One of the European Union’s top officials has warned negotiations with the U.S. over a new data-transfer agreement could take years rather than months, making it difficult for companies to continue cross-border business without violating privacy rules.
EU officials hope to start new talks soon with U.S. Secretary of Commerce Gina Raimondo, whom the Senate confirmed last Tuesday and who is responsible for sealing a new trans-Atlantic data-flow deal.
It will be difficult to find a solution that protects Europeans’ data from U.S. law enforcement and intelligence authorities, EU Justice Commissioner Didier Reynders said in an interview.
But there are some developments that could ease the talks, such as a recent increase in state privacy laws in the U.S. and a push from American businesses to restore the European pact, he said. Mr. Reynders’s office leads the EU’s negotiations on international data transfer agreements.
“We don’t think it’s possible to do a quick fix,” he said. During her Senate confirmation hearing in January, Ms. Raimondo named the EU-U.S. data flow agreement as a priority. Mr. Reynders said he hasn’t spoken with Ms. Raimondo yet. The Commerce Department didn’t respond to a request for comment.
Negotiators are under pressure from businesses to fix digital trade relations after the EU’s top court shut down an existing trans-Atlantic deal last July. The court ruled that the previous Privacy Shield agreement was illegal and companies could no longer use it to transfer Europeans’ data to the U.S., which could expose it to government surveillance.
Laws including Section 702 of the U.S. Foreign Intelligence Surveillance Act give authorities access to Europeans’ data, but those individuals don’t have the same rights as Americans to challenge illegal surveillance, the court said.
If the U.S. passed federal privacy legislation, following calls from some members of Congress and business leaders in recent years, that would be “an important element” in fixing the current schism with Europe, Mr. Reynders said. U.S. states have passed a patchwork of laws over the past few years, with Virginia becoming the most recent state to add its own legislation last week.
U.S. legislation doesn’t need to be identical to EU rules for negotiators to strike a privacy agreement, but the jurisdictions should share similar data principles, Mr. Reynders said. Many American companies would easily adjust to new U.S. rules, he said. They already comply with the EU’s 2018 General Data Protection Regulation, the broad privacy legislation that applies in its 27 member states, he said.
A revamped trans-Atlantic data agreement would need to guarantee that Europeans’ personal information won’t be subject to U.S. surveillance and that Europeans can seek redress in American courts if they believe U.S. authorities accessed their information using surveillance laws that grant intelligence officials access to data, Mr. Reynders said.
Mr. Reynders said he hopes that the U.S. and EU could together hold discussions regarding data privacy with China, Russia and other countries after they reach a trans-Atlantic agreement. The Biden administration’s openness to multilateral policy discussions could make that easier than it would have been under the Trump administration, which withdrew from international treaties such as the Paris Agreement on climate, he said.
“If you want to speak about privacy with China…it’s important to show you’re taking care of privacy in your own legislation,” Mr. Reynders said.
The Trump administration’s decisions to limit the U.S. activities of Chinese company ByteDance Ltd.’s TikTok reflected concerns about data security that Europe shares with the U.S., he said. TikTok declined to comment.
Companies in the U.S. and Europe have urged officials to negotiate a new data-transfer agreement. In addition to striking down Privacy Shield, the EU court decision last July added restrictions to a separate legal mechanism for data transfers, known as standard contractual clauses, making them more difficult and expensive to use. “We cannot wait for years for a new decision,” said Théodore Christakis, a professor of European and international law at the Université Grenoble Alpes in France.
Around 75% of companies that use standard contractual clauses, which are contracts with language preapproved by EU officials, are based in the EU, according to a survey of 292 companies in 25 countries published in November by BusinessEurope, DigitalEurope, the European Round Table for Industry and the European Automobile Manufacturers’ Association, trade groups whose members include large multinational firms.
The past few years have been volatile for businesses that move data from Europe to the U.S. Privacy Shield replaced a previous agreement called Safe Harbor, which the same EU court ruled illegal in 2015. Both decisions stemmed from lawsuits filed by Max Schrems, an Austrian lawyer and privacy advocate.
In striking a new agreement with the U.S., Mr. Reynders said his “first concern is to avoid a ‘Schrems III’ decision,” referring to last year’s decision, known as Schrems II.
“There’s a huge need, there’s almost an obligation to succeed in getting it right this time,” Mr. Christakis said.
While striking a broad data agreement with the U.S. will take time, Mr. Reynders said his office is encouraging companies to exchange recommendations about how to properly use standard contractual clauses after the court decision last year required businesses to add stronger privacy safeguards.
After the court decision last summer, some European privacy regulators warned companies that they should stop transferring certain data to the U.S. altogether. Berlin’s regulator advised firms to make sure U.S. cloud providers store data in the EU. Privacy advocates have filed a number of complaints aiming to stop data transfers to the U.S.
A new trans-Atlantic pact would help companies do cross-border business and could stop initiatives to keep data stored in Europe, Mr. Reynders said. “It’s just a question of protection of data, it’s not a question of protectionism,” he said.
Write to Catherine Stupp at Catherine.Stupp@wsj.com