WASHINGTON – As data is transferred around the globe, dozens of countries are creating barriers to cross-border data flow, but a number of U.S. business and technology experts say the result will reduce international commerce and increase costs.
Instead, they said, the U.S., European Union and Asian countries should create an “interoperable framework.”
Denise Zheng, vice president of Business Roundtable, a group of chief executive officers of major U.S. corporations, recently told a Senate technology subcommittee that the global patchwork of privacy requirements creates a “compliance nightmare” for companies that have international operations.
The trend of data localization is increasing as countries are forcing firms to store data locally, inhibiting the free flow of information, to ensure data privacy and cybersecurity, said Roslyn Layton, a visiting scholar at the conservative American Enterprise Institute.
More than 35 countries have erected barriers to restrict cross-border data flows, according to data from the Information Technology and Innovation Foundation.
Data localization will diminish competition and international commerce and will make it costly for companies to comply with the myriad national regulations, former Homeland Security Secretary Michael Chertoff told the Senate hearing. The best way to avoid such barriers is to cooperate and build consensus with other democratic countries and develop uniform laws to protect the rights of data users across international borders, he said.
For instance, the EU enacted a General Data Protection Regulation in April 2016, which requires businesses to protect the personal data and privacy of EU citizens in transactions that occur within EU member states.
However, the European law hurts American businesses, said Layton, citing decisions by Williams-Sonoma and Pottery Barn to no longer sell in the EU because of the cost and complexity of the GDPR, which hurts competitiveness.
Instead of adopting each other’s data privacy standards, the U.S. and other countries could create the interoperable privacy framework by “tying enforcement to contracts,” Daniel Castro of the Information Technology and Innovation Foundation said. Under this framework, the Europeans could maintain their strong data protection rules, but if they send the data to a U.S. company, the contract would guarantee that the U.S. company doesn’t need to comply with the EU rule and would be protected against potential EU penalties.
A framework for such an agreement between the U.S. and EU could be the EU-U.S. Privacy Shield, said Castro. Created by the U.S. Department of Commerce and the European Commission in 2016, it provides companies with a mechanism to comply with data protection requirements when transferring customers’ personal data from the EU to the U.S. U.S.-based companies can opt in voluntarily, but once they have joined the framework, the commitment becomes enforceable under U.S. law.
In a related effort to modernize U.S. data privacy laws, Sens. Amy Klobuchar, D-Minn., and John Kennedy, R-La., introduced the Social Media Privacy and Consumer Rights Act of 2018 in April to ensure users’ right to know what information has been collected and shared. Users also would be given the right to opt in or out of the data sharing and have remedies if a privacy violation occurred.
Layton applauded the bill’s provision to create a safe harbor for innovations so that tech firms wouldn’t be punished for the trials and errors inherent in trying to create breakthroughs. The bill also should set rewards and penalties to encourage both competition and protection of consumers’ data, she said.
Castro said the bill could be costly for companies. Right now, the best way for many online services to monetize is targeted advertising, which depends on access to consumer data. If the bill grants consumers the right to opt out of data sharing and still enjoy the free service, it will be like “giving the diners the option to opt out of paying for the meal, and you can’t deny serving them,” he said.