Court ruling last year restricted data transfers to shield EU citizens from U.S. surveillance
By David UbertiJuly 21, 2021 5:30 am ET | WSJ PRO
The U.S. Commerce Department is still pushing to strike a new deal with the European Union to allow companies to transfer data legally across the Atlantic, an agency official said, but he wouldn’t provide a timeline for an agreement as negotiations with Brussels enter their second year.
The Biden administration is considering executive actions instead of a legislative fix to provide greater protections for EU citizens after the bloc’s top court last year said their personal information was exposed to U.S. surveillance, said Alex Greenstein, director of the Commerce Department’s Privacy Shield program, which certified businesses for such data transfers until the decision.
Mr. Greenstein spoke Tuesday at a virtual event hosted by the Information Technology and Innovation Foundation, a Washington, D.C.-based think tank.
The ruling from the European Court of Justice created legal uncertainty for companies that share data across borders to provide cloud infrastructure, advertising and other services that drive billions of dollars in trade. Privacy experts warn continued confusion over how U.S. officials meet EU data standards may push some of the roughly 5,400 firms in the program to relocate data or digital infrastructure to the bloc.
“As a matter of priority, we want to get something put in place as quickly as possible,” said Mr. Greenstein, who is helping to lead talks with EU officials on a successor agreement to Privacy Shield. “But it also has to be a strong agreement that meets legal standards.”
U.S. and EU officials discussed the issue at a summit in Brussels last month, Mr. Greenstein said.
The Commerce Department is studying potential guardrails for Washington’s access to EU personal data, he said, as well as citizens’ options for redress in the event of surveillance. A 2014 Obama administration directive on the government’s approach to such topics helped form the basis of the eventual Privacy Shield agreement.
“We do not wish this to fall to another legal challenge,” Mr. Greenstein said.
A spokesman for the European Commission, the EU’s executive branch, said talks are expected to continue throughout the summer. He didn’t comment further.
Trans-Atlantic data flows are crucial for U.S. firms that rely on customer data to hone their services, including large tech companies that dominate the digital ad industry, privacy experts say. Some businesses have instead turned to more customized legal tools to transfer data.
As talks with Brussels continue, Mr. Greenstein said, the Commerce Department has attempted to help firms use those mechanisms, known as standard contractual clauses and binding corporate rules.
But given that the majority of firms approved for Privacy Shield were small and medium-size businesses that may find such solutions costly, he added, “we also recognize that’s not a silver-bullet solution.”
Privacy experts say standard contractual clauses and binding corporate rules are generally more expensive for companies to pursue.
The negotiations highlight how companies’ collection, processing and storage of data is raising a growing number of geopolitical questions for governments in the U.S. and elsewhere.
Chinese regulators in recent weeks launched investigations into large tech firms, including ride-hailing giant Didi Global Inc., over its cybersecurity and data protection practices. In Washington, disagreements among national-security and trade officials over worker protections have slowed their attempts to craft a digital-trade deal with Asian countries that is intended, in part, to counter Beijing’s influence.
—Catherine Stupp contributed to this article.
Write to David Uberti at [email protected]