On 9 December, the Commerce Committee of the U.S. Senate held a hearing on the consequences of the Schrems-II decision and the future of U.S. – EU data transfers. The Committee invited five experts to provide evidence and respond to the Senators' questions. The hearing made clear there is no consensus yet on a new international agreement to replace the invalidated Privacy Shield. At the same time, both experts and Senators seemed to agree such an agreement is needed sooner rather than later, especially to allow small business owners to continue international trade. Small businesses made up over 70% of Privacy Shield certified companies, the Commerce Committee was told, and are essential for the U.S. economy.
James Sullivan, the Deputy Assistant Secretary for Services with the International Trade Administration of the U.S. Department of Commerce, explained he and his team were in regular contact with the European Commission to discuss a replacement Privacy Shield, and also confirmed the Biden Administration transition team was kept up-to-date on progress being made. He recognised one of the issues to be solved is government access to data, but stressed that from his perspective, liberal democratic countries should be able to reach agreement on this point, and clearly distinguish such access from the access demanded by non-democratic countries. He also referred to ongoing multilateral discussions, including within the OECD, to find common ground on government access restrictions.
FTC Commissioner Noah Phillips explained the increased legal uncertainty and costs for businesses following the Privacy Shield invalidation. The Privacy Shield was the most cost-effective and easy-to-use framework for data-related international trade, and a replacement is indeed needed. Interoperability between legal frameworks around the world, and especially between Europe and the United States, should be a priority for the incoming administration. He also referred to other successful examples of interoperability, including the APEC CBPR mechanism.
The next expert, Victoria Espinel, President and Chief Executive Officer of BSA – The Software Alliance, told the Committee that data trade often takes place without consumers being aware of it, be it when using email, exchanging HR data or buying something online. She stated consumers need to be able to rely upon effective and strong privacy protections, while recognising that some level of signals intelligence by governments might be required in a democratic society.
The final two experts provided a more academic point of view. Professors Peter Swire and Neil Richards both gave evidence during the court proceedings that led to the Schrems-II decision, and only gave brief summaries of the written evidence provided to the Senate Commerce Committee. Mr. Swire confirmed that in his view the U.S. did offer an essentially equivalent level of protection under the Privacy Shield, even though some improvements could be made with regard to individual rights under U.S. surveillance laws. He also stressed the need for the U.S. to understand that a lot of the issues under discussion in the Schrems-II case relate to EU constitutional protections [TrustArc note: the Charter of Fundamental Rights forms an integral part of the foundational treaties of the European Union]. He advocated for a short-term, temporary deal, to be approved before the end of the Trump Administration, that would buy time for a bigger and more encompassing agreement to be negotiated. That agreement could then also involve legislative change on the U.S. side, and possibly on the European side as well.
Mr. Richards on the other hand advocated for the U.S. to pursue an EU adequacy decision, and to initiate both privacy and surveillance law reform to this end. Obtaining an adequacy decision would be the best solution for U.S. small businesses and create a lot of added value for the economy. The Schrems-II decision should be seen as an opportunity, he explained, and could provide the U.S. with a chance to regain their leadership in privacy and data protection.
During the Q&A it was apparent that the development of a U.S. federal privacy law has broad support, and many members of the Commerce Committee seem to agree this should be a priority of the Biden Administration and the next Congress. Even if it would not solve all the challenges raised by the CJEU in the Schrems-II case, adopting a strong federal privacy law would send a positive signal to the EU and increase trust in the U.S. system. Of note was the remark by Prof. Richards that the current U.S. system of ‘Notice and Choice’ is no longer adequate. The choice provided is often illusory (for example, the school deciding which platforms are to be used for online teaching) and the notice provided is insufficiently clear and to the point.
Senators were less vocal about the need for surveillance reform, although ranking member Senator Cantwell (D-WA) advocated for more transparency on FISA Court decisions. Ms. Espinel advocated multiple times to create a global group of countries that share the same fundamental values, in order to reach agreement on what can and cannot be allowed in terms of government access to personal data.
A major topic of discussion was the risk of data localisation, which some EU voices currently seem to advocate. Both Senators and experts agreed that data localisation in the end is not very effective in today’s global and digital economy, while it does significantly increase the cost of doing business. Especially among like-minded countries, data localisation requirements should not be needed, was the consensus.
The recording of the hearing is available via the website of the U.S. Senate. The written evidence of the experts, as well as any follow-up exchanges between the Senators and the experts, will be made available via the same page.