As the one-year anniversary of the Court of Justice of the European Union's "Schrems II" decision approaches, the privacy industry has seen a wave of developments on international data transfers.
The European Commission adopted new standard contractual clauses. The European Data Protection Board issued its recommendations on supplementary measures for data transfers and the commission adopted a pair of adequacy decisions for the U.K.
All of these events took place within the last month, if you can believe it.
While data transfer news has been coming in fast this June, an important element of the "Schrems II" ruling still needs to be addressed: a replacement to the EU-U.S. Privacy Shield agreement.
During an IAPP LinkedIn Live event, U.S. Department of Commerce Deputy Assistant Secretary for Services Christopher Hoff, CIPP/E, CIPP/US, CIPM, offered a window into the progress on the Privacy Shield talks, assuring privacy professionals the negotiations between the European Union and U.S. are not stuck at the starting line.
"I definitely would assuage anyone’s fears that we are at the beginning of this negotiation. We are not at the beginning of this negotiation," said Hoff. "A good diplomatic friend mentioned to me allies get into these conversations where there’s often 95% agreement and 5% disagreement. Without saying that that’s where we are, it feels like that is essentially where we are. I am confident that we will figure out the remaining percent, whatever percent that it is. We are absolutely not at the beginning at these conversations and we will figure out the rest."
The summit between the EU and U.S. recently concluded, which included the creation of the EU-U.S. Trade and Technology Council. While the trade council may have been top story, Hoff said Privacy Shield negotiations were a major part of the summit talks.
"Data transfers and data flows are foundational to the rest of any trade and technology conversation. It’s the lifeblood of trade and technology and of business. Privacy Shield is a very big part of the conversation in Brussels," said Hoff. "We are following up on those high-level leaders and principles meetings in Brussels with more and more and more meetings, including today with the commission."
Hoff couldn't give a conclusive timeline to when a new Privacy Shield agreement would be on the books, but said there has not been any lull in the conversations between the U.S. and its European counterparts.
He added the European Commission has been patient throughout the proceedings, as it has now had to work with two different presidential administrations on Privacy Shield 2.0. Hoff said other federal entities beyond the Department of Commerce and the White House have been working to make a new data transfer agreement a reality, as observers on both sides of the Atlantic expect a deal to eventually be made.
Hoff also discussed the other notable data transfer developments before and after the EU-U.S. summit. Hoff said the Department of Commerce and other federal agencies are in the process of assessing the EDPB recommendations and the new SCCs at a high level, and offered his thoughts on these documents from the view of a privacy professional.
"I see some difficulties and some big holes in the use cases that are quite common, and there are not any good answers for those, but at the same time, we are happy to see the maintenance of a risk-based approach that the commission put into the standard contractual clauses," said Hoff. "We are glad to see some of that in the EDPB recommendations."
The "Schrems II" ruling turned the privacy world on its head last summer, and privacy professionals patiently waited for guidance and new mechanisms to facilitate very valuable data transfers.
Now, those materials and tools are materializing, allowing those who handle data transfers to breathe a little easier for a litany of reasons.
"I found the EDPB recommendations very helpful and illuminating. It represents a consensus among the supervisory authorities of the EU member states in interpreting what the ‘Schrems II’ decision requires," said American University Washington College of Law Scholar-in-Residence and Adjunct Professor Alexander Joel, CIPP/G, CIPP/US. "When supervisory authorities are taking enforcement in the interim, they are going to be looking at these recommendations that this guidance document has established an interpretive opinion of what ‘Schrems II’ sets forth. From that perspective, it’s very helpful."
But will all of these developments impact Privacy Shield negotiations?
Hoff said the new SCCs and the EDPB recommendations will not directly influence talks around a Privacy Shield replacement, but rather highlight the need for a government solution to address these issues.
But don't expect quickness to be the name of the game. The primary focus for both the EU and the U.S. will be to craft a strong data transfer agreement that avoids the fate that fell upon Privacy Shield and Safe Harbor before it.
Photo by CHUTTERSNAP on Unsplash