Last week I was interviewed by Laurie Clarke about the future of EU-US data transfers and what the US needs to do to make a new agreement a reality. Read “After a year of limbo a EU-US data privacy agreement still hangs in the balance” published in Tech Monitor, part of the New Statesman Media Group, here.
This blog post takes inspiration from the reflections I shared with Mrs. Clarke.
More than one year after the Court of Justice of the European Union’s so-called “Schrems II” decision which invalidated the Privacy Shield, and despite great urgency, the United States (US) and the European Union (EU) have not yet managed to reach a much-needed deal on transatlantic data flows. While both sides have expressed eagerness to make progress and have stressed the ongoing nature of the talks, little is to be (publicly) seen of their efforts.
The talks are taking a very long time, something which presents numerous difficulties for companies on both sides of the Atlantic. Indeed, this is a reality that I face on a daily basis in assisting multinational clients in managing the lawful transfer of data from the EU to the US in the absence of concrete, and most of all, practical and truly actionable guidance from the EU Supervisory Authorities, which at the same time are carrying out investigations that closely examine international data flows.
The reason for the delay in finding an agreement likely lies in the fact that the EU does not want to accept a “band aid” solution – i.e., another agreement similar to the Privacy Shield or Safe Harbor – that would be struck down by the CJEU within a short time due to its fundamental inability to ensure that EU citizens’ data protection rights are respected. We already know that privacy advocates are ready to take action should a “superficial” adequacy decision be made, and activism in this area has only ramped up in recent months (see my blog post here on “Two-sided control”).
With respect to what the EU is expecting, it is important to recall what has been stated in the past by EU Commissioner Didier Reynders and the VP of the European Commission for Values and Transparency, Věra Jourová: material changes to how the US treats the data of EU citizens will be a prerequisite for a new agreement. More specifically, this means that the US will need to concretely and legally (via actual legislation) limit access to the data of EU citizens by American national security agencies and ensure that EU citizens have the ability to challenge such access.
While it has been suggested that the introduction of a federal US privacy law would help the US’ case (a coherent and consistent approach to regulating privacy and data protection is of course welcomed and would not hurt) and such a law may help the US in demonstrating that it takes the matter seriously, it would take too long at this point and would not fundamentally resolve the issue at hand. Instead, there must be adequate protections in place for EU citizens’ data to protect their fundamental rights and freedoms. This assumption has also been put forward by activist Max Schrems who played a central role in the demise of the Privacy Shield.
The costs of failing to reach an agreement are immense for both the EU and the US. As I suggested earlier in this blog, even multinational companies which have sufficient resources and time to dedicate to the question of international data transfers are finding themselves in a sort of limbo where a strict interpretation of the guidance provided by EU Supervisory Authorities to date would practically lead to a halt of data flows from the EU to the US – something which is unfeasible in the global marketplace in which these entities operate today. As time passes, SMEs which may not be able to afford to allocate significant economic resources to the question of data transfers are poised to lose out on potential business or risk significant sanctions under the GDPR. To say the least, this is not a win-win situation, and it is not realistic to think that companies can continue in this void of legal certainty without truly practicable alternatives.
To the best of my knowledge, both sides are hoping to reach an agreement by the end of the year, though given what is publicly known at this time, I am not sure if we should get our hopes up just yet given the complex geopolitical nature of the deal at hand.
I was personally very much looking forward to knowing the outcome of the Trade and Technology Council (TTC) meeting which is scheduled to take place in Pittsburgh, Pennsylvania, at the end of the month. Since I spoke to Laurie last week, however, things are not looking good for the meeting, which was only confirmed on 23 September. Additionally, reports have it that “The negotiations on a privacy agreement for international data transfers are not part of the conclusions, as requested by the European counterpart.” Instead, it appears that the TTC meeting will focus predominantly on semiconductor supply chains.
US President Joe Biden’s 15 September announcement of the AUKUS trilateral security pact, which will facilitate the sharing of knowledge and information in “key technological areas like artificial intelligence, cyber, quantum, underwater systems, and long-range strike capabilities” has significantly complicated diplomatic relations between the EU and the US. That’s really to say the least. In fact, on 21 September, European Commissioner for Internal Market Thierry Breton went so far as to say that “something is broken in our trans-Atlantic relations” and that “trust between the EU and U.S. has been eroded. So it is probably time to pause and reset our EU-U.S. relationship.” With these strained relations, it’s difficult to imagine that an agreement on data transfers will be reached any time soon.
This current situation perfectly demonstrates something which is not new, but that should not be ignored any longer: data protection is not only a legal matter, but also a geopolitical one. It’s safe to say that we will be stuck in limbo for a little longer than some of us may have wished.
Recommended reading: In relation to the issue of EU-US data flows, I highly suggest reading the “U.S.-EU Privacy Shield and Transatlantic Data Flows” report published by the US Congressional Research Service on 22 September, available here.