Is the EU worth the trouble?
Not entirely unexpected Ben Thompson has a slightly different view on the Schrems II ruling [subscribers only] that i discussed here last week. His analysis places the ruling in the context of the larger more regulation benefits dominant players that can more easily shoulder the cost of regulatory compliance argument (that also constitutes the core of his criticism of the GDPR):
Speaking of Facebook, many of the usual suspects are hailing [Schrems II] as a loss for the social network in particular, which makes sense given that the underlying case was explicitly about Facebook’s transfer of data. It seems pretty obvious, though, that the implications are going to be similar to GDPR: pain on an absolute basis for Facebook and other Internet giants, but far greater pain on a relative basis for basically everyone else, including would-be competitors.
Even once SCCs are knocked out, though, the solution for a company like Facebook is pretty obvious: simply build out data centers in the E.U. that import algorithms and machine learning models from the U.S., while doing all data processing locally. Sure, this is going to be more expensive and less effective than treating all Facebook data the same, but Facebook can afford it — as can Google, Microsoft, Amazon, Apple, etc. Things will be much more difficult for smaller sized companies; expect increased reliance on the big cloud providers to offer geographic data management as a service.
Still, while this is obviously another reason for the U.S. to consider its own national privacy law (which, notably, is the best way to address The TikTok War), the biggest losers are likely to be European citizens. Not only will this ruling reduce the likelihood of services entering the E.U. market, but another casualty will be companies considering opening E.U. offices, or hiring E.U.-based personnel. Is it really worth it to run a separate data center for that free-lancer in Belgium, or that five-person team in Berlin — not to mention the increased legal risk that comes with local operations for sales and services from the U.S.? If you’re not a big company, it’s increasingly hard to see how the E.U. is worth the trouble; perhaps E.U.-based companies will pick up the slack.
So what Thompson is missing here is that from the EU perspective this outcome looks more like a feature than a bug. In the long term a EU digital strategy cannot be based on foreign “services entering the E.U. market”, but must be based on EU services operating from a strong home market (even with the UK gone, the EU still has a population of 445 million). Having strong privacy rules in place and requiring an equal level of protection from government surveillance for anyone touching personal data from EU data subjects can (and should) be a competitive advantage. Especially since nothing in the Schrems II ruling should prevent EU based services from processing data from outside of the EU in the EU even it comes from countries where government surveillance is rampant.