.
1.2 2016-2020: Increased regulation of the Privacy Shield.
Following the invalidation of the Safe Harbor Agreement, the European Union and the United States embarked on a new Privacy Shield framework for data transfers to maintain the day-to-day cross-border data flows between U.S. and European companies and institutions, and adopted the Privacy Shield in 2016. The Privacy Shield follows the main elements of the Safe Harbor, refining the seven principles into the Privacy Shield Principles and adding provisions on sensitive data, secondary liability, the role of data protection authorities, human resources data, pharmaceutical and medical products, and publicly available data. Compared with the Safe Harbor Agreement, the Privacy Shield Agreement also comes with commitments from U.S. institutions and responds to the questions raised by the European Court of Justice, mainly as follows. First, strengthened commitments: U.S. companies intending to import EU personal data must publicly commit to fulfilling the principles on personal data processing and to protecting the rights of EU data subjects, including detailed notification obligations, data retention restrictions, restricted access rights, stricter transfer conditions, and a liability system. Second, the U.S. Department of Commerce must oversee the FTC's enforcement of the Privacy Shield and impose severe penalties or restrictions on the use of the Privacy Shield by companies that fail to comply with the rules. Third, safeguards and transparency obligations are clarified: in accordance with written commitments from the U.S. Department of Justice and the Office of the Director of National Intelligence, access to EU personal data by the U.S. government is subject to clear restrictions and oversight mechanisms, and the two sides conduct an annual joint review of the access issue to monitor the operation of the system on a regular basis.
Fourth, more avenues of redress are provided: filing a complaint with the company, which has 45 days to resolve it; appealing to the complainant's national data protection authority, which may refer unresolved complaints to the U.S. Federal Trade Commission; and, if the FTC does not take up the complaint, a free alternative dispute resolution mechanism for the claimant. In response to complaints about possible access by national intelligence agencies, the U.S. government will establish a new special ombudsman to conduct reviews independently of the intelligence system.
The Article 29 Working Party of the EU data protection authorities acknowledged the "significant improvements" made by the Privacy Shield and noted that many of the Safe Harbor's deficiencies had been addressed. However, the Working Party still expressed concerns about the terms of the Privacy Shield Agreement, including: first, it does not explicitly specify an organization's obligation to delete personal data once the purpose for which it was collected no longer exists; second, the safeguards for onward transfers of data to third countries are insufficient; third, the redress mechanism is overly complex; fourth, the safeguards restricting access to data by the U.S. government are insufficient; and fifth, it is unclear whether the agreement is consistent with the General Data Protection Regulation (GDPR), which came into effect in April 2016.
In addition to the Safe Harbor Agreement, the EU also recognizes mechanisms such as Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs), which became the main data transfer mechanisms between the EU and the United States after the Safe Harbor Agreement was struck down. At the end of 2015, Schrems again filed a complaint with the Irish Data Protection Commission, requesting a suspension of Facebook's use of SCCs for cross-border data transfers. During the hearing, the High Court of Ireland questioned the validity of the Privacy Shield and referred the matter to the European Court of Justice. In 2020, the European Court of Justice (ECJ) declared the Privacy Shield null and void, on the grounds that the internal control mechanism of the intelligence system was an ex post facto protection that was not independent of the administrative system and was not sufficient to protect the personal information of EU citizens, and that the ombudsman system did not give EU citizens a right to protection through litigation.
1.3 2022-present: EU-US Data Privacy Framework Agreement
After the invalidation of the Privacy Shield Agreement, the US and the EU went through another two years of lengthy negotiations and finally reached an agreement after a compromise by the US side.
The first stage was a proactive concession by the United States. In March 2022, the two sides agreed in principle on a Privacy Framework for Transatlantic Data Flows. To translate the agreement in principle into U.S. law, U.S. President Biden signed the Executive Order on Enhancing Safeguards for U.S. Signals Intelligence Activities (E.O. 14086) in October 2022, restricting U.S. intelligence services' access to EU citizens' data to what is "necessary and proportionate".
The second stage was a swift follow-up response from the EU. In December 2022, the European Commission officially published its draft adequacy decision for the EU-U.S. Data Privacy Framework and forwarded it to the European Data Protection Board for comments. In February 2023, the European Data Protection Board (EDPB) published its assessment of the draft adequacy decision, expressing general acceptance of the framework.
The third stage was the second handshake between the United States and Europe. In July 2023, the Office of the Director of National Intelligence issued a statement that U.S. intelligence agencies had taken appropriate measures to manage intelligence activities under Executive Order 14086. The U.S. Department of Commerce also issued an implementation statement emphasizing that the U.S. had fulfilled its commitment to implement the Framework Agreement. Subsequently, on 10 July 2023, the European Commission formally adopted the adequacy decision for the EU-US Data Privacy Framework Agreement. On July 17, 2023, the U.S. Department of Commerce launched the Data Privacy Framework program, publishing the EU-U.S. Data Privacy Framework developed by the Department of Commerce so that eligible U.S. companies could use it as a reference to self-certify and join the framework, and the free transfer of data between the U.S. and the EU was finally restored.
The main content and outlook of the EU-US Data Privacy Framework Agreement.
Following the Safe Harbor and Privacy Shield agreements, the EU-US Data Privacy Framework Agreement is another attempt by the United States and the EU to establish a stable institutional arrangement for transatlantic data flows.
2.1 Main content.
The EU-US Data Privacy Framework Agreement mainly responds to key issues left unresolved by the previous two agreements. The first is to restrict the activities of US intelligence agencies. The European Union had previously criticized US intelligence agencies for violating the principle of "necessity and proportionality" and for excessive enforcement. On this basis, the agreement sets the principle of "necessary and proportionate" as its main provision, restricts the access of U.S. intelligence agencies to data to the extent necessary, and stipulates that U.S. intelligence agencies must inform monitored individuals when information is declassified; the Office of the Director of National Intelligence must limit the dissemination of reports to what is needed to achieve their purpose; relevant intelligence information must be retained in accordance with the law and without differentiation on the basis of nationality; and data accuracy, security, and accessibility must be ensured.
The second is to improve individual remedies. In response to the EU's previous criticism of the lack of remedies in cross-border data transfer agreements, the most notable change in this agreement is the establishment of a two-tier redress mechanism for EU citizens. At the first tier, U.S. intelligence agencies will establish a Civil Liberties Protection Officer (CLPO) to conduct an initial investigation into complaints; foreign nationals may file complaints against U.S. intelligence services with the CLPO. The second tier is the establishment of the U.S. Data Protection Review Court (DPRC). DPRC judges are drawn from outside the U.S. government and are not subject to the oversight of the U.S. Department of Justice. If the complainant does not accept the outcome of the CLPO's review, he or she may appeal the CLPO's decision to the DPRC. The DPRC has the authority to conduct investigations, obtain relevant information from intelligence agencies, review whether the CLPO's determination of violations is legally correct and substantially supported by evidence, and issue binding remedial decisions. During the DPRC's review, a Special Advocate, who is affiliated with the Department of Justice and holds intelligence authority, represents the complainant's interests before the DPRC. However, there is no lawyer-client relationship between the Special Advocate and the complainant, and no information may be disclosed when communicating with the complainant.
The third is to strengthen the inspection and supervision mechanism. Under the agreement, the Privacy and Civil Liberties Oversight Board (PCLOB), an independent U.S. watchdog, will conduct an annual review of the CLPO and DPRC to determine whether they are able to review eligible lawsuits in a timely manner and whether they are operating in a compliant manner.
2.2 Prospects.
To a certain extent, the EU-US Data Privacy Framework Agreement clarifies the boundaries of personal privacy protection between Europe and the United States, effectively promotes the integration of the two sides' data protection systems, and enables the full recovery of transatlantic data flows; its economic and geopolitical impact is gradually emerging.
In terms of economic impact, transatlantic data flows affect the US and European economies from manufacturing and transportation to finance and internet services, and 70% of the companies involved are small and medium-sized enterprises. Restricted transatlantic data flows have a greater impact on SMEs, which lack the resources to meet complex legal requirements, than on large companies. In this regard, the EU-US Data Privacy Framework Agreement allows certified companies to transfer personal data from the EU to the US without additional transfer mechanisms such as standard contractual clauses or binding corporate rules and without additional transfer impact assessments, temporarily satisfying the demands of US and EU companies for a "strong transatlantic data flow framework". This will undoubtedly reduce costs for enterprises and bring legal certainty to US-EU data flows, so it has been unanimously welcomed by companies on both sides.
In terms of geopolitical implications, the EU-US Data Privacy Framework Agreement has to some extent acted as a "barometer" of US-EU relations; after the invalidation of the Privacy Shield Agreement, both sides had been hesitant to negotiate cross-border data regulation. After Biden took office, he used the regulation of cross-border data flows as a starting point to speed up the repair of relations with the EU and made concessions on some terms. The intention behind this is to win over the EU, stabilize the transatlantic relationship, and pursue strategic competition with China with every effort in order to "win", including the Declaration for the Future of the Internet issued jointly with EU countries, which treats promoting the free flow of information as an important measure for establishing a global digital ecosystem centered on the United States.
In terms of development prospects, there is still great uncertainty about whether the EU-US Data Privacy Framework Agreement will operate smoothly, whether the EU will see a new round of litigation against the framework, and whether the US will be able to comply with the framework's requirements. On the one hand, it is difficult for the EU to restrain US surveillance. Although the US has further regulated intelligence gathering and established a comprehensive remedial mechanism, the EU is still unable to supervise the intelligence surveillance conducted by the U.S. government, and the main contradiction is that the DPRC remains a self-correcting mechanism within the US administrative system rather than a fully independent court. Moreover, the EU side has expressed doubts about the process for appointing the court's personnel and has therefore questioned the fairness and transparency of its decision-making; and the complainant must be heard through a Special Advocate affiliated with the U.S. government and cannot appear directly before the DPRC. As a result, E.O. 14086 is only a unilateral commitment, and on its own, without significant amendments to the U.S. Foreign Intelligence Surveillance Act, it cannot truly address EU citizens' concerns about data security. On the other hand, the EU's pursuit of "digital sovereignty" has accelerated. In recent years, the European Union has successively introduced laws such as the Digital Services Act, the Digital Markets Act and the Artificial Intelligence Act to accelerate the construction of its "digital sovereignty". The possibility that the agreement will be judged not to fully comply with EU legal standards has therefore become a "sword of Damocles" hanging over the new agreement.
The main contradiction between the United States and Europe in data governance.
From the Safe Harbor to the Privacy Shield to the EU-US Data Privacy Framework Agreement, the US-EU cross-border data game reflects differences in philosophy and in underlying logic between the two sides.
3.1 The divergence between rights-driven and market-driven concepts.
For historical reasons, the European Union regards respect for private life and the protection of personal information as a fundamental human right; Article 1 of the European Convention on Human Rights contains special provisions on respect for private life, which have been strongly supported by the European Court of Human Rights. Article 44 of the GDPR, which came into force in 2016, also expressly prohibits the transfer of personal data outside the European Union unless the receiving country can provide the same level of protection as the European Union. The EU uses safeguards such as adequacy mechanisms, SCCs and BCRs to ensure that the personal data of EU citizens, wherever it is located, is protected at a level comparable to EU legislation. In international agreements led by the EU, the privacy standards of the GDPR have become a mandatory requirement. In general, the EU considers the "collection and processing of personal data" to be prohibited in the absence of an express legal provision.
The U.S. has a different view of data protection and personal privacy, holding that "what is not prohibited by law is permitted" and supporting the "collection and processing of personal data" as long as no law is explicitly violated. This is mainly because the United States has the most developed digital economy and the largest data volume, occupies a central position in the global data flow system, and benefits most from unrestricted data flow rules. As a result, the U.S. favors a market-led approach, disapproves of other countries' legal barriers to the cross-border flow of data, and intends to rely on corporate self-regulation to implement data protection, so the U.S. openly supports private sector initiatives on privacy protection.
3.2 Differences in the legal system between unified and decentralized legislation.
There are fundamental differences between the EU and US systems for personal data protection. Based on the 1995 Data Protection Directive, EU data protection law established a comprehensive EU-wide data protection framework that harmonized data protection rules across the EU. Since then, the ePrivacy Directive of 2002 and the GDPR of 2016 have continued to pursue uniform EU-wide data protection legislation.
Privacy legislation in the U.S. is fragmented and lacks a unified data protection framework, with provisions set primarily through sectoral and state legislation. Sectoral legislation mainly covers finance, insurance, television and telecommunications, consumer credit, and children's privacy, such as the Right to Financial Privacy Act (RFPA), the Health Insurance Portability and Accountability Act (HIPAA), and the Children's Online Privacy Protection Act (COPPA). At the state level, the California Consumer Privacy Act (CCPA) passed by California is a pioneer of privacy legislation in the United States and has had an important impact on the protection of privacy rights in the United States. The U.S. also does not have a dedicated privacy protection agency; federal data privacy matters are handled primarily by the FTC, which deals with unfair competition and consumer fraud by businesses. In recent years, after incidents such as the Cambridge Analytica scandal, both parties in the United States have also actively promoted unified legislation such as the American Data Privacy and Protection Act (ADPPA), the CONSENT Act, and the Online Privacy Act (OPA).
Under such differences in legal systems, the EU presents a unified image in cross-border data flows, setting standards for cross-border data flows with its uniform, high-standard data protection model. In the absence of uniform federal privacy legislation, the U.S. is more "arbitrary" in regulating cross-border data flows, intending to promote corporate self-regulation in the absence of deliberate national policy. Therefore, when mandatory regulation meets self-regulation, contradictions between the United States and Europe inevitably erupt.
3.3 Differences in the scope of the national security exception.
The European Court of Justice (ECJ) restricts intelligence activities within the EU primarily through the "principle of proportionality", which requires that such activities be carried out only when there is a real, imminent and foreseeable threat. After a law enforcement agency has collected such data, any reading or use of the data must be strictly in accordance with the purpose for which it was originally collected and must be reviewed by a court or an independent administrative authority.
U.S. law takes precedence over the U.S.-EU cross-border data transfer agreements. Section 702 of the U.S. Foreign Intelligence Surveillance Act of 1978 (FISA) and U.S. Executive Order 12333 (EO 12333) are the provisions most in conflict with the EU's personal data protections. FISA Section 702 provides the legal basis for the "PRISM" and "Upstream" surveillance programs, under which intelligence agencies may conduct mass surveillance, including surveillance of non-U.S. citizens outside the United States. Executive Order 12333, signed by former President Reagan in 1981, expanded the surveillance powers of U.S. intelligence agencies and provided the legal basis for a wide range of surveillance practices that go beyond public safety purposes. Moreover, intelligence gathering carried out by U.S. intelligence agencies under E.O. 12333 is not subject to judicial oversight or trial. In general, there is no clear demarcation of the scope of data collection by US intelligence agencies, which directly contradicts the "principle of proportionality" that the EU adheres to.
Implications.
With the continuous promulgation of regulations and standards such as the Measures for Security Assessment of Cross-border Data Transfer, the Measures for Standard Contracts for Cross-border Transfer of Personal Information, and the Implementation Rules for Personal Information Protection Certification, the framework of China's cross-border data transfer security management system has basically taken shape. The more than 20 years of the US-EU game in the field of cross-border data flows have a certain reference value for China's cross-border data governance.
The first is to clarify a comprehensive and balanced concept of cross-border data governance. In the digital era, data is tied to the interests of individuals, enterprises and countries. The confrontation between the US and the EU over data governance reflects their focus on different parties. Drawing on both, China should comprehensively weigh the interests to be protected and shape a more balanced data governance concept. On the one hand, in line with the principles of overall development, security, efficiency and fairness, it should balance the relationship between personal information protection, corporate commercial interests and personal security; on the other hand, government departments should cooperate with domestic Internet enterprises, financial institutions, and large entities in managing cross-border data flows, expand global data management and control capabilities, and establish and improve the governance system for cross-border data flows.
The second is to improve the rules for cross-border data flows. In September 2022, the Measures for the Security Assessment of Cross-border Data Transfer came into effect, which is an important step in the regulatory process of China's cross-border data transfer, and the promulgation of the Measures will further regulate the cross-border data transfer activities, protect the rights and interests of personal information, safeguard the public interest, and promote the safe and orderly cross-border flow of data. In December 2022, the "Opinions on Building a Data Basic System to Better Play the Role of Data Elements" was released, proposing to "coordinate the development and utilization of data and data security protection, explore the establishment of a cross-border data classification and hierarchical management mechanism", "explore the construction of a multi-channel and convenient cross-border data flow supervision mechanism, and improve the multi-departmental coordination and cooperation of the cross-border data flow supervision system". In this regard, it is necessary to further improve the supporting measures for the security assessment of data export, personal information protection certification, and standard contracts for personal information export, open up convenient channels for data export, innovate the security assessment of data export and the standard contract system for personal information export, and adopt a regulatory mechanism that combines "before, during, and after the event" to strengthen risk prevention and security management throughout the life cycle of outbound data.
The third is to actively promote China's data governance position in the international community. The US-EU game over cross-border data reflects the competition for international influence over data governance, and in particular both sides' use of their first-mover advantage to gain a competitive edge in the rules for international cross-border data flows, which leaves China more passive in key areas such as the contest for influence in the digital industry and digital governance. In this regard, on the one hand, China can actively participate in the e-commerce negotiations of the World Trade Organization (WTO) and promote its data governance concept through the WTO platform; on the other hand, it can sign bilateral agreements on data flows with important partners, forming a "package" of institutional arrangements covering personal information protection, data security and network security, technical specifications and standards, and so on, and advocate "increasing capacity and expanding the circle" for China's cross-border data flow rules. In addition, China should take the opportunity of joining the Digital Economy Partnership Agreement (DEPA) to continuously expand its circle of friends for cross-border data cooperation.
Conclusion.
The cross-border transfer of personal data between the United States and the European Union has undergone three institutional arrangements: the Safe Harbor Agreement, the Privacy Shield Agreement, and the EU-US Data Privacy Framework Agreement. The EU-US Data Privacy Framework Agreement has reformed the restrictions on the activities of US intelligence agencies, improved individual remedies, and strengthened review and supervision mechanisms, but because it remains difficult for the EU to restrain US surveillance and the EU's "digital sovereignty" process is accelerating, the regulation of cross-border data flows between the US and Europe is still uncertain, and factors such as the scope of the national security exception also remain a limitation. The cross-border data flow between the United States and Europe has a certain reference value for China's cross-border data governance, and China should further clarify a comprehensive and balanced concept of cross-border data governance, improve its rules for cross-border data flows, and actively promote its data governance position in the international community.