
Karlin Lillington: Hard to see how EU-US data-exchange deal can be reliable data bridge

Net Results: US security laws lax on surveillance and data gathering

Three years after the General Data Protection Regulation (GDPR) came into force in the EU, problems loom in the two big markets that exchange data with the EU: the US and UK.

The US really needs a strong, coherent federal privacy law. And the UK has laws, but questionable implementation, as evidenced by anti-privacy findings from several EU court cases. But time keeps ticking by.

In failing to tackle these issues, both face potentially crippling data-exchange threats to trade if they are not deemed “adequate” in terms of the protections they afford EU data, as required by GDPR.

Although the European Commission has made regular soothing noises about data exchanges remaining safe and adequate, such reassurances are flimsy protections against decisions emerging from the EU's courts, particularly the European Court of Justice (ECJ).

The most gaping US hole is its security laws that allow surveillance and data gathering without the safeguards and provision for redress of European law.

Given disclosures from Edward Snowden on the scale of US mass surveillance, utilising the sea of data sucked in by US-based multinational social media and technology giants, it remains difficult to accept US arguments that EU user data can be kept separate and given protections not afforded US citizens.

Without a federal privacy law, and some significant changes to US security laws, it’s hard to see how the existing EU-US data exchange agreement, Privacy Shield, can serve as a reliable data transport bridge between the US and EU.

Legislative landscape

The US had seemed ready to pass a national law, especially as more and more states enact their own legislation, creating a messy, piecemeal legislative landscape. But such efforts – which even managed to be bipartisan – have stalled. Various theories have been advanced as to why, but to me, the most likely explanations are the Biden administration’s initial focus on the pandemic and the economy.

In addition, the drive towards better privacy law in the US emerged from outrage at Big Tech and social media platforms. We’ve had several months now without any major dramas to stir up voters and hence political focus on the need for a federal privacy law.

At the state level, however, developments have continued apace, which might sound promising, but isn’t. California has the strongest, most GDPR-like privacy law, but many of its provisions (the powerful ones that really alarm businesses used to less stringent privacy protections) don’t come into effect until 2023.

Meanwhile a raft of other states – 20 of them – are preparing privacy laws. That might seem a good thing but, according to US tech watchdog The Markup, 14 of those 20 proposals are similar to or weaker than an industry-lobby-supported law passed in Virginia.

"The Bills are backed by a who's who of Big Tech–funded interest groups and are being shepherded through statehouses by waves of company lobbyists," according to The Markup, which notes that industry experts say "the ultimate goal is to prompt federal legislation that would potentially override California's privacy protections".

Data-compliance problems

This could end up a ludicrous own-goal by industry. Surely Americans will not be satisfied that the same companies give Europeans far better protections. And a federally driven, two-track, data-management approach will hardly reassure the EU or its courts, which already have concerns about EU data ending up in the existing and problematical, alternative US data-management universe. And at the end of the day, those opaque US security laws are still there, too. None of this bodes well for data transfers.

The UK has its own unique EU data-compliance problems, many created by its security laws that give enormous data-gathering and surveillance scope to Government Communications Headquarters (GCHQ) – with even fewer restraints than are imposed on its US equivalent, the National Security Agency (NSA).

But this is only part of the data-gathering story in a nation with the highest per capita level of installed CCTV surveillance in the world. If you want a single, immediate example of just how problematical and non-transparent the UK data-gathering environment is right now, consider the plan to pull the entire medical history of all patients in England's GP practices into a giant database to be shared with third parties.

This is being done without any national discussion and on short notice – English citizens have only a narrow window of weeks in which to withdraw consent. Data is “anonymised”, but that only means pseudonymised – many studies have shown how easy it is to reconnect “anonymised” data to individuals.

How would such a project have satisfied GDPR’s protections? But then, the EU law no longer applies. The UK still has its own GDPR implementation, but that hasn’t prevented this rush-job data grab. The project is not going to be a reassuring marker on the UK’s road to a needed EU data protection adequacy determination.

And yet both the US and UK need such a determination. It’s anyone’s guess how those governments will attempt to square their respective data adequacy circles.