The EU-US Data Privacy Framework is a sitting duck. PETs might be the solution

In July 2023, the European Commission published an adequacy decision on the EU-US Data Privacy Framework (DPF) – the third attempt to broker a lasting agreement on transatlantic data transfers. While the DPF has made important strides compared to its predecessors, it’ll likely face yet another challenge before the Court of Justice of the European Union (CJEU). To mitigate the risks of another disputed agreement, the EU and US should turn to a toolbox approach to cross-border data transfers – starting with joint R&D investment in Privacy-Enhancing Technologies (PETs).

The stakes of this recurring failure are high – according to AmCham EU, cross-border data flows account ‘for more than half of Europe’s global data flows and for half of the US’ total,’ and 90% of EU-based companies rely on transatlantic data flows. Most importantly, without an agreement, transatlantic data transfers are more susceptible to legal uncertainty, putting the fundamental rights of European citizens at risk.

The EU and US are closer than they seem when it comes to data privacy. They both participate in multilateral initiatives to facilitate cross-border data flows, including the December 2022 OECD Declaration on Government Access to Personal Data Held by Private Sector Entities and the G7’s Data Free Flow With Trust Initiative (DFFT). While the EU has gone further through the GDPR, US public authorities can leverage several domain-specific initiatives, alongside privacy enforcement by the Federal Trade Commission. However, this fragmented approach leads to different levels of protection which are not always up to EU legal standards.

Different legal approaches to privacy and data protection make it difficult to address this issue only through legal avenues. Here, PETs can play a crucial role.

PETs are defined by the OECD as ‘a collection of digital technologies and approaches that permit the collection, processing, analysis and sharing of information while protecting the confidentiality of personal data.’ They can serve several functions, including obfuscating and hiding information, enabling computations on encrypted data, or facilitating collaborative machine learning (ML) on decentralised data. In cases where the transfer of personal data is inevitable, PETs can serve as a robust privacy-preserving mechanism.

Among the most relevant are Federated Learning (FL) and Differential Privacy (DP). Federated Learning allows participants to share the model but not the data when training an ML model – reducing the need for centralised data storage and processing. Differentially private techniques add noise to a raw dataset to obfuscate the details of individual inputs without compromising the data’s overall utility. This allows for the study of larger trends within a dataset while minimising the risk of re-identifying individual data. As new challenges to privacy emerge with the rapid advancement of ML and Large Language Models (LLMs), DP and FL (among other PETs) could serve as data protection building blocks.

The OECD, G7 and the UN have all recognised the role of PETs in data transfers through various initiatives – including the G7’s forthcoming Institutional Arrangement for Partnership (IAP) which specifically mentions PETs. They’re not unknown to EU and US regulators, either. Several GDPR articles refer to or cover their use, and ENISA has deep expertise on data protection engineering.

In the US, the White House Office of Science and Technology Policy released a ‘National Strategy to Advance Privacy-Preserving Data Sharing and Analytics’ in March 2023 which included several references to PETs. The October 2023 US Executive Order on AI also dedicated an entire section to protecting privacy, specifically mentioning PETs.

At the transatlantic level, the Third EU-U.S. Trade and Technology Council (TTC) Ministerial joint statement in December 2022 committed both to ‘work on a pilot project to assess the use of privacy-enhancing technologies’ in the health sector. While there appears to be little progress, the TTC could still help to further this work.

To be sure, the important role PETs play in providing ‘privacy by design’ shouldn’t be understood as an argument for techno-solutionism. In the DPF’s specific case, persistent issues raised by the EDPB and privacy activists won’t be resolved by technology – these are deeply engrained legal issues related to the US government’s broad surveillance toolkit. Any privacy regime’s priority should be to reduce the collection of personal data in the first place, and legal frameworks are necessary to make the deployment of PETs beneficial for individuals.

Most PETs aren’t technologically mature enough yet to be deployed. There’s also a lack of understanding and regulatory guidance for their use. It’s clear that they’re not a ‘silver bullet’ for data protection – nor can they overcome other issues such as ineffective redress mechanisms. Importantly, PETs shouldn’t lead to a lowering of current EU standards but rather help to uphold them. More than anything, these obstacles reveal a need for more R&D to understand how these technologies can fit into a broader toolkit of privacy-preserving techniques.

The EU and US should undertake two concrete steps to advance their R&D in PETs. First, they should revive the TTC workstream and launch an initiative modelled on the US-UK PETs Prize at the next TTC Ministerial (which the EU will host this spring).

They should also collaborate through the PETs-focused Research Coordination Network (RCN) announced in the October Executive Order. The US should expand this effort to an international partnership where EU and US technologists can advance R&D in PETs together. By mid-2025, the TTC and the RCN could develop a ‘whitelist’ of promising PETs for cross-border data transfers and feed their work into multilateral efforts, such as the UN’s PET Lab or the G7’s IAP.

The EU and US should continue to refine domestic regulatory guidance on PETs and clarify how their development, implementation, and deployment can bolster accountable privacy practices, domestically and for cross-border data transfers.

While PETs won’t singlehandedly overcome long-standing legal frictions, they can strengthen the EU and US’ trust-building initiatives within multilateral forums and continue to foster transatlantic convergence on data protection practices. By spearheading joint investment and providing clear guidance to regulators, such collaboration can significantly advance the use of PETs for cross-border data transfers.

With several existing levers already in place and political will on both sides of the Atlantic, now is the time to innovate – before the CJEU strikes again.

About the author

Camille Ford is a Researcher in the Global Governance, Regulation, Innovation and Digital Economy (GRID) unit at CEPS. Camille’s work at CEPS centers primarily on the Trade and Technology Dialogue, overseeing analysis, events and stakeholder engagement activities supporting the EU-U.S. Trade and Technology Council and its ten Working Groups.
