Discussions on U.S. privacy legislation and a response to the invalidation of the EU-U.S. Privacy Shield have been mostly separate from one another since July. That changed Dec. 9 as the Senate Committee on Commerce, Science, and Transportation opted to explore a potential parallel between subjects at a hearing to discuss the halt to Privacy Shield and other matters related to trans-Atlantic data flows.

A common line of questioning from several lawmakers throughout the hearing was whether a federal privacy law, which some committee members argued has great promise of coming to fruition in 2021, would clear up issues cited in the Court of Justice of the European Union's decision to nix the Privacy Shield program. While a novel idea, witnesses dismissed privacy legislation alone as an answer to the EU-U.S. conundrum.

"That ruling focused exclusively on government access to data and did not in any way question Privacy Shield's protections with regard to commercial collection or use of data," Department of Commerce Deputy Assistant Secretary for Services of International Trade Administration James Sullivan told Sen. Richard Blumenthal, D-Conn., and fellow committee members. "I think potential federal data privacy legislation would be very well received by the EU, but it will not address the immediate national security issues cited by the court."

FTC Commissioner Noah Phillips and BSA – The Software Alliance President and CEO Victoria Espinel agreed with the assessment from Sullivan, who has been participating in discussions and negotiations with EU officials on a Privacy Shield replacement in recent months. Sullivan also noted that only 12 jurisdictions have received adequacy decisions from the EU since 1995. "We're seeing a proliferation of national laws that are taking inspiration from the (EU General Data Protection Regulation)," he said, but "that is not a guarantee of adequacy."

On the topic of the CJEU's issues with the U.S. government's access to data for national security and intelligence purposes, views from committee members and the witnesses were wide ranging. Sen. Maria Cantwell, D-Wash., made it known that she would like to see "way more transparency" on the Foreign Intelligence Surveillance Court while also noting she and fellow lawmakers "don't control agencies and certainly don't control executive orders." On the other hand, Sen. Rick Scott, R-Fla., was focused on preserving Americans' privacy and finding the means to protect it from being undermined by foreign adversaries but made no mention of alleviating the EU's concerns with the U.S.

Notably, Phillips claimed the intelligence regimes in the U.S. and EU are, in fact, comparable to one another, which would raise questions on why the CJEU would rule based on issues that may exist within its own jurisdiction.

"There have been a number of studies by authoritative lawyers and academics here and in Europe," Phillips said. "The bottom line is that the practices we engage in from a national security perspective afford just as many, if not more, rights to U.S. citizens as rights afforded by domestic law in EU member states."

Cantwell considered what it would take to foster more trust in international surveillance cooperation, calling on Washington University School of Law Koch Distinguished Professor in Law Neil Richards to expand upon the possibilities. Richards, who co-authored a paper on a proposed "duty of loyalty in privacy law" framework, mentioned the importance of "privacy protections flowing with the data," as well as "countries with shared values having shared protections."

"It should be possible," Richards said. "The U.S. used to be the leader on commercial privacy in the early 1970s and sort of abdicated that to Europe. Now that the GDPR, fair information practices and all the Europeans have is the emerging global market norm if the U.S. cooperated on that as well I think it could go a great deal toward solving the broader international cooperation on surveillance."

What witnesses said can't be accepted going forward is a move to data localization. When Sen. Marsha Blackburn, R-Tenn., asked whether localization is becoming "the new norm," Sullivan opined that such a shift is "not a perfect solve and exceedingly expensive." Phillips added to Sullivan's comments, saying localization "is not good for privacy or data security."

Beyond suggestions of legislative reform and continuing negotiations, the hearing did not generate much in the way of other avenues the U.S. could explore while EU-U.S. transfers hang in the balance. Alston & Bird Senior Counsel Peter Swire, CIPP/US, warned against what happens without a path forward, alluding to the consequences of the CJEU ruling starting to come to light with EU legal battles, namely the Irish Data Protection Commission's case to halt EU-U.S. Facebook transfers.

Swire proposed a short-term solution could be a one-year agreement put in place as soon as possible, allowing data to continue to flow while the incoming Biden administration gets an opportunity to negotiate with the EU.

"For the EU, there have been reports in the press that they'd like to have a broader negotiation on many issues, including privacy, with the new administration," Swire said. "Having a year to negotiate this as part of a broader deal would help meet important European goals and allow time to clarify guidance. It would also allow significant additional work on U.S. actions and time for Congress to see if specific statutes might help.

"Having this issue negotiated in the first weeks of a new administration would be very challenging. Getting something done soon before a cutoff on data flows creates a lot more room for better things down the road."