In March 2022, the EU and the U.S. struck an understanding on a revamped Privacy Shield data transfer agreement. The goal?
To allow Europeans’ personal data to flow to the U.S. once again, following the invalidation of the Privacy Shield agreement in July 2020.
At the time, there were fears data was not safe from access by American agencies once transferred across the Atlantic.
Here’s how we got to this stage.
The End of the Privacy Shield
In December 2020, the Commerce Committee of the U.S. Senate held a hearing on the July 2020 Schrems-II decision, impacting the future of U.S.–EU data flows.
The committee invited five experts to give evidence and respond to the senators’ questions.
Back then, with the invalidation of the Privacy Shield, it was unclear when a new international agreement would come into play.
While we now know it will likely be March 2023, the experts’ 2020 insights were revealing.
The Need for a Data Flow Agreement
The Privacy Shield was the most cost-effective and easy-to-use framework for data-related international trade.
When the Schrems-II decision ended it in 2020, experts and senators stressed the need for a new data flow agreement – soon.
It was particularly urgent to allow small business owners to continue international trade.
After all, they make up over 70% of Privacy Shield certified companies and are essential to the U.S. economy.
At the hearing, James Sullivan, Deputy Assistant Secretary for Services with the International Trade Administration of the U.S. Department of Commerce, said his team was already working with the European Commission to discuss a replacement Privacy Shield.
He noted ongoing all-party talks, including within the OECD, to find common ground on government access restrictions.
Meanwhile, FTC Commissioner Noah Phillips explained the increased legal uncertainty and costs for businesses following the Privacy Shield invalidation.
The key to re-establishing data flows, he said, was in establishing a transparent exchange between legal frameworks around the world, and particularly between Europe and the U.S.
Strong Data Privacy Protections
Victoria Espinel, President and Chief Executive Officer of BSA – The Software Alliance, told the committee that data trade often takes place without consumers being aware of it: perhaps when using email, exchanging HR data or shopping online.
She said consumers should be able to rely on effective and strong data privacy protections. She noted that some level of signals intelligence by governments might be required.
Privacy Shield: an Academic View
Professors Peter Swire and Neil Richards both spoke at the court proceedings leading to the Schrems-II decision. Swire said he believed the U.S. did offer an equivalent level of protection under the Privacy Shield.
Some improvements could be made to individual rights under U.S. surveillance laws, he admitted.
He advocated for a short-term, temporary deal to be approved before the end of the Trump Administration.
This would buy time for a bigger and broader agreement to be negotiated. That could then involve legislative change in the U.S. and possibly in Europe.
Richards encouraged the U.S. to seek an EU adequacy decision, and to initiate both privacy and surveillance law reform.
He said this would be the best solution for U.S. small businesses, creating added value for the economy.
The Schrems-II decision should be seen as an opportunity, he said, giving the U.S. the chance to regain leadership in privacy and data protection.
U.S. Federal Privacy Law
During the Q&A, there was clear support for developing a U.S. federal privacy law. Many members of the committee thought it should be a priority of the Biden Administration.
It may not solve all challenges, but adopting a strong federal privacy law would send a positive signal to the EU, increasing trust in the U.S.
Richards stressed the current U.S. system of ‘notice and choice’ is no longer adequate. ‘Choice’ is often illusory, he said, and ‘notice’ is often unclear.
Surveillance Reform for Data Flow
Espinel said the way forward was to create a global group of countries that share the same values, in order to reach agreement on what can and cannot be allowed in terms of government access to personal data.
This raised issues of data localization, which some in the EU favor. But senators and experts thought data localization was ineffective in today’s global and digital economy.
Plus, it increases the cost of doing business.
Among like-minded countries, data localization requirements should not be needed.
The recording of the hearing and the experts’ written evidence are available via the website of the U.S. Senate.
Hot Hot Hot – Executive Order – Start your Privacy Engines
Listen as Dr. K Royal and co-host Paul Breitbarth distill the various events that comprise the Executive Order (fact sheet, along with the information on the European Commission site), the Department of Commerce statement, the Department of Justice final rule from the Office of the Attorney General on the Data Protection Review Board, and NOYB’s response.
As expected, and as TrustArc predicted, companies that remained in the Privacy Shield will have a transition plan.