The state of EU-U.S. data flows has unquestionably been the most talked about issue among data privacy professionals since the invalidation of EU-U.S. Privacy Shield. Despite excitement around the recent agreement in principle to stabilize data flows, remarks from involved parties at the IAPP Global Privacy Summit 2022 indicate the finish line is in sight but not quite on the immediate horizon.

The political agreement announced by EU-U.S. officials March 25 for the Trans-Atlantic Data Privacy Framework is just the latest step in what European Commissioner of Justice Didier Reynders described in his GPS keynote address as "intense negotiations" on a Privacy Shield replacement. Reynders made it clear that "the work continues" toward having a final agreement in place by year's end.

"It is difficult to give a precise timeline at this stage, but we expect that this process could be finalized by the end of this year," Reynders said. "While we still have a lot of work ahead of us, I do believe this agreement in principle confirms once more how much the European Union and the U.S. can achieve by building on their shared values."

Key players in the EU-U.S. negotiations took time at a breakout session following the keynote to echo Reynders' thoughts on the finalization timeline. U.S. Department of Commerce Deputy Assistant Secretary for Services Christopher Hoff, CIPP/E, CIPP/US, CIPM, said U.S. negotiators are "thrilled to be at the point we're at now," but noted the ball is currently in the U.S.'s court and going through the "arduous process" of translating the agreement into new U.S. law that will affect multiple agencies.

Upon completion of those U.S. actions, Reynders and European Commission Head of International Data Flows and Protection Bruno Gencarelli both indicated the EU can initiate a proposal for an adequacy decision. These actions will lead to what Reynders hopes will be a "solid arrangement," which has been the ultimate goal during the last year of negotiations. 

"We had very detailed discussions to explore different solutions that could be developed within the U.S. legal system," Reynders said. "We have now reached an agreement on the key elements of the new framework. In particular, the future arrangement will provide for safeguards limiting access to data by American intelligence authorities to what is necessary and proportionate to protect national security."

No doubt, once a detailed agreement is reached, all eyes will be on potential legal challenges. Hoff and Gencarelli addressed concerns about a so-called "Schrems III" and the future agreement's durability. Gencarelli was clear in saying the new agreement must still follow the Court of Justice of the EU's "Schrems II" decision. Hoff said durability has been a focus during the negotiations and that he believes they will have something that will be durable. 

The key piece to the tentative deal is a redress system through the U.S. executive branch that will help satisfy EU concerns regarding U.S. national security checks and government access to personal data. Reynders said the provisions for the system in the political agreement provide "binding authority to direct remedial measures for complaints brought by Europeans." Hoff wasn't at liberty to speak on the specifics on the proposed functionality of the proposed Data Protection Review Court, but did discuss "the unprecedented commitments" around "substantial strengthening of privacy and civil liberties safeguards" that come with the redress mechanism's creation.

"There is a whole redress mechanism that has been created very creatively, independent and binding in its safeguards around how the court is set up along with the selection and removal protections of the judges," Hoff said, stressing that only government agencies will see new obligations with the mechanism. "All those things will become a lot more clear in time, but there's been a lot of thought and paper back and forth. I've been impressed with how forward-leaning, well-intentioned and privacy-focused those around the table have been."

The completion of an executive order from U.S. President Joe Biden and subsequent regulations from the U.S. attorney general's office will bring some immediate clarity and certainties around some transfer mechanisms. Hoff said data transfers executed through standard contractual clauses would be stabilized once the new U.S. law is in place following the executive actions. Hoff also said the Department of Commerce plans to release guidance on what those changes mean for companies conducting transfer impact assessments, though he was also clear to point out they would not be legal advice. 

Casentino Strategies Founder and Principal Paula Bruening views the agreement as an overall win for businesses, but specifically small- and medium-sized businesses that lost the ability to participate in various global activities once Privacy Shield was taken down.

"The ones that I work with want to comply, have a growing awareness of why compliance is important, and why the flow of data they are receiving from Europe is protected," Bruening said, later mentioning the agreement offers an opportunity to revisit and evaluate updated guidance materials for executing transfers. "This instrument is going to provide a more streamlined and cost-effective way of coming into compliance. That's important because these SMEs have privacy programs at various levels of maturity and they're still trying to kind of figure all of this out while building. Compliance can now be achieved in a way that is tailored to the realities of their business while not compromising protections."