Takeaways from a Congressional Trans-Atlantic Data Flows Briefing
On July 12, R Street’s Cyber team, in collaboration with the House Congressional Cyber Caucus, hosted a staff briefing discussing the status and trajectory of EU-U.S. data flows—namely, on the replacement for the EU-U.S. Privacy Shield Framework. With news ranging from social media companies potentially being unable to oscillate data to the United States to a pending executive order from the White House, restoring workable trans-Atlantic data flows is one of the year’s most anticipated privacy policy actions.
The Cyber Caucus, led by Reps. Jim Langevin (D-R.I.) and Michael McCaul (R-Texas), provides a forum for members of Congress from different committees and backgrounds to work toward securing Americans in cyberspace. Data flows was a fitting topic for a caucus briefing because, as one panelist noted, it is a refreshingly bipartisan issue. The briefing consisted of a diverse panel of experts with experience in industry, government and academia. It featured Alex Joel of American University, Gabriela Zanfir-Fortuna of Future of Privacy Forum and Evangelos Razis of Workday. The panel was moderated by R Street’s Brandon Pugh and included opening remarks by R Street’s Tatyana Bolton.
Through the panel conversation and staff questions, a wide range of topics on data flows were covered with an emphasis on cyber, international security and business implications. Key points are highlighted below.
What’s at stake?
Panelists first gave an overview of the complex topic to answer why a data flow framework is important. At a high-level, trans-Atlantic data flows are at the nexus of international security and privacy. Both U.S. and EU stakeholders have worked to strike the right balance between the two, but it’s proven to be complicated. And beyond these concepts, trans-Atlantic data flows underpin so much of our commerce today that ensuring their legality is a question of continuity of service.
Panelists conveyed how the inverse of data flows is data localization, where policies require data to be isolated in a specific country rather than being transferred or accessed across borders. On top of enterprise data, information sharing as it relates to security was also raised. Sharing threat intelligence would be harder to facilitate without a framework over time, as would hiring international cybersecurity experts.
Where are we now?
Since the Court of Justice of the European Union’s 2020 ruling invalidated the EU’s recognition of the Privacy Shield Framework, both sides have had to head back to the drawing board. Part of the challenge rests on ensuring that when European information leaves the European Union, it has essentially equivalent levels of protection that it would have within the jurisdiction. Speakers reminded the group that this is the second try since the original Safe Harbor agreement, and, therefore, avoiding a third invalidation ruling is paramount. Without the Privacy Shield, businesses are in a state of uncertainty on how to transfer data across the pond with many companies resorting to standard contractual clauses (SCCs), but panelists questioned the sustainability of this practice.
Panelists conveyed that two of the main concerns with Privacy Shield were around U.S. government commitments related to potential U.S. intelligence community access to EU citizen data and redress methods for EU citizens, which have to be solved for a future agreement to be upheld. Possible options were highlighted like a data protection review court. The question remains as to whether such a redress mechanism will be enough for the European courts to grant—and maintain—an adequacy decision in the face of already promised legal challenges.
Where are we going?
Looking ahead, the Biden administration announced earlier this year that a tentative agreement was reached on a trans-Atlantic data privacy framework and that an executive order is forthcoming that would formalize the United States’ commitments. Panelists conveyed that specifics of the negotiating process have been held tightly but that staffers should be ready to consider legislative options to implement parts of the framework or to consider additional areas. Some have already questioned whether an executive order is enough to guarantee the United States’ commitments.
One of the final comments expressed was about how data flows connect to comprehensive data privacy and security legislation that is gaining momentum on the Hill. While a privacy bill would not fully address the data flows issue, some panelists believe it would signal to the world how the United States views privacy and that passing a law is critical.
Overall, the briefing laid out how the Privacy Shield’s replacement is a question of international security and privacy. While the exact details of a new mechanism are still pending, stakeholders on and off Capitol Hill must understand what the stakes are and, perhaps more importantly, that the consequences of continuing without a framework are anything but business as usual.
