Bloomberg Law
March 25, 2021, 10:52 PM

EU-U.S. Data Privacy Talks Pick Up as Companies Sit in ‘Limbo’

Andrea Vittorio
Reporter

Stepped-up talks between the U.S. and the European Union around privacy protections for transatlantic data flows could signal policy proposals are coming soon that may lead to more certainty for U.S. companies moving data out of the bloc.

U.S. Commerce Secretary Gina Raimondo and EU Justice Commissioner Didier Reynders said in a joint statement Thursday that their governments agreed to “intensify” negotiations on the Privacy Shield, previously one of the main mechanisms governing data transfers from the EU to the U.S.

The statement is likely a welcome sign for businesses waiting for a data transfer solution. Otherwise companies could face hefty fines from European regulators or be forced to use data centers local to Europe instead.

“It will provide comfort to those companies who are in limbo,” said Dona Fraser, senior vice president for privacy initiatives at BBB National Programs.

Companies that must comply with European privacy rules have faced uncertainty since a July court ruling against the Privacy Shield. The EU Court of Justice cited concerns that European citizens’ data would be used for U.S. government surveillance, an issue that’s expected to be the focus of proposals for revamping the bilateral agreement.

The joint government statement points to an “enhanced” Privacy Shield, meaning parts of the policy mechanism that concern corporate data practices are unlikely to change significantly, Fraser said.

Christopher Hoff, the official charged with carrying out the Biden administration’s policy work on EU-U.S. data flows, and the Commerce Department’s press office didn’t immediately respond to requests for comment on the negotiations.

Surveillance Changes

Observers anticipate changes to the transfer protocol will concentrate on thornier issues surrounding U.S. intelligence practices.

The U.S. government must convince the European Commission to give its approval for privacy protections as adequate for data transfers, which could mean limiting the scope of intelligence-gathering.

The EU Court of Justice also took issue with what sort of redress the U.S. provides for individuals from the EU who are impacted by government surveillance. A State Department official is tasked with fielding complaints about European privacy rights violations that are passed on from EU data protection authorities.

“Those are issues only the government can address,” said Peter Swire, a law and ethics professor at Georgia Institute of Technology and senior counsel with Alston and Bird LLP. Swire also directs research for the nonprofit Cross-Border Data Forum.

Swire and other academics have suggested shifting such work to the Privacy and Civil Liberties Oversight Board, an independent agency tasked with balancing counterterrorism efforts and protecting people’s rights, or to officials in the intelligence community that work on these issues. Cases in need of judicial review could also be sent to the Foreign Intelligence Surveillance Court, which oversees requests for surveillance and searches for foreign intelligence purposes.

“I believe the U.S. government has provided or will soon provide a set of concrete proposals,” Swire said.

Company Challenges

An approach with targeted U.S. surveillance reforms that allow for an updated version of the Privacy Shield, rather than a total replacement, would allow companies to react more quickly, said Caitlin Fennessy, research director at the International Association of Privacy Professionals.

Fennessy, who was previously U.S. director for the EU-U.S. Privacy Shield, said it’s especially important for companies to see that negotiators don’t want to “reinvent the wheel” as other aspects of the data transfer regime remain in flux.

Even companies that don’t rely on the Privacy Shield but use another transfer tool built around corporate contracts still face questions around the use of additional measures such as encryption, so that data transferred would be unreadable. Added safeguards might not be enough to satisfy EU regulators for certain scenarios, including companies that use U.S.-based cloud service providers or those accessing data on European workers from abroad.

“The limited set of safeguards companies have access to ups the urgency for officials on both sides of the Atlantic to find a solution,” Fennessy said.

To contact the reporter on this story: Andrea Vittorio in Washington at avittorio@bloomberglaw.com

To contact the editors responsible for this story: Kibkabe Araya at karaya@bloombergindustry.com; Keith Perine at kperine@bloomberglaw.com