Recent comments by European Union and U.S. lawmakers and insights from privacy experts suggest a new mechanism to ensure safe transatlantic data transfers might soon be introduced.
Caitlin Fennessy, vice president and chief knowledge officer at the International Association of Privacy Professionals, believes a replacement for the defunct Privacy Shield is likely to be announced in the next couple of months.
In February, the U.S. director of the Privacy Shield program, Alex Greenstein, said negotiations were in the “home stretch.” EU officials have also been quoted as saying progress is being made.
If a draft document comes out in May or June, Fennessy said, it will likely gain an adequacy decision by the end of the year and come into effect soon after.
The impetus for the agreement, she said, has been European concern that, because cloud-based services and tools such as Google Analytics might not be compliant with the EU’s General Data Protection Regulation (GDPR), European businesses might be negatively affected.
“The recent Google Analytics cases have certainly pushed the need to reach an agreement quickly,” said Fennessy. “It is not tenable for EU companies, as well as public-sector organizations, to no longer know whether widely used IT and internet tools comply with the GDPR or not and to avoid using them. Barring their use might put European organizations at a disadvantage, especially when everyone else is using them.”
Since Europe’s top court ruled in July 2020 that U.S. law does not provide a level of data protection similar to that of the European Union, there have been two particular stumbling blocks to creating an alternative to the Privacy Shield.
The first is U.S. reluctance to amend or water down the country’s sweeping surveillance laws. The second has been a lack of available redress for data subjects to complain when their data might have been intercepted (unfairly or otherwise) by U.S. intelligence and law enforcement agencies.
Experts believe the first obstacle is unlikely to ever be remedied, but the lack of redress can be fixed.
On Feb. 16, three legal experts authored a blog post examining ways the U.S. government could create, by nonstatutory means, an independent body capable of providing an effective remedy for a European person who believes her or his rights have been infringed by an intelligence service. The authors suggested setting up the redress body by means of an executive order instead of trying to get legislation through Congress.
Fennessy believes the paper’s publication “tests the water” about what a replacement for the Privacy Shield might look like and how the United States would appease EU concerns over citizens’ privacy rights.
Alex Hazell, head of legal and privacy at data marketing and technology firm Acxiom, said, “While we obviously can’t say for sure, it does sound like things are moving in a positive direction.”
Edmund Probert, partner at law firm Spencer West, said while the solution seemingly put forward is “elegant,” it needs firm steps by both the U.S. Department of Justice and President Joe Biden to make it happen.
“Given the current political environment, I wonder whether this comes high on the list of priorities,” he said.
Probert said the methodology for appointing a board that has oversight and deals with complaints is “fraught with difficulties.” He believes board members need “to understand the intelligence systems but not be a part of the system” and have permanent seats “so that the executive cannot remove or influence them.”
Probert said the most sensitive issue is giving those with oversight the power to be able to monitor access to personal data, which “effectively means allowing access to all the U.S. intelligence services—something those services are likely to resist. While all of us who advise in this area would dearly like a solution, I will be surprised if we see anything new in 2022.”
Some doubt whether the European Commission is in tune with U.S. plans.
James Castro-Edwards, counsel at law firm Arnold & Porter, said, “Any attempts to fudge European requirements are likely to be challenged and result in a new deal going the same way as Safe Harbor and the Privacy Shield, thereby sending the process back to square one.”