In July, the EU’s highest court ruled that companies must build in new data protection safeguards if they send their data to a country whose intelligence laws threaten Europeans’ privacy rights under the 2018 General Data Protection Regulation. It also ruled that the Privacy Shield, a separate data-sharing agreement between the US and the EU, is illegal. The decision has caused panic among lawyers and company CEOs about how to enforce cross-border activity, as some data protection officials in the EU have advised companies to stop transferring data outside the EU.
“This is really difficult and very frustrating, probably for everyone involved,” said Peter Swire, former privacy commissioner in the Obama and Clinton administrations, speaking about the negotiations for a new agreement between the US and the EU. Mr. Swire spoke at the conference on Friday about protecting consumer data and privacy.
Companies will be able to easily transfer personal data between the EU and the UK, or between the EU and the US, if EU officials make what is known as an adequacy decision for both countries. The bloc grants such a decision when it finds a country’s privacy laws in line with EU standards. So far, only 12 countries, including Japan and New Zealand, have received adequacy decisions. The now-illegal Privacy Shield with the United States was a similar arrangement.
The UK poses unique problems for any adequacy decision because, as a former member state, it still applies the GDPR but could change the data rules in the coming years, said Bruno Gencarelli, a European Commission official monitoring the talks. “We have similar or identical starting points, and we need to find a way to address the future as well,” he said at a separate conference last week.
Without a suitable solution, British companies face additional legal costs of between 1 and 1.6 billion pounds ($1.37 and $2.19 billion), according to a study published in November by the New Economics Foundation, a London-based think tank.
“We need to recognise and accept that countries have different approaches to data protection,” said Joe Jones, head of international data regulation at the UK’s Department for Digital, Culture, Media and Sport, speaking on the same panel as Mr. Gencarelli. “Just because the country does things differently than we do doesn’t mean privacy is any less,” Mr. Jones said.
A coordinating group of European data protection supervisors will need to give their views before the EU and UK decide on adequacy. The European Commission, the EU’s executive body, will soon seek the advice of regulators, an official said last week.
One of the regulators’ concerns is whether companies can transfer Europeans’ data to the UK and from there to other countries such as the US, Florence Raynal, privacy adviser to the French regulator, said last week at a conference on consumer privacy and data protection. Ms. Raynal referred to the US-UK cloud agreement signed in 2019, which should allow law enforcement agencies to more easily access data for criminal investigations. This measure has not yet entered into force.
The negotiations between European and American officials go back a long way. Since the July decision, there have been only preliminary discussions about a follow-up privacy shield agreement, said Ralph Sauer, an EU official who worked with Mr. Gencarelli last week. “There is certainly still a lot of work to be done. The devil will be in the details,” he said. Mr. Sauer nevertheless said U.S. negotiators want to reach an agreement and referred to Gina Raimondo, President Biden’s Commerce Secretary nominee, who cited the privacy deal as a priority issue during her Senate hearing last week.
In the absence of adequacy decisions, many companies rely on standard contractual clauses – contract language pre-approved by the European Commission – to export data from the EU.
But a European Court of Justice ruling last summer said the current version is not strong enough to protect data from foreign surveillance. EU officials plan to publish a new version in March. An earlier draft of the rules, released in November, required companies to research foreign laws before deciding to migrate data.
Email Catherine Stapp at [email protected]