Lessons from a Privacy Shield post-mortem on Capitol Hill

On December 9, the US Senate Committee on Commerce, Science, and Transportation held a hearing on the consequences of the European Court of Justice’s (ECJ) invalidation of the EU-US Privacy Shield, the main vehicle to allow transfers of data from the European Union (EU) to the United States—and on the uncertain future of transatlantic data flows. The event lacked the passion and publicity of pre-election Congressional inquisitions of US technology company leaders on competition and content regulation. But the sober, factual, and concerned tone of the proceedings illuminated the deepening transatlantic divide over data transfers, and it highlighted the early challenge the subject looks to pose for President-elect Joe Biden’s administration, which is eager to repair US-EU relations.

The ECJ’s July Schrems II judgment, which invalidated the Privacy Shield agreement for reasons related to US surveillance law, forced companies to shift to standard contractual clauses (SCCs) as an alternative legal vehicle for protecting personal data sent from Europe to the United States for commercial purposes. While the ruling did not interrupt data flows at the time, the court also insisted that companies bolster SCCs with additional safeguards to guard against the risk of foreign surveillance of transferred data.

On November 10, the European Data Protection Board (EDPB) produced draft guidance recommending, among other things, that companies employing SCCs adopt end-to-end encryption of data. The EDPB also pointed out that end-to-end encryption, while recommended, is not feasible for data transfers to cloud service providers, which require access to data in the clear, or for transfers within a corporate group for shared business purposes such as human resources or customer service. If the EDPB guidance survives unchanged, companies would be legally unable to conduct these major types of transatlantic data transfers. The unexpectedly tough regulatory pronouncement added urgency to US government efforts to negotiate the Privacy Shield’s successor with the European Commission. 

The chairman of the Senate Committee on Commerce, Science, and Transportation, Roger Wicker (R–MS), opened the December 9 hearing by describing the tasks that would satisfy the administration’s ambition for a “durable and lasting” transatlantic data-transfer framework as a “tall but essential order.” The two administration witnesses lamented the demise of Privacy Shield and defended the US privacy regime. US Department of Commerce Deputy Assistant Secretary for Services James Sullivan acknowledged that the Schrems II judgment had created “enormous uncertainties for US companies and the transatlantic economy at a particularly precarious time.” Noah Phillips, a member of the Federal Trade Commission (FTC), pointedly observed that the FTC’s consumer privacy-enforcement actions against Facebook, TikTok, YouTube, Zoom, and other companies had already had a “greater impact than any others in the world,” since those settlements apply to the companies’ worldwide operations.

Several senators pressed the witnesses to explain the likely consequences of Europe’s impeding of data-transfer mechanisms for companies. Phillips called out “prominent European voices” advocating for data localization in Europe, “sometimes under the rubric of data sovereignty.” “Liberal democracies should be uniting, not splintering,” he added. Sullivan conceded that in recent months some US companies had begun considering data localization in Europe, a solution that would be “exceedingly expensive—especially for small- and medium-sized enterprises—and pose numerous technical problems for the global business models of most US companies operating in Europe.” Peter Swire, a Georgia Tech law professor and research director of the Cross-Border Data Forum, added that localization would be particularly problematic for transatlantic financial-data transfers.

Neil Richards, a Washington University law professor, described the current transatlantic divide over privacy and surveillance as a “creature of distrust,” with roots in the long-standing US failure to adopt comprehensive national privacy legislation and Edward Snowden’s 2013 revelations of National Security Agency (NSA) surveillance. Several committee members who have proposed privacy bills during the current Congress, including Senators Maria Cantwell (D–WA) and Richard Blumenthal (D–CT), probed how enactment of a domestic privacy law could help address Europeans’ concerns. Richards explained that creating privacy rights for Americans, like the rights contained in the EU’s General Data Protection Regulation (GDPR), would help make US privacy protection legally adequate in relation to Europe’s protections. Sullivan suggested that a comprehensive US privacy law would help “atmospherically” with the EU, while also observing that it would not address the specific issues of US surveillance law and practices on which the Schrems II judgment had turned.

Changing US surveillance law to tackle the problems identified by the ECJ—the absence of judicial redress for surveilled foreigners and the vast scale of the US signals-intelligence collection system—also was essential, according to Richards. Swire foresaw difficult discussions ahead with the EU on these issues, suggesting that the US offer interim fixes in return for a one-year agreement that would return data flows to normal. “This sort of breathing period,” he proposed, “would enable a new administration to engage systematically to create durable approaches for agreements with the EU on data protection and other issues.”

Victoria Espinel, the president and CEO of BSA | The Software Alliance, a software-industry lobby group, also focused on the longer-term dimension. She urged the Biden administration to “lead a conversation with other governments about the appropriate use of safeguards to protect privacy and fundamental rights, the level of independent oversight, and the ability of individuals to obtain redress for violations,” asserting that “a common understanding on best practices will improve transparency among America’s allies and decrease future transatlantic data conflicts.” Sullivan concurred that “democracies should come together to articulate shared principles regarding government access to personal data,” noting that the United States recently has agreed to take part in such a discussion at the Paris-based Organization for Economic Cooperation and Development (OECD).

The Senate hearing clearly demonstrated the practical problems that companies engaged in transatlantic data transfers face, as well as the considerable difficulties that Washington and Brussels confront in restoring stability to the legal regime. It also underscored the rising political stakes, as US legislators faced with an already-full domestic technology-policy agenda devoted time to a once-arcane topic in transatlantic relations. Indeed, Chairman Wicker mentioned in his remarks that he had been called by a member of the European Commission in advance of the hearing, indicating that Congress’ new engagement has not gone unnoticed in Brussels.

The US government reportedly delivered a proposal to the European Commission recently that suggests changes in US privacy protections for surveilled Europeans in response to the defects in judicial redress identified by the ECJ. The ideas build on suggestions that Swire and I put forward in a Lawfare post, which has been deemed a “valuable framework” by a former senior EU privacy lawyer. If agreement can be rapidly reached with the European Commission, then US President Donald J. Trump’s administration may make the necessary changes through an executive order or another form of executive action before Biden’s inauguration on January 20.

Whether the European Commission will be prepared to accept enhancements to Privacy Shield that do not entail the US changing its underlying surveillance law is open to doubt, however. The Commission operates under the scrutiny of civil libertarians in the European Parliament, not to mention under the watchful eye of a European court that has tossed out two transatlantic data-transfer agreements in the past five years. But business pressure for a deal, even a short-term one with questionable staying power, has grown significantly on both sides of the Atlantic, so the prospect cannot be ruled out. More likely, though, the Biden administration will have to add commercial data transfers to the sizeable pile of festering transatlantic trade disputes requiring immediate attention.

Kenneth Propp is a nonresident senior fellow in the Atlantic Council’s Future Europe Initiative.

Further reading

Image: A man looks at data on his mobile as background with crowd of people walking is projected in this picture. REUTERS/Kacper Pempel/Illustration/File Photo