Striking a new deal to allow U.S. companies to transfer data from the European Union will be a key test for the Biden administration, current and former officials say, as such a privacy agreement could play a central role in strengthening trans-Atlantic trade.
Thousands of businesses face uncertainty after an EU court halted a data-transfer accord this summer and as talks with the European Commission over a new framework drag on. Some privacy experts fear the transition of power in the U.S. could complicate negotiations further as many companies supercharge their data usage in response to the coronavirus pandemic.
“It must be a top priority by the Biden administration,” Sen. Maria Cantwell (D., Wash.), ranking member of the Senate Commerce Committee, said at a hearing last week.
The EU’s top court in July nixed the program, known as Privacy Shield, arguing that the transfer of consumer data stateside exposed Europeans to U.S. government surveillance without “actionable rights” to challenge it.
While U.S. companies can share data by other means, including methods known as standard contractual clauses and binding corporate rules, the Privacy Shield framework helped keep legal expenses and other costs down. That was especially helpful for small and midsize businesses without dedicated legal teams.
Cutting a new deal could take months or even years as Washington and EU member states seek common ground on surveillance norms and restrictions, according to former Commerce Department officials involved in previous data-transfer talks in the Obama and Clinton administrations.
Some privacy experts are calling for Congress and the Biden administration to seek stopgap measures to ease data flows for the program’s roughly 5,400 participants, which transfer data to support activities such as marketing, cloud services and human resources.
A federal privacy law could demonstrate to the bloc good-faith efforts to shift U.S. consumer protections closer to EU standards, they say. After becoming president, Joe Biden also could issue administrative orders that “meet the bar for actionable redress” in the EU for Europeans whose data is subject to U.S. surveillance, said Caitlin Fennessy, who directed the Privacy Shield program until last year.
Ms. Fennessy, now research director for the International Association of Privacy Professionals, highlighted as precedent the 2014 Obama administration directive issued in the wake of the Edward Snowden disclosures of National Security Agency surveillance. The directive underscored foreign nationals’ “legitimate privacy interests” and broadly outlined limitations and accountability measures for U.S. government data collection, forming the basis of the eventual Privacy Shield, Ms. Fennessy said.
As EU regulators issue strict guidelines for how companies transfer data outside the bloc, Commerce Department officials “are working urgently to resolve this crisis,” James Sullivan, deputy assistant secretary for services at the agency, said at last week’s Senate hearing.
Mr. Sullivan added that Commerce Department officials have met on multiple occasions with the Biden transition team and shared a memo outlining the state of play on data transfers.
Many privacy and digital trade experts expect the Biden administration generally to continue the Trump administration’s approach to data flows, despite turnover among political appointees. Obama administration officials from the Commerce Department and the Office of the Director of National Intelligence who helped negotiate the 2016 agreement also are advising the Biden transition, according to the transition team’s website.
The continuity between the Obama and Biden administrations on this issue will help move things along, said Justin Antonipillai, a former acting secretary for economic affairs at the Commerce Department who helped lead Privacy Shield talks.
Representatives for the transition team and the Commerce Department didn’t respond to requests for comment.
As policy makers explore a deal, many U.S. companies have turned to other vehicles to transfer data from the EU, including standard contractual clauses and binding corporate rules. Those mechanisms generally are more complicated to pursue, said Brian Hengesbaugh, chair of the data privacy and security unit at law firm Baker McKenzie.
Mr. Hengesbaugh, a former Commerce Department official who helped negotiate the Safe Harbor agreement that predated Privacy Shield, pushed back against some warnings of an EU crackdown on data transfers.
“We really need to see what is going to spin out in terms of actual enforcement,” Mr. Hengesbaugh said, adding that smaller companies typically aren’t the focus of U.S. government surveillance.
Still, data restrictions could disproportionately affect such businesses, said Nigel Cory, associate director for trade policy at the Information Technology and Innovation Foundation, a think tank.
“The big firms have a natural advantage in that they have the resources and expertise to build the systems to come into compliance,” Mr. Cory said. As for smaller businesses, he added, “they’ll essentially be squeezed out of digital trade.”
Write to David Uberti at email@example.com