US, EU Reach Preliminary Deal on Data Flows
The EU and U.S. "found an agreement in principle" on trans-Atlantic personal data transfers, European Commission President Ursula von der Leyen tweeted Friday. The U.S. made "unprecedented" commitments to put in place new safeguards to ensure that signals intelligence activities are "necessary and proportionate in the pursuit of defined national security objectives," and to create a new mechanism for EU individuals to seek redress if they believe they're unlawfully targeted by such activities, said a White House fact sheet. The deal addresses the concerns of the European Court of Justice in Schrems II, it said.
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
The accord "is a major development," since companies on both sides of the Atlantic continue to exchange personal data and want to do it safely and in compliance with applicable data protection rules, emailed Linklaters privacy lawyer Tanguy Van Overstraeten. But beyond the principles of an agreement, whatever new mechanism is put in place must be sufficiently robust to resist potential challenges by privacy activists and scrutiny by EU and local privacy authorities, and to pass the test of the European Court of Justice, he said: "If there is a Schrems III , the EU Commission must win it."
The U.S. appears to have understood the Schrems II ruling to say government access to data must be necessary and proportionate and there must be a right to an effective remedy, Hogan Lovells data protection attorney Eduardo Ustaran wrote. It's not clear how the limits on government surveillance will be articulated, but the right to an effective remedy appears to be a change from the ombudsman mechanism to one that involves a court, he said. It seems the new regime is "being sanctioned from the very top via an Executive Order, which will help bypass the challenge of getting the US Congress to pass a federal law."
Ensuring a “durable and reliable” legal basis for trans-Atlantic data flows paves the way “for a more inclusive digital economy that will benefit American consumers and small businesses alike,” said Commerce Secretary Gina Raimondo. “The framework lays the foundation for further economic cooperation and will allow American businesses to more effectively compete globally, while also ensuring that unprecedented commitments to strengthen privacy protections do not come at the cost of our national security interests at home and abroad.”
Rep. Suzan DelBene, D-Wash., welcomed the new privacy framework but expressed disappointment in the EU finalizing its Digital Markets Act (see 22032500010). The new privacy agreement will allow the free flow of data, but it doesn’t decrease the urgency for the U.S. to develop its own national standard, she said. She noted “serious concerns” from the Biden administration, Democrats and Republicans about the DMA: “The DMA’s discriminatory aspects are at odds with the fundamental principles of the World Trade Organization and undermine the U.S.-EU economic relationship.”
The American Chamber of Commerce to the EU urged both sides to "continue to engage as they lay out the remaining details." The announcement is good news for European and international companies that rely on data flows, but "while we welcome more certainty for EU-US commercial data flows, we are increasingly concerned with new European restrictions covering 'non-personal' data," said Computer & Communications Industry Association Public Policy Director Alexandre Roure.
SIIA hopes the development "motivates Congress to enact a comprehensive federal privacy law" that restores European and American trust in data safety standards while "continuing to enable the innovation that has made the U.S. the global leader in technology," said President Jeff Joseph.
The National Retail Federation also hailed the agreement. NRF and its members “have long supported a coherent regulatory system for EU-to-U.S. data transfers that works for both consumers and businesses and provides protective, flexible and predictable rules that permit retailers to serve their customers as they wish to be served,” said David French, NRF senior vice president-government relations.