According to EU officials, this could take years, not months.
International data flows between the EU and the U.S. are crucial for many organizations' core business operations. That's the reason for the virtual "gasp" heard 'round the world when the EU's highest court struck down the data transfer agreement more than 5,000 companies used to facilitate cross-border movement.
In July 2020, the Court of Justice of the European Union ruled in Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems (Case C-311/18, known as "Schrems II") that the Privacy Shield agreement was invalid because of shortcomings the court found in U.S. law. Namely, U.S. surveillance programs under Section 702 of the Foreign Intelligence Surveillance Act that allow for bulk collection of individuals' data, and "the limitations on the protection of personal data arising from the domestic law of the United States on the access and use by U.S. public authorities of such data transferred from the European Union to the United States."
In essence, the U.S. doesn't have a federal data privacy law. The EU boasts what's often called the "gold standard" of privacy law, the EU General Data Protection Regulation. Absent other safeguards, the EU only allows data to cross borders to countries whose legal frameworks provide protection "essentially equivalent" to the GDPR. And the court found that the U.S. doesn't meet that standard.
Also, EU law gives individuals a right to "redress" before an independent body if they believe intelligence agencies have unlawfully surveilled them. The court found that the U.S. offers EU data subjects no effective mechanism of that kind.
The Schrems II case triggered a panic that's rippled across the globe. The ruling signals trouble for the future of data transfers between the EU and the U.S., and for transfers to any third country that doesn't yet have a GDPR-like privacy law.
There are still existing data-transfer mechanisms to use absent Privacy Shield. Standard contractual clauses and binding corporate rules remain valid. But those mechanisms require individual agreements between the affected parties and can be costly. Also, the Schrems II judgment cast some doubt over the use of standard contractual clauses, since it requires exporters to assess, case by case, whether the destination country's law undermines the clauses' protections. Companies are awaiting final guidance from the European Data Protection Board before implementing any major changes there. That leaves organizations hungry for a Privacy Shield replacement, a blanket agreement under which they can certify they're going to treat data according to the rules and then transfer freely.
The problem is: It's not yet clear how the U.S. and EU will overcome the divide. U.S. intelligence and law enforcement agencies are vehement that they need access to the surveillance data, as allowed under Section 702, to fight terrorism and other crimes. And as long as that allowance exists under U.S. law, the EU will be dissatisfied.
The second hurdle is passing a federal privacy law in the U.S. While there's perhaps more momentum now than ever before given state action on privacy, there's no indication a law is imminent. Only one lawmaker has introduced a federal proposal so far this year.
For companies anxious for Privacy Shield's replacement, it doesn't look good. On March 9, the Wall Street Journal reported that negotiations could take "years rather than months, making it difficult for companies to continue cross-border business without violating privacy rules."
The report added that EU officials plan to start talks with U.S. Secretary of Commerce Gina Raimondo, who is responsible for securing a deal on the U.S. side. The U.S. Senate confirmed her nomination to the post in early March.
For now, companies must ensure they're following data protection laws as closely as possible until the EU and U.S. reach a new deal. German data protection authorities, for example, have already indicated they'll be watching companies with data subjects in Germany closely.
If your company is relying on standard contractual clauses to get through the uncertainty, be sure to read the European Commission's draft of the new clauses, which sets out the future of that mechanism.