The privacy community here in Brussels continues to closely follow the latest developments in the transatlantic data transfer talks between the EU and United States. Officials from the U.S. Department of Commerce and European Commission today again expressed optimism here at the Computers, Privacy, and Data Protection conference that a deal would be reached in the coming days, but the opinion of the EU’s data protection regulators - the Article 29 Working Party - remains unknown and potentially ominous for an agreement.
“We are working hard on this topic,” said Isabelle Vereecken, privacy and data protection legal advisor at the Belgian Privacy Commission. “We are fully aware that companies are trying to comply, and we know there is a lot of tension,” she said, but added, “This is an opportunity to find new solutions without undermining fundamental liberties.”
Taking a brief break from the transatlantic negotiations, representatives from the Commission and DoC joined a panel on the future of Safe Harbor. Seated next to the European Commission Head of Unit for DG Justice Bruno Gencarelli, DoC Deputy Assistant Secretary Ted Dean expressed several times his sense of optimism about the negotiations. “I’m sitting next to Bruno, and I don’t think we’d be doing this if we didn’t have some shared sense of optimism on where we are," he said. "I am optimistic we will be on the same side of the table in the not too distant future.”
Gencarelli also expressed optimism: “There are pragmatic solutions on which we can agree. A deal is possible in the next days.” But, he added, “We are not there. We need movement and we need an arrangement that will pass the test of the court. The worst thing that would happen would be a second annulment” by the Court of Justice of the European Union.
Industry also shared their view during the panel, demonstrating the huge amount of work and uncertainty that’s gone into a post-Schrems world.
“I’m pleased to hear this optimism,” said MasterCard Senior Managing Counsel Caroline Louveaux. “Hopefully this will turn into reality.”
Data transfers are a core component to MasterCard’s business model, and since it’s a global company with its main server located in the U.S., it has relied heavily upon the Safe Harbor agreement for years.
“At first we cursed the Schrems decision,” she said. “Suddenly we were in a state of non-compliance and that is not an option for MasterCard.” She explained the enormous amount of work that went into their response. “We worked hard. Entering into new contracts with all our vendors is a lot of work. It requires signatures for an impressive number of people,” as well as sworn translations for multiple countries. “Some of them took this as an opportunity to audit us," she noted, "so this was bad timing.”
Plus, Louveaux explained that the decision raised the ire of consumers. MasterCard was flooded with requests from customers about how they were handling their personal data. In response, MasterCard created customer FAQs and spent time answering questions over the phone.
On the positive side, this sudden state of non-compliance provided the privacy office with a larger budget to handle the response. With this decision, she explained, “suddenly privacy becomes a key concern for companies.” Louveaux added, “We’re looking for quality privacy pros, so if you know of any send them our way.”
ExxonMobil Legal Counsel Frederik Peels said his company has experienced a very similar situation to MasterCard’s. Though ExxonMobile doesn’t deal in the commoditization of personal information, it is a large global company with thousands of employees around the world.
“The lion share of PII we keep belongs to employees, contractors and to process payroll. Despite the modest amounts of personal data we process,” he said, “we are deeply concerned with these developments.”
Data transfers are essential for a company like ExxonMobil to conduct daily business. An account manager, for example, may work with a team of employees residing in multiple countries across the world. Like MasterCard, ExxonMobil placed money and resources into reaching compliance through Safe Harbor.
“We want to be seen as protecting personal data,” Peels said. “We invested a lot in this.” As a result, ExxonMobile has invested money and man power into model clauses.
Looking directly at Dean and Gencarelli, Peels added, “We are hoping that the U.S. and EU can come together.”
Peels also offered a suggestion for the government officials. He said, in the long term, an agreement should be standardized among the different member states and be convergent with other transfer mechanisms, like BCRs and SCCs. A short-term solution, he suggested, needs to be practical, durable, principles-based, and not something that gets weighed down in too many details. Peels also said an agreement should be risk-based, “so we can channel our efforts into what is most necessary.”
The timing of an agreement was also top-of-mind. The Belgian Privacy Commission's Vereecken said, “We are hearing that the negotiations are progressing, which is good news. If there is progress, we are waiting for positions. We will have a meeting on Tuesday, or maybe Monday, and then we will give feedback.”
The European Commission’s Gencarelli also noted that the negotiations will not result in an international treaty. Since it is an agreement with the U.S., and as long as commitments are taken by the U.S., a finalization can be implemented quickly.
Regardless, the coming days will be very interesting for both sides of the Atlantic.
If you want to comment on this post, you need to login.