Is the European GDPR Incompatible With U.S. Privacy Law, Including the Recent U.S. CLOUD Act?

WASHINGTON, June 20, 2018 – Data privacy experts questioned the effectiveness of the European General Data Protection Regulation as a means of regulating international data privacy on the grounds that it may be incompatible with current U.S. policies. At the 2nd Annual Transatlantic Symposium on inf

Is the European GDPR Incompatible With U.S. Privacy Law, Including the Recent U.S. CLOUD Act?
The author of this Expert Opinion is Helge Tiainen, head of product management, marketing and sales at InCoax.

WASHINGTON, June 20, 2018 – Data privacy experts questioned the effectiveness of the European General Data Protection Regulation as a means of regulating international data privacy on the grounds that it may be incompatible with current U.S. policies.

At the 2nd Annual Transatlantic Symposium on information communications technology and policy, industry and policy experts joined to discuss transatlantic data privacy policies such as the GDPR and the 2018 U.S. CLOUD Act, or the Clarifying Lawful Overseas Use of Data Act.

At the event hosted by the Wilson Center, social media giant Facebook also came under attack for the company’s lack of clarity regarding its data privacy policies.

GDPR was approved for the EU in April 2016, with an enforcement date of May 25 2018.  The regulations enact numerous provisions designed to protect consumers’ data privacy, including informed consent, mandatory breach notifications, and right to be forgotten.

Though enacted in the EU, GDPR is likely to have far-reaching effects as it not only applies to companies based in the EU, but any global company that processes personal data of E.U. citizens. That’s how Silicon Valley giants such as Facebook and Google are snared by it.

GDPR is seen as the most massive, large-scale global data privacy regulation law yet.

U.S. CLOUD Act puts new rules on U.S. data use, and conflicts with GDPR

In the U.S., efforts to put new rules on data flow resulted in the CLOUD Act. The law was a response to legal process surrounding the Supreme Court’s consideration of Microsoft v. United States, regarding the U.S. government’s right to retrieve data from Microsoft in Ireland.

In March, Congress amended its laws governing the U.S. government’s power to access data stored overseas. In April, the Supreme Court dismissed the prior controversy as moot under the passage of the new law.

U.K. Regulatory Policy Committee Representative Jonathan Cave explained that the GDPR and CLOUD Act may not work together.

“There are still questions whether the two laws are at all compatible,” Cave said.

The CLOUD Act’s requirements to disclose, preserve, and back up data “conflicts with some of the fair information practice principles: For example, store as little as possible only for the purposes you collected it and for as short a time as possible,” Cave said.
“There are alternatives to this,” he said. “The law was not set up to make U.S. firms find themselves in violation of GDPR. So it is possible to quash an access request if the people involved are not U.S. citizens and if complying with the request would violate the law. But that’s a judicial decision: It’s not in the text of the law, and that is problematic from the European perspective.”

Technology companies profit off the gap between the economic value of private information

Glenn Ricart, founder and chief technology officer of the U.S. Ignite non-profit ground advancing high-bandwidth technology, said that tech companies profit off of the gap between the high economic value of private information and the very low price individuals put on the information.

“We are now building some major world economic companies on this arbitrage,” Ricard said, speaking of the gap. “So the privacy that we don’t realize in some cases we’re giving up is actually powering very powerful commercial organizations in lots of countries.”

“One of the things that we can do as an organization and a cooperation in the transatlantic sense is to think about what is the role of government in modifying [the inequality between the respective worth of private data|. In the EU there is a much larger attempt in trying to understand what that is, educate the populace, and provide some protections, put them into place. In the U.S. there’s … less of an inclination to go do that,” Ricart said.

Recent hearings involving Facebook CEO Mark Zuckerberg in the U.S. and in Europe came into the discussion regarding regulation, as Cave spoke of the dangers of “competition and competition policy.”

“My reading of Zuckerberg’s appearance before the European Parliament, and also before the Senate, is that it was a plea for regulation,” Cave said.

“If your behavior and your ability to act go at variance so that people don’t opt away from large data entities whose behavior they don’t like, then market forces won’t resolve the problem,” he said. “Regulation won’t resolve the problem either.” He advocated for a combination of the two instead as a viable solution.

According to Ricart, the Zuckerberg testimony “didn’t even get into the many ways in which Facebook uses sells, [and] trades information with lots of other countries, lots of other companies.”

“I think it’s that business being so far out in advance of general understanding–governmental understanding,” Ricart said. “We’re in catch up mode here.”