Privacy professionals continue to wait for news on a replacement for the EU-U.S. Privacy Shield after it was struck down by the Court of Justice of the European Union in its “Schrems II” ruling last summer.
Recent reports suggest it may not be anytime soon. European Union Justice Commissioner Didier Reynders said a Privacy Shield replacement is likely years away, citing the challenges in finding a data transfer deal that would protect European citizens’ data from U.S. intelligence agencies.
Though there are indications this could be the case, there is a sense of urgency to solve the trans-Atlantic data flow issue. During a Wall Street Journal Pro Cybersecurity webinar, IAPP Research Director Caitlin Fennessy, CIPP, who formerly served as the Privacy Shield director at the U.S. International Trade Administration, said negotiations for Privacy Shield rose to the highest levels of the U.S. government, which created a rapid sense of urgency to get a deal done.
Fennessy sees a similar sense of urgency this time around and believes the appointment of U.S. Department of Commerce Deputy Assistant Secretary for Services Christopher Hoff, CIPP/E, CIPP/US, CIPM, is a signal the Biden administration understands the importance of having a data transfer agreement in place with the EU.
During a Wednesday panel session hosted by Euractiv, Hoff said finalizing Privacy Shield negotiations is a “top priority” for the administration. While Hoff stated he could not get into specifics of negotiations, he said it is a “vast interagency process” with conversations narrowly focused on issues addressed in the CJEU’s ruling related to national security data collection and the ombudsperson mechanism in the U.S.
“We are all trying to be pragmatic and open-minded and ambitious and quick about this because for us it’s been seven weeks in the new administration but the world has been waiting eight months since the 'Schrems II' ruling, so there is a real sense of urgency on our part. There is also an opportunity to restart the trans-Atlantic relationship, and there is so much great cooperation going on between our leadership right now,” Hoff said. “We also do want it to be as future proof as possible, so it’s a tricky conversation and balance.”
Speaking during an IAPP virtual KnowledgeNet meeting, Wilson Sonsini Goodrich & Rosati Of Counsel Laura de Boel questioned whether privacy is a priority for the administration, saying she expects an extended wait for a Privacy Shield replacement. “The Biden administration does not have privacy as their top priority as they look to tackle other issues first,” she said.
However, when Privacy Shield was negotiated, Fennessy said an important part of its development was relying on input and insight from stakeholders. Those stakeholders have already gotten to work as its replacement is considered.
As an example of feedback that will likely be considered as the proceedings move forward, Fennessy cited a proposal from Alston & Bird Senior Fellow Peter Swire, CIPP/US, and Georgetown University Law Center Professor of European Union Law Kenneth Propp. The proposal would lean on the Foreign Intelligence Surveillance Court, the Privacy and Civil Liberties Oversight Board, and independent privacy and civil liberties officers to meet the redress challenge negotiators currently face.
NOYB Founder Max Schrems is skeptical whether these solutions will help a Privacy Shield replacement stand up to legal challenges.
He also said the conversations he has had in Brussels suggest the only way a deal will stick is if there is legislative reform in the U.S., and on that front, he is not optimistic about the future of the next Privacy Shield.
“There are these prompts that are really pressing and unless there’s a fundamental shift in U.S. law, I don’t see a lot of these suggestions really cutting it on the European side,” Schrems said. “That’s the problem. There’s very little movement on the U.S., and there’s a very high bar to reach on the European side. There’s a feeling that we just have another agreement that is going to be killed rather soon.”
To address the uncertainty a Privacy Shield 2.0 could face from inevitable legal challenges, Baker McKenzie Partner Brian Hengesbaugh argued the Biden administration should "go big" by pursuing what he calls a "multilateral privacy treaty" among "like-minded" democratic nations. He discussed his proposal in a new episode of The Privacy Advisor Podcast.
Fennessy, on the other hand, feels a Privacy Shield replacement has a chance to weather the storm.
“I have a lot of optimism because the negotiators on both sides of the Atlantic here are really focused on pragmatic, practical solutions,” Fennessy said. “They know they need to meet the theory ... and the legal standard of the court, but they want to make this work and so they are trying to figure out how to make it work quickly.”
Speaking as part of the Euractiv panel, Centre for Information Policy Leadership President Bojana Bellamy, CIPP/E, also said the “optics” around potential federal privacy legislation in the U.S. will be important. As states adopt their own privacy regulations, Bellamy said the U.S. could end up with “a patchwork of state laws,” which she added, “I don’t think helps enable effective use of data within the U.S.”
Such a patchwork of legislation is a concern for Hoff, who said global, interoperable frameworks “have to be the future.” He is also concerned about calls for data localization in the EU, saying that “is not a good solution for any of us.”
“Finalizing the Privacy Shield enhancement is a priority of the administration because it not only addresses the Privacy Shield/'Schrems II' issues, but it will also steady the ground under standard contractual clause transfers. And what we’re focusing on in the world to get around or past this data localization is interoperable frameworks,” he said. “That is a focus of this administration and those before it and our relationship with Europe is a close partnership, and we’re grateful for that.”
Irish Data Protection Commissioner Helen Dixon, who also joined in the Euractiv session, said the High Court of Ireland’s review of its preliminary order for Facebook to suspend data transfers from the EU to the U.S. will be “significant” to the future of trans-Atlantic data flows. Facebook last fall appealed the order to the High Court and Dixon said judgment could come as early as next month.
“It’s clear for Facebook and a lot of companies operating in the EU that this is an area of considerable stress,” she said. “The Irish DPC is looking forward to a decision from the High Court so we can progress or not progress.”
For businesses trying to tackle the data transfer conundrum, de Boel said she has seen varied responses.
“You’ve got the large multinationals that send out vendor questionnaires and transfer impact assessments, but then you have large U.S. players that have different resources to rethink their data infrastructure,” she said. “If you’re thinking about changing your architecture to keep EU data in the EU, then that’s a long-term plan that you can’t really implement overnight.”
De Boel also noted there may be some potential flexibility for companies in the form of Article 49 derogations.
“We’ve been told as privacy professionals to use these in exceptional cases only, but then you’ve got the court in 'Schrems II' saying there’s not going to be a legal void if we invalidate Privacy Shield because there’s always the derogations,” de Boel said. “I heard the judge that prepared the judgments in the 'Schrems II' case recently said we should look more at using the derogations and that they could be very good for intergroup transfers. It’s something we’re going to see more talk on in 2021.”
The recent comments from CJEU Judge Thomas von Danwitz were certainly striking for many but might not be the solution. De Boel pointed out that using a derogation to transfer to the U.S. will “provide less protection to the individual than adhering to previous Privacy Shield principles.”
The prospect of using derogations under Article 49 of the EU General Data Protection Regulation was also a topic of conversation this week during a LinkedIn Live event with IAPP Vice President and Chief Knowledge Officer Omer Tene and Bird & Bird Partner Ruth Boardman.
“I think with intergroup transfers, you’d struggle to use a derogation under Article 49 that would help,” Boardman said. “I know there are a number of derogations that are worth digging into in some situations, but none of them provide a solution for large-scale routine transfers of data within a corporate group.”
On the broader use of derogations, Boardman deferred back to the ultimate point of Article 49, which is to be applied in situations “where countries haven’t been offered adequate protections” or “when you can’t use appropriate safeguards.”