Photo illustration by John Lyman



The EU Cuts Data Flows from the World. The U.S. Shouldn’t Hold the Knife.

In our digital age, you have to think of computers, phones, and the Internet as the veins of the world economy, and the data coursing through them as the blood sustaining the entire system. Just as blood is necessary to keep the body alive and maturing, so is data essential for innovation and economic growth. It’s the key to a well-functioning, interconnected global economy.

With that in mind, it’s fair to say that the European Union has blood on its hands.

The EU implemented the General Data Protection Regulation (GDPR) in 2018 to protect EU citizens from private companies abusing their personal data hosted online. The law prevents selling consumers’ data without their permission, and gives consumers the right to request their data, and requires companies to implement a standardized minimum of security to prevent it from being stolen. While very well-intentioned, the measure has created mixed results, and it comes at quite a cost. It delayed or stopped entirely critical data flows between nations. And the countries this has affected most are the United States and the United Kingdom.

Thankfully last month, the UK recommended taking steps away from this misguided policy. But the U.S. seems bound to match the EU with its own equivalent regulation as evidenced by tech bills like the ACCESS Act currently going through the U.S. Congress. This is the wrong approach to take. Requiring companies to meet a certain standard cuts innovation and ends up doing more harm than good. Instead, the U.S. should negotiate directly with the EU to fix the flaws of the GDPR.

The United States holds companies responsible for securing and transferring clients’ personal data with a significantly lighter burden than the GDPR. This allows companies to customize security to their customer base — which means companies are on the hook and can be sued by the client if they mishandle their data.

That’s not how things work over the pond. In Europe, the EU has agreements on creating open data flows, but does not apply it to personal data. Personal data falls under special conditions that companies and other entities must comply with to avoid fines. This played out in Portugal this year when the EU ordered the country’s national statistics agency to stop using Cloudflare, an American company. Since the company did not process the data in Europe, they were not allowed to service Portugal. Security and privacy in personal data are significant concerns, but the EU’s restrictions are too harsh for the modern economy. These restrictions could annually cost the EU €9.3 billion in lost e-commerce services, €172 billion in transactions, and €8.9 billion in income from clinical trials. Additionally, outsourcing work to international partners that require data transfers to function could increase labor costs between €25.5 and €91.7 billion for European companies. The EU is set up to lose with its continued digital isolation from the world.

Open data flows are a key component of the international digital economy, and they are absolutely massive. Over 3 zettabytes of data, or 3 trillion gigabytes, were estimated to have traveled over the Internet in 2020. Data flows contributed a total of $2.8 trillion to the global economy in 2014. They are estimated to reach a value of $11 trillion by 2025. The economic boon to the world is apparent and growing exponentially — the question now is how to balance data security with the economic benefits of freely transferring data. There are trade-offs: Too many security requirements, like what exists in the EU, inhibit innovation and growth, while too little risks treating personal data as public, as the EU claims of the United States.

The United States’ response to this has been to join the EU in a race to the bottom by bringing legal standards more closely matched to the EU. Many of the concepts brought by Congress are commendable initiatives, such as data portability between social media companies by customers switching services as introduced in the ACCESS Act. But requirements tied to the regulation, like mandates on what security measures a company needs to take to facilitate data portability, are counterproductive. The issue is the same as the GDPR: Requiring what companies must and mustn’t do to make data secure usually ends up doing more harm than good. Rather than encoding these requirements in law, it would be much better to take soft-law approaches, which have already accomplished what the ACCESS Act is seeking to achieve.

What the EU has done, and the United States is close to doing, risks the flow of data to the world. Rather than closing ourselves off from each other, the U.S. and the EU need to encourage more efforts in what the private sector is already accomplishing. It’s fantastic to see President Biden put data transferability with the EU as a top priority. What’s worrisome is his willingness to match the EU and put a shackle on innovation.