Domesticating the “foreign” in making transatlantic data privacy law

Abstract

Research shows that in the data privacy domain, the regulation promoted by front-runner states in federated systems such as the United States or the European Union (EU) generates races to the top, not to the bottom. Institutional dynamics or the willingness of major interstate companies to work with a single standard generally creates opportunities for the federal lawmaker to level up privacy protection. This article uses federalism to explore whether a similar pattern of convergence (toward the higher regulatory standard) emerges when it comes to the international arena, or whether we witness a more nuanced picture. I focus on the interaction of the European Union with the United States, looking at the migration of legal ideas across the (member) state jurisdictions with a focus on breach notification statutes and privacy officers. The article further analyzes recent developments such as the invalidation of the Safe Harbor agreement and the adoption of a Privacy Shield. I argue that instead of a one-way street, usually conceptualized as the EU ratcheting up standards in the United States, the influences between the two blocs are mutual. Such influences are conditioned by the receptivity and ability of domestic actors in both the United States and the EU to translate, and often, adapt the “foreign” to their respective contexts. Instead of converging toward a uniform standard, the different points of entry in the two federated systems contribute to the continuous development of two models of regulating commercial privacy that, thus far, remain distinct.