Legal and data privacy experts have expressed cautious optimism regarding Friday’s announcement that the United States and European Union have reached an agreement in principle to resume transatlantic data flows without fear of violating the EU’s stringent data privacy rules.
While the details of how the framework will work in practice are vague, experts are hopeful it gains approval by the Court of Justice of the European Union (CJEU) and isn’t torpedoed by privacy campaigner Max Schrems like the Privacy Shield and Safe Harbor before it.
Seems we do another #PrivacyShield especially in one respect: Politics over law and fundamental rights. This failed twice before. What we hear is another "patchwork" approach but no substantial reform on the US side. Let's wait for a text, but my first bet is it will fail again. https://t.co/y6RFUyB8eG
— Max Schrems 🇪🇺 (@maxschrems) March 25, 2022
Patrick Van Eecke, head of law firm Cooley’s European privacy practice, said, “This is a great message for the U.S. and EU business community as it has been struggling with data transfer issues since the invalidation of the Privacy Shield two years ago.”
Guillaume Couneson, data protection partner at law firm Linklaters, said the importance of the announcement should not be understated.
“For companies with a presence in both the EU and U.S., the possibility to transfer personal data safely across the Atlantic and in compliance with applicable data protection rules is business critical,” said Couneson. “It may among others determine which services those companies can include in their supply chain, which can in turn be a key driver of innovation; growth; and ultimately, economic success.”
“That being said, businesses have certainly not forgotten what has happened to its two predecessors,” warned Couneson. Prior to the invalidation of the Privacy Shield in 2020 over U.S. surveillance concerns, the European court struck down a similar agreement, Safe Harbor, in 2015.
“To provide a reliable long-term basis for transatlantic data transfers, this new solution will have to withstand the scrutiny of the supervisory authorities and the privacy activists that brought down the two previous ones,” said Couneson. “Undoubtedly, many companies will be watching for the reaction of these actors as a first indication of the potential for this new transfer mechanism to stick.”
Caroline Carruthers, co-founder of global data consultancy Carruthers and Jackson, said any new framework must be simple and easy to understand.
“You need something that is fundamentally useable as well as secure,” she said. “It’s no use claiming to have the most secure data privacy in the world if nobody can use it or wants to use it, so it’s crucial any new framework has simplicity built into it.”
Carruthers also believes companies must be given enough time to prepare.
“The new Privacy Shield replacement will take time to gain widespread adoption as companies look to adapt technology and deal with legacy tech. You simply cannot put a new regulation in place and expect everyone to immediately start using it,” she said.
Some are skeptical the latest mechanism to ensure safe transatlantic data transfers will get off the ground quickly—if at all. Businesses looking for legal certainty “shouldn’t get too excited,” said Nigel Jones, co-founder of data management specialist The Privacy Compliance Hub.
“Progress may have been made and politicians can say what they like about agreements in principle, but we are months away from any clarity,” said Jones. “It will be the CJEU that decides whether any new Privacy Shield arrangement complies with EU law, and as we know, the law moves slowly to the detriment of business. Even if an agreement gets through the legislative process on both sides of the Atlantic, it will inevitably be challenged in the courts.”
Maarten Stassen, partner at law firm Crowell & Moring, believes the invalidation of Safe Harbor and the Privacy Shield has shaken businesses’ confidence in once again putting their trust in a framework that might later prove to be noncompliant with the EU’s General Data Protection Regulation (GDPR).
“It’s like forcing the vessels in a harbor to comply with all security measures and then punishing them because the harbor itself is not secure,” he said.
A short- to mid-term solution for data transfer to the United States, said Stassen, might be to take a sector-specific approach, carving out the sectors that are most susceptible to surveillance activities.
“While it is clearly not the ideal solution, it would provide relief for the many companies seeking a way to send human resources and customer data across the pond for absolutely legitimate purposes,” he said.