|
|
In July 2023, the European Commission published an adequacy decision on the EU-US Data Privacy Framework (DPF) – the third attempt to broker a lasting agreement on transatlantic data transfers. While the DPF has made important strides compared to its predecessors, it’ll likely face yet another challenge before the Court of Justice of the European Union (CJEU). To mitigate the risks of another disputed agreement, the EU and US should turn to a toolbox approach to cross-border data transfers – starting with joint R&D investment in Privacy-Enhancing Technologies (PETs).
The stakes of this recurring failure are high – according to AmCham EU, cross-border data flows account ‘for more than half of Europe’s global data flows and for half of the US’ total,’ and 90 % of EU-based companies rely on transatlantic data flows. Most importantly, without an agreement, transatlantic data transfers are more susceptible to legal uncertainty, putting the fundamental rights of European citizens at risk.
The EU and US are closer than they seem when it comes to data privacy. They both participate in multilateral initiatives to facilitate cross-border data flows, including the December 2022 OECD Declaration on Government Access to Personal Data Held by Private Sector Entities and the G7’s Data Free Flow With Trust Initiative (DFFT). While the EU has gone further through the GDPR, US public authorities can leverage several domain-specific initiatives, alongside privacy enforcement by the Federal Trade Commission. However, this fragmented approach leads to different levels of protection which are not always up to EU legal standards.
Different legal approaches to privacy and data protection make it difficult to address this issue only through legal avenues. Here, PETs can play a crucial role.
PETs are defined by the OECD as ‘a collection of digital technologies and approaches that permit the collection, processing, analysis and sharing of information while protecting the confidentiality of personal data.’ They can serve several functions including obfuscating and hiding information, enabling computations on encrypted data, or facilitating collaborative machine learning (ML) on decentralised data. In cases where the transfer of personal data is inevitable PETs can serve as a robust privacy-preserving mechanism.
Among the most relevant are Federated Learning (FL) and Differential Privacy (DP). Federated Learning allows participants to share the model but not the data when training an ML model – reducing the need for centralised data storage and processing. Differentially private techniques add noise to a raw dataset to obfuscate the details of individual inputs without compromising the data’s overall utility. This allows for the study of larger trends within a dataset while minimising the risk of re-identifying individual data. As new challenges to privacy emerge with the rapid advancement of ML and Large Language Models (LLM), DP and FL (among other PETs) could serve as data protection building blocks.
The OECD, G7 and the UN have all recognised the role of PETs in data transfers through various initiatives – including the G7’s forthcoming Institutional Arrangement for Partnership (IAP) which specifically mentions PETs. They’re not unknown to EU and US regulators, either. Several GDPR articles refer to or cover their use, and ENISA has deep expertise on data protection engineering.
In the US, the White House Office of Science and Technology Policy released a ‘National Strategy to Advance Privacy-Preserving Data Sharing and Analytics’ in March 2023 which included several references to PETs. The October 2023 US Executive Order on AI also dedicated an entire section to protecting privacy, specifically mentioning PETs.
At the transatlantic level, the Third EU-U.S. Trade and Technology Council (TTC) Ministerial joint statement in December 2022 committed both to ‘work on a pilot project to assess the use of privacy-enhancing technologies’ in the health sector. While there appears to be little progress, the TTC could still help to further this work.
To be sure, PETs playing an important role in providing ‘privacy by design’ shouldn’t be understood as an argument for techno-solutionism. In the DPF’s specific case, persistent issues raised by the EDPB and privacy activists won’t be resolved by technology – these are deeply engrained legal issues related to the US government’s broad surveillance toolkit. Any privacy regime’s priority should be to reduce the collection of personal data in the first place, and legal frameworks are necessary to make the deployment of PETs beneficial for individuals.