US Sends Initial Privacy Shield Offer to European Commission
U.S. officials sent the European Commission an initial offer to replace the Privacy Shield and address concerns in the Schrems II decision, industry officials and advocates told us (see 2103250023). An initial U.S. offer was sent a few weeks ago, but it “wasn’t as strong" as the European Commission hoped, said Gabriela Zanfir-Fortuna, a former adviser to the European Data Protection Supervisor in Brussels. Now senior counsel at the Future of Privacy Forum, Zanfir-Fortuna advised in the development of the first Privacy Shield agreement and the general data protection regulation.
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
The initial offer addresses some of the EU’s Schrems II concerns, including redress and proportionality, an industry official said. Redress involves the U.S. ombudsperson, the official who reviews European concerns about U.S. surveillance. Proportionality deals with data collection practices under surveillance laws. The initial offer wasn’t considered formal, just a starting point, a privacy advocate said. The Commerce Department and the EC didn’t comment Wednesday.
The commission is likely being cautious due to the record of invalidated privacy agreements between the two sides, said Zanfir-Fortuna. There are “specific points” concerning redress and proportionality in the European Court of Justice’s judgment, which are “quite clear,” and the “new framework has to address that,” she said. Independent oversight is another point of contention linked to redress, she said. Everyone wants to avoid a Schrems III, she said. But she noted European Union Justice Commissioner Didier Reynders said recently that the new agreement could “take years.”
Reynders made those comments before a joint statement with Commerce Secretary Gina Raimondo, saying the two sides have intensified negotiations (see 2103250023). “All parties appear to understand how critically important it is to have an agreement in place, sooner rather than later,” said World Privacy Forum founder Pam Dixon: “There does appear to be a lot of behind-the-scenes activity regarding an agreement, but the details remain to be seen.”
“Companies are really struggling,” said Fox Rothschild’s Odia Kagan, citing lawsuits, complaints and enforcement. Companies have only European Data Protection Board draft guidelines, which make certain transfer mechanisms, like cloud storage, “virtually impossible,” she said. “The question is: What does a diplomatic solution look like that will be ... Schrems III-proof? Both sides want to reach a solution, but also both sides want to reach a solution that doesn’t get invalidated in short order.”
"The free flow of data across the transatlantic is crucial for enabling innovation and promoting a thriving digital economy,” said Information Technology Industry Council Executive Vice President-Policy Rob Strayer in a statement. ITI is “encouraged” by recent steps and looks forward to collaborating on a new agreement that “protects citizens' personal data and privacy while supporting innovation,” he said.
Based on the ECJ decision, U.S. surveillance practices need to change, said Zanfir-Fortuna. She noted an active debate in the U.S. about what can be accomplished through executive action from President Joe Biden, rather than legislation.
Legislation isn’t needed to address concerns about proportionality and redress, said former Commerce Department Special Counsel Brian Hengesbaugh, now at Baker McKenzie. Those elements already are in U.S. law and policy, and they can be amplified to address concerns, he said. Long term, he suggested a multilateral treaty that establishes certainty for businesses, rather than a bilateral agreement.
Congress will likely need to enact legislation to fully resolve concerns, but there are actions the U.S. can take without congressional authorization, said New America’s Open Technology Institute in a report Wednesday. It highlighted proposals for updating the government’s targeting and collection practices, minimization procedures and transparency requirements. In order to establish independent judicial redress, legislation is needed, said OTI.