Is It Too Late To Convince Europeans They Can Trust The U.S. With Their Data?

By CHHS Extern Mercedes Subhani

On January 4th, Microsoft announced that it was upgrading its cloud computing service to let European customers store all their personal data only within the European Union. Microsoft claims this move, that will affect Azure, Microsoft 365, Power Platform, and Dynamics 365, is directly aimed to ease customers’ privacy fears of having their information flow into the U.S. where a federal privacy law still doesn’t exist.

This fear of letting their personal data stored in the wild west of the U.S. stems from the Edward Snowden revelations that the American government eavesdropped on people’s online data and communications. Since then, the U.S. has been trying to convince the European Commission that EU citizens’ data will be kept safe. The U.S. was finally successful on July 10, 2023 when the EU adopted its adequacy decision for the EU-U.S. Data Privacy Framework (“Framework”). The EU’s decision “has the effect that personal data transfers from controllers and processors in the Union to certified organizations in the United Sate may take place without the need to obtain any further authorisation.” Despite this transatlantic agreement, Europeans are still not convinced that their data will be kept safe in the U.S. as demonstrated by Austrian privacy activist Max Schrems’ confirmation that his group NOYB will be pursuing legal challenge.

First, although the EU adopted the decision, there is no certainty that the Framework will survive a challenge before the Court of Justice of the European Union. The framework is predicted to be invalidated like its two predecessors was by Max Schrems in Schrems I and Schrems II. Thus, it is very likely that this newly founded EU-US agreement will be invalidated. Secondly, the U.S still does not have a federal data privacy law. The level of data privacy rights an American citizen has, if any, entirely depends on which state they live in. The strongest state privacy law the  U.S has is the California’s Consumer Privacy Act which is still not as protective as the EU’s General Data Privacy Rule. Therefore, not even in the most protective U.S. state can Europeans enjoy the same amount of privacy safeguards as they do in the European Union. Lastly, when the U.S. did try to pass a federal data privacy law, the American Data Privacy Protection Act (“ADPPA”), it still did not fix the root problem Europeans are concerned with which is the U.S. government eavesdropping on people’s online data and communications. ADPPA only targeted the private sector and exempted the public sector of any privacy constraints.

In the current court of public opinion, Europeans have ruled that they cannot trust the U.S. with their personal data. For right now, they are correct in deciding so. However, as Europe presses forward with data rights and the U.S. public grows more concerned about data privacy rights, more politicians will be pressured to respond adequately. We have seen this already with The White House mimicking Europe with its Blueprint for an AI Bill of Rights and how privacy activism organizations have pushed 12 states to pass state data privacy laws with several more states expected to pass their own law in 2024. Eventually, the U.S. will fully regain Europeans’ trust in the U.S with its data.