EC Adequacy Decision Coming 'Soon,' Official Says
Expect an adequacy decision on U.S.-EU data transfers "soon," a European Commission official said on a Friday Atlantic Council Europe Center webinar. The EC is "very confident" the proposed framework will survive a challenge in the European Court of Justice (ECJ), said Lucrezia Busa, a member of Justice Commissioner Didier Reynders' cabinet. If it doesn't, several alternatives could be considered, including some sort of multilateral scheme, panelists said. An adequacy decision is a finding by the EC that a non-EU country's data protection regime affords privacy protections essentially equivalent to those granted under EU law.
Sign up for a free preview to unlock the rest of this article
If your job depends on informed compliance, you need International Trade Today. Delivered every business day and available any time online, only International Trade Today helps you stay current on the increasingly complex international trade regulatory environment.
"Stay tuned; you won't be disappointed," said Busa, saying she was speaking personally. But Kenneth Propp of the Europe Center said challenges could come in two areas: the necessity and proportionality of U.S. data collection and the redress system for Europeans whose data is misused. The U.S. has, for the first time, agreed with Europe's stance on the need for necessity and proportionality in data collection, but bulk data sweeps remain a concern for the EU. The other issue is the U.S. proposal for a data protection review panel, which is an administrative body rather than an actual court. Nevertheless, Propp said, his initial assessment of the framework is that the framework "stands a better chance" of being accepted by the ECJ.
If the framework falls, what else could the U.S. and EU do to ensure the free flow of data? Propp suggested two alternatives in an issue briefing: Engaging the Trade and Technical Council, which has done "solid work" on AI and could take up the topic of privacy risks, or discussing data protection in the context of a bilateral digital trade agreement.
Interest has increased in multilateral privacy agreements, speakers said. Businesses have often flagged the need for more tools in the toolbox to enable cross-border data transfers, said Steven Lang, U.S. State Department deputy assistant secretary-international information and communications policy. The U.S. adapted an "all-of-the above" approach that includes the EU general data protection regulation (GDPR), binding corporate rules, standard contractual clauses and other mechanisms, and wants all tools to be scalable and interoperable, he said.
The U.S. also believes cross-border privacy rules under which companies can certify privacy programs under core principles from data protection regions worldwide are good, Lang said. Asked whether multilateral initiatives would be compatible with the GDPR, Busa said Europe's data protection system is unilateral, but the EU doesn't want everyone to "cut and paste the GDPR." The bloc is open to talks with other countries to gauge if their systems offer adequate protection, she said: This doesn't preclude the use of common principles as long as they're done within the boundaries of EU legislation.
The situation is ripe for a multilateral initiative, Propp said. There's a lot of frustration around the world about how the EU-U.S. discussion has taken the air out of the wider debate on data protection. The good news is that there has been a "burst" of initiatives responding to the desire for a simpler data flow system, such as from the Organisation for Economic Co-operation and Development and the Council of Europe. Despite that momentum, he said, no one knows how they would fit together.