Commerce Official: EU-US Data Transfer Deal Won’t Require Wholesale Shift
The U.S. can reach a data transfer agreement with the EU without wholesale revisions to American surveillance laws, said Department of Commerce EU-U.S. Privacy Shield Director Alex Greenstein Friday (see 2009100001). On an ACT|The App Association webcast, he said any deal will depend on EU interpretations of the General Data Protection Regulation (GDPR).
The European Court of Justice (ECJ) in July invalidated the Privacy Shield (PS) in the Schrems II case. A solution will involve complying with the court’s decision, said European Commission Policy Officer-International Data Flows and Protection Alisa Vekeman. Passage of a U.S. privacy law would help solidify a future arrangement, though it won’t solve the surveillance issues, she added.
Meeting the ECJ’s demand would require a fundamental shift in U.S. surveillance law, said Chertoff Group Senior Adviser Paul Rosenzweig. If the EU expects that wholesale shift, there won’t be a long-term agreement, he added: No administration, including one under Democratic presidential candidate Joe Biden, will be able to reach consensus on such a dramatic change.
The U.S. needs strong federal privacy legislation that addresses the concerns in Schrems II, but EU companies must have candid conversations to find flexibility within the GDPR, said ACT President Morgan Reed. He called GDPR an aspirational law with broad interpretations. Some EU members don’t meet the standards with their surveillance practices, he said.
Greenstein noted varying interpretations of the GDPR from EU nations. How local rules are applied to government access to data will weigh heavily on negotiations, he said. Commerce believes U.S. laws and practices meet or exceed laws in Europe, he added, saying the U.S. has a strong system of oversight and limits. The department was disappointed with the Schrems II outcome but is committed to working with EU counterparts to enable data flows, he said.
No one questions strong U.S. oversight, but many unknowns remain, said Vekeman, citing Executive Order 12333 (see 2003300055). She denied the EU is applying a double standard to European and American companies because the ECJ’s decision is based on existing EU protections: The EU had a judgment from its highest court and must comply. It would be the same with a judgment from the Supreme Court in the U.S., she said, noting both sides want to avoid a Schrems III.
The EU is particularly focused on continuing U.S. talks for a new and improved shield but also on finalizing modernization of standard contractual clauses (SCCs), said Vekeman. SCCs are the most common mechanism for transferring data between the U.S. and EU. There's a big need for practical guidance, which should be as complete as possible to give companies exact instructions for transfers, she said. Examples for everyday practitioners are lacking, said Nouss/SolidQ CEO Fernando Guerrero. He said it’s difficult to figure out which aspects of the decision apply to certain companies and transfers.