As hard as it is to believe, it has almost been one year since the Court of Justice of the European Union made its decision in the "Schrems II" case. The CJEU struck down the EU-U.S. Privacy Shield agreement while upholding standard contractual clauses, albeit with caveats.

Since then, privacy professionals have been waiting for conclusive answers to address trans-Atlantic data flows, and there has been some news on that front over the past couple of months. The European Commission unveiled its draft implementing decision on SCCs in November, and EU Commissioner for Justice Didier Reynders and U.S. Secretary of Commerce Gina Raimondo issued a joint statement last month saying negotiations on a Privacy Shield replacement are "intensifying."

The privacy industry is waiting to see what happens with these two pillars of data transfers. They may soon see some clarity with one data transfer mechanism, while a resolution on the other is likely months, if not years, away.

During an IAPP Global Privacy Summit Online 2021 session, European Commission Head of International Data Flows and Protection Bruno Gencarelli said the new standard contractual clauses will be adopted in short order.

"We are about to because it’s a question of weeks, adopt modernized SCCs that do things that are aligned with the (EU General Data Protection Regulation) that are much better adapted to the reality of today’s digital economy," Gencarelli said.

Gencarelli called the draft SCCs an "enormous success" given the amount of feedback the European Commission received following its publication. He added the commission is taking the feedback "very seriously," which is one of the primary reasons why the process is still ongoing.

The SCCs in their current form have not been updated in more than a decade, which is why Gencarelli believes the modernized SCCs will be far better suited to handle a digital environment that has grown both in size and complexity.

"We will have a single entry point for SCCs where companies will be able to, around core common principles, use a number of models to cover as many as transfers situations and business models as possible," Gencarelli said. "We have injected some flexibility by allowing, for instance, more than two companies to adhere to this clause. Since we last adopted those clauses more than 10 years ago, the processing chains have become much more complex, with a number of different actors intervening at a number of stages of the processing chain. Having a more agile instrument where more companies can adhere from the outset or join later is something that’s very important and has been very welcome by stakeholders."

Movement on SCCs may be coming in short order; however, a replacement for Privacy Shield is likely farther off on the horizon. Gencarelli and U.S. Department of Commerce Deputy Assistant Secretary for Services Christopher Hoff, CIPP/E, CIPP/US, CIPM, said there is a willingness on each side of the Atlantic to make a deal.

"Nobody here is underestimating the importance of this or the complexity of these issues," Gencarelli said. "That balancing between privacy and national security is delicate on both sides of the Atlantic. National security is important in Europe as it is important in the U.S., and finding that data and making that balancing act is certainly not an easy exercise."

Gencarelli and Hoff both used the word "durable" to describe the Privacy Shield replacement each side seeks to craft. Privacy Shield and its Safe Harbor predecessor failed to stand up to legal challenges, and neither side has much of an appetite for a "Schrems III."

Before Hoff was appointed to oversee Privacy Shield negotiations, there were questions over whether the Biden administration will make trans-Atlantic data transfers a high priority. Between Raimondo's involvement in data flow conversations and the support of various communities and agencies, Hoff indicated a new data transfer agreement is on everyone's radar.

"While sometimes I may be the face of the conversation around Privacy Shield, there’s an entire team of people working on this, from the White House to the intelligence community, the law enforcement community, Commerce and the State Department," Hoff said. "We are all here. We are all working around the clock to find a solution because we understand the pain point that this is causing with both of our industries."

Hoff pointed out that large U.S. and European organizations are not the only ones who are relying on governments to solve this problem. Hoff said 70% of companies that were in Privacy Shield were small- and medium-sized enterprises. 

The U.S. and EU are both invested in finding a data transfer agreement that will stand up to any potential legal scrutiny, and both sides acknowledge it will take some time to meet that goal. Whatever the next data transfer agreement will look like, it will be heavily influenced by the decision the CJEU made last July, further cementing the influence of "Schrems II" and adding to its legacy as one of the most important privacy cases to date.

"We are using the 'Schrems II' judgment as a blueprint," Hoff said. "Everyone has it in front of them when we at the table discussing these things. It is for the government to come to a solution because there’s more onus on companies now because of 'Schrems II' to do these data transfer impact assessments to determine whether they need additional safeguards in place, and what those should look like. Those are complex issues, too. There isn’t an easy answer to that."

Photo by André Ravazzi on Unsplash