Greetings from Brussels!

In an interview published earlier this week by The Wall Street Journal, EU Justice Commissioner Didier Reynders commented that negotiations with the U.S. over a new data transfer agreement could take “years rather than months.” This is certainly not the reassuring kind of statement businesses — either side of the Atlantic — want to hear. You could argue this should come as no surprise when in September 2020 speaking to the European Parliament, Reynders was categorical in stating that there was no "easy fix" following the CJEU "Schrems II" ruling. He said then to MEPs — as he did to his U.S. counterparts — “what we need are sustainable solutions that deliver legal certainty, in full compliance with the judgement of the court.”

Well, we now have a new U.S. administration in the Biden administration, and one wonders whether this may foster a more conducive construct for ongoing negotiations. EU officials will be hoping that more positive discussions can be had with U.S. Secretary of Commerce Gina Raimondo who was overwhelmingly confirmed by the U.S Senate last week; it's early days.

There was also an interesting Euractiv event this week on the future of data privacy where Christopher Hoff in his new role as deputy assistant secretary with the U.S. Department of Commerce was asked for his insights into the status of the Privacy Shield talks and perceived shortfalls. Hoff reminded the audience of the relative newness of the current administration and reiterated the vast U.S. interagency consultation process required in these discussions to achieve a working solution. He further referenced Raimondo’s pledge during her recent Senate hearing of finalizing the Privacy Shield renegotiation as a top priority. Hoff was hopeful in tone, asserting that the senior U.S. civil service and transition teams are well briefed and fully conversant on Privacy Shield and the issues around international data transfers. Hoff, with a solid background in the privacy field, acknowledged the uncertainty imposed on business by the "Schrems II" ruling, adding both sides of the negotiation table are working with an open and pragmatic mindset to confirm a future proof solution. Not being able to speak to the details of ongoing discussions, Hoff was able to reaffirm the bulk of the discussion was centered on a limited number of points as reflected in the CJEU ruling, thus primarily the issues of national security data collection, and the mechanism of the ombudsperson.

The question of a U.S. privacy regime was also raised in the context of EU-U.S. international data transfers. Fellow panelist Bojana Bellamy, president of the Centre for Information Policy Leadership, stated it was time for the U.S. to seriously consider a federal law in the privacy space as we witness a growing patchwork of state laws emerge. No longer a partisan issue politically, there is increasing awareness across the Atlantic that a privacy "level playing field" — or convergence — is desirable for the sharing and processing of user data (also) across jurisdictions, as well as being conditional for economic stimulus and digital growth. The U.S. debate is growing around the preemption of federal law versus state law, she added, somewhat similar to what Europe experienced with the GDPR. Bellamy makes a valid point, while the optics of a federal privacy law would be encouraging for Privacy Shield and international data transfer discussions generally, a federal law would not necessarily answer or resolve the question of meeting the high bar of essential equivalency set by the CJEU. 

Hoff further added in any eventuality of a federal privacy law, its interoperability with international privacy frameworks and principles — including GDPR adequacy — will be a focus and stress test as policies take shape. Moreover, he reinforced part of the broader discussion on solutions or enhancements developed to Privacy Shield in respect to national security and redress will apply across the board regardless of the data transfer mechanisms used — think SCCs. He concluded by saying agreed principles of cross-border privacy rules have to be the future.