Speaking Monday at the State of the Net conference in Washington, D.C., U.S. Department of Commerce Privacy Shield Director Alex Greenstein said his team and their European counterparts are trying to clear up the fuzziness around international information exchanges as quickly as possible.
"We definitely recognize that there has been a lot of instability in data transfers and that companies are operating in an environment of uncertainty right now," he said. "We and our partners in Europe are trying to conclude this negotiation as quickly as possible. We recognize this is having an impact on U.S. companies but also EU companies."
Greenstein added that although he can't give a specific timeline for striking an agreement, "we're sort of in the home stretch. We will hopefully have good news soon."
After the European Court of Justice in July 2020 struck down for the second time a mechanism that thousands of multinationals relied on to legally transfer data from the EU to the U.S., talks began almost immediately between the European Commission and U.S. Department of Commerce to come up with a replacement.
Although the past year has failed to yield an agreement, officials on both sides of the Atlantic have signaled that they remain motivated to come up with a new lawful data transfer mechanism to replace the invalidated Privacy Shield, and people watching the space agree that another revamped version of this deal is imminent.
Sean Heather, senior vice president of regulatory affairs for the U.S. Chamber of Commerce, said Monday he's optimistic that a data transfer agreement will be reached soon, especially as Russia's invasion of Ukraine drives home the urgency of international cooperation.
"I do think this has put a renewed emphasis on the importance of transatlantic talks. I'm not in the negotiating room. I'm not at the table, but I feel like we have a chance to see something maybe mid-spring, late spring, early summer. That would be the window that I'm watching right now," Heather said.
He also highlighted how important it is to companies at home and abroad that the gray areas around European data transfer protocols be resolved quickly. A Privacy Shield replacement would provide companies with a more efficient way to lawfully transfer data than standard contractual clauses and binding corporate rules, the current alternatives for transferring data outside the EU.
Standard contractual clauses, or SCCs, have become even trickier to implement in recent months, after the European Commission in June took the long-awaited step of updating the rules to establish a "modular" structure that will allow companies to better tailor their contracts to their data processing activities while requiring them to guarantee that they have taken reasonable steps to assess these transfers and ensure that the exchanges don't raise any data protection concerns.
"This giant question mark, I think, has chief policy officers and general counsels of major companies both in Europe and the United States kind of scratching their heads saying, 'What does this mean?'" Heather said.
As the Privacy Shield negotiations wrap up, Greenstein emphasized the complexity of the issues that the U.S. and EU regulators are still grappling with — including Europe's hesitancy about potential data surveillance in the U.S. In striking down Privacy Shield, the Court of Justice cited concerns over the failure of the pact to protect EU citizens from having their data intercepted by U.S. authorities or from allowing them adequate means to challenge these transfers.
"What we're working to negotiate right now is something that threads the needle between what the European Court of Justice requires under European human rights law, and also sort of what is possible under the U.S. Constitution, and also what is advisable given the national security commitments that the United States has," he said.
Heather suggested that another issue that has bogged down negotiations is Europe's aggressive advancement of technology-related standards that don't have clear counterparts in the U.S.
"Europe has decidedly put out its markers as to where it wants to go on [artificial intelligence], where it wants to go on competition policy, where it wants to go on data policy," Heather said. "On the core regulatory issues of data governance and the digital economy, Europe has decided the path they want to pursue, and I don't think it is interested in listening to the United States."
--Additional reporting by Allison Grande. Editing by Stephen Berg.
For a reprint of this article, please contact firstname.lastname@example.org.