In the four months since a European court struck down an agreement between the United States and European Union regarding how companies can send their data across the Atlantic Ocean, companies are still struggling to keep up with the myriad proposals, recommendations and sharp legal turns that have come out of various European governing bodies about what to do now, all with the continued risk of investigations and fines if they make a misstep.
And despite the upcoming transfer of power in the White House, two people close to the matter said officials in the United States and Europe are expected to start formal negotiations soon now that both have completed their legal analysis of what exactly the European court’s ruling means and what a replacement deal should include.
An exact timeline for forthcoming meetings was not disclosed, but the people said they don’t anticipate the transition to President-elect Joe Biden’s administration to slow down the progress and conversations already taking place remotely.
The Court of Justice of the European Union ruled on July 16, in a case brought by privacy advocate Max Schrems, that the 4-year-old agreement between the two regions known as Privacy Shield was not sufficient to keep E.U. citizens’ data safe from U.S. government surveillance programs, although privacy law experts contend that the government isn’t interested in most of the data involved in these transfers. The decision upended how more than 5,300 American and European companies transfer data such as customer information and human resources files.
But while Privacy Shield was nullified, many tech industry and privacy experts saw a strong alternative in standard contractual clauses, in which each company discloses in its contracts with its partners the likelihood that its home government could request copies of the shared records. U.S. and E.U. officials, meanwhile, began negotiations for a long-term replacement deal.
The court’s July decision did little to change this tool, instead leaving it up to each member country’s own data protection agencies to interpret the validity of the individual contracts between companies.
Four months later, Europe’s governing bodies overseeing data privacy regulations have offered mixed signals about how exactly companies worldwide — including those outside the United States and Europe — should make use of these contractual clauses, compounding the headaches companies already had in verifying and reworking all of their data transfer agreements.
“It’s a big deal. The headlines coming out of the Schrems II decision were ‘Privacy Shield struck down, but standard contractual clauses live to fight another day,’” said John Miller, senior vice president of policy and senior counsel at the Information Technology Industry Council, a tech industry trade association.
But draft guidance released this month from the European Data Protection Board “has the potential to completely undermine the ability of a lot of companies to use these standard contractual clauses for a large number of everyday business transactions, not just for transfers to the U.S., but for transfers to anywhere,” he added.
The European Data Protection Board, in its guidance, suggested that companies rely more on technical measures such as encryption rather than on their own assessments of whether the United States or other governments are likely to request data about E.U. citizens. The European Commission took a slightly different approach in a draft proposal it released this month, suggesting that contractual clauses are fine so long as they lay out the risk of international government surveillance.
All this follows a September white paper from the Commerce Department, Justice Department and the Office of the Director of National Intelligence where U.S. officials suggested that the majority of companies could satisfy European privacy laws by simply flagging that they’ve never received requests from government agencies for their records.
Caitlin Fennessy, research director at the International Association of Privacy Professionals and former Privacy Shield director from 2018 to 2019, said that the European Data Protection Board’s guidance could be interpreted mostly as guidelines, while the European Commission’s draft proposals could end up becoming the law of the land for global data transfers involving E.U. members. But those draft rules could change as comments come back.
Although the U.S. Commerce Department and European Commission said in August that they had initiated talks to find a more suitable path forward, it could be years before another deal is finalized, given that Privacy Shield took two-and-a-half years to negotiate, Fennessy said. That leaves companies trying to predict the future by reading between the lines of these two documents.
“Since August 10, the United States and the E.U. have continued to intensify their engagement in negotiations for an enhanced Privacy Shield Framework that addresses the issues raised by the court and enables transatlantic data flows,” Secretary of Commerce Wilbur Ross said in a statement to Morning Consult.
One person close to the negotiations between the United States and Europe is hopeful that talks will happen quickly given the “great deal of discussion and dialogue on the Schrems II situation.”
The two people also noted that although the United States and European Union differ in their regulatory approaches to privacy and surveillance, they are both coming into the talks with a common set of values and protections for their citizens.
In the meantime, Miller said small- to medium-sized businesses bear the brunt of keeping up with the guidance and draft proposals coming from both governing bodies to ensure their data privacy frameworks are up to par.
One thing smaller companies could end up doing is following the lead of large companies. Microsoft Corp. was one of the first companies to respond to the European bodies’ proposals last week, with Chief Privacy Officer Julie Brill saying in a blog post that the company will challenge “every government request for public sector or enterprise customer data” from all governments and provide financial compensation to European citizens whose data gets swept up in an international government’s data request.
However, some companies that have already gone through the necessary re-evaluation of their data processing and transfer mechanisms to prepare for other privacy measures — such as the court ruling that led to the creation of Privacy Shield, the E.U.’s General Data Protection Regulation or the California Consumer Privacy Act — might have a leg up, said Jay Cline, the U.S. privacy lead and principal at PwC.
“Most Fortune 500 companies had a running start for the July Schrems decision, but there’s still a lot of work to do,” said Cline, adding that implementing technical measures like encryption will be the biggest source of that work.
And Cline noted that European regulators’ past privacy cases provide helpful insight into what kinds of data are more likely to come under scrutiny. Emails or other standard business operations might not catch European regulators’ attention in the same way that sensitive health data could, for instance.
But with the looming threat of European privacy advocates filing complaints with the European Commission — and of subsequent investigations that could result in hefty fines — hanging over companies, the pressure to get everything exactly right and up to speed with the latest guidance is stronger than ever, Fennessy said.
“We have not seen the end game here,” she said. “There’s much more to come.”