The U.S. Department of Commerce and the European Commission announced Monday that they have initiated discussions "to evaluate the potential for an enhanced EU-U.S. Privacy Shield framework to comply with the July 16 judgement of the Court of Justice of the European Union in the 'Schrems II' case." Last month's decision invalidated Privacy Shield and placed additional due diligence requirements on companies transferring European citizens' data to non-EU countries through standard contractual clauses. 

In the joint press statement, European Commissioner for Justice Didier Reynders and U.S. Secretary of Commerce Wilbur Ross highlighted the "vital importance of data protection and the significance of cross-border data transfers" to both regions. "As we face new challenges together, including the recovery of the global economy after the COVID-19 pandemic, our partnership will strengthen data protection and promote greater prosperity for our nearly 800 million citizens on both sides of the Atlantic." 

More than 5,000 companies were participating in the Privacy Shield arrangement in order to conduct trans-Atlantic data transfers before it was invalidated last month. 

On Monday, Reynders also tweeted, "I will now work closely with national data protection authorities and the @EU_EDPB. I will also reach out to my U.S. counterparts and look forward to working constructively with them to develop a strengthened and durable transfer mechanism." 

July's decision from the CJEU focused on U.S. government access to EU citizens' data that is transferred by companies back to the U.S. and the ability for EU citizens to have judicial redress. Specifically, the CJEU found that U.S. surveillance programs were not limited to what is strictly necessary and proportional as required by EU law and that EU citizens did not have actionable judicial redress in the U.S. 

"This is a very interesting development," said Hogan Lovells Partner Eduardo Ustaran, CIPP/E. He characterized the news as "a positive development for the privacy community to see that the EU and U.S. have not given up their attempts to get this right." 

In light of the "Schrems II" case, the U.S. government would likely have to make changes to its surveillance laws, particularly within the Foreign Intelligence Surveillance Act, Executive Order 12333 and PPD-28. 

However, Morrison & Foerster's Robert Litt, who served as the former general counsel for the U.S. Director of National Intelligence during the Privacy Shield negotiations, said a political solution is needed. 

In an email to The Privacy Advisor, Litt said, "It is good that negotiations have restarted because a political solution is the only way to reconcile the competing interests of commerce, privacy and national security. There is a lot that the U.S. can do without legislation by way of transparency, some enhanced procedures, and a stronger and more independent redress regime, but the EU must recognize that we have a different legal system. And it’s important that companies affected by this decision on both sides of the Atlantic get involved and have their voices heard." 

DLA Piper Partner Andrew Serwin, CIPP/A, CIPP/C, CIPP/E, CIPP/US, CIPM, CIPT, said, "there is a potential path forward if there is a focus on both the scope of surveillance, including oversight, as well as all the remedies that are available." Leading up to the "Schrems II" case, Serwin provided the Irish Data Protection Commission a memorandum on U.S. surveillance law in the Irish High Court Case. He also testified in the High Court proceeding and recently wrote a white paper for the IAPP on the history of U.S. surveillance law. 

Though Serwin indicated some optimism with Monday's news, he noted "there are some systemic issues that may be difficult to address." 

In a Privacy Perspectives post last week, Serwin noted that understanding "how and when the U.S. government can utilize Section 702, as well as Executive Order 12333, both focal points of the CJEU's decision" along with "PPD-28 and Executive Authority generally" may help in a potential way forward. 

In his comments to the IAPP Monday, Serwin pointed to "Increased roles for inspectors general, an enhanced ombudsperson, additional safeguards around surveillance, as well as other potential remedies all represent potential paths forward and all should be explored as part of the inevitable negotiations." 

"Striking the right balance on the enhancements will be critical if we are going to solve these issues," Serwin said. 

Looking at the history of EU-U.S. data transfers in the last 20 years, first with Safe Harbor, then with Privacy Shield, and the fact that both adequacy decisions were struck down by the CJEU, a path forward to a "Privacy Shield 3.0" may well be a difficult one. 

Max Schrems, who successfully challenged Safe Harbor and Privacy Shield, suggested that the U.S. will need to change its surveillance laws or face a third challenge in court. 

So the @SecretaryRoss and @EU_Justice are (A) working on changing US surveillance laws or (B) working on the third beating by the #CJEU?! 🤔#SchremsII #PrivacyShield https://t.co/E1LXaKgTBQ

— Max Schrems 🇪🇺🇦🇹 (@maxschrems) August 10, 2020

Ustaran summed up the current situation: "The 'Schrems II' decision makes it clear what the focus of any enhancements needs to be: greater limitations on surveillance powers and effective remedies for individuals." 

"It is now up to the imagination and efforts of the U.S. government and the European Commission to come up with formulas to achieve that." 

Photos by Ben White and by Christian Wiediger on Unsplash