European Union Justice Commissioner Didier Reynders stated he does not expect a replacement for the EU-US Privacy Shield agreement to come quickly. Reynders said a new data transfer deal between the EU and US could take years rather than months as ‘it may be challenging to find a solution to protect European citizens' data from US intelligence agencies’.
Reynders added that a US-wide federal privacy law that would create uniform standards across states would be an "important element" to fixing the current schism between the U.S. and Europe. The news comes as US Congresswoman Suzan DelBene, reintroduced a proposal for exactly such a US-wide federal privacy law, that if passed, would create a national standard for digital privacy rights. She argues that not only will small businesses and U.S. citizens be affected by a patchwork of individual State privacy laws, but that it would also be challenging for global organizations to conduct business with American companies.
What’s in the bill?
The proposed Information Transparency and Personal Data Control Act is intended to give consumers across the U.S. more control over their data by implementing an opt-in model of collection and “plain English” privacy policies. Like other proposals, it would increase the authority of the FTC, giving it more power to fine companies while increasing the number of full-time FTC staff by 50 as well (15 of whom “technical experts”) and its budget by $35m. The bill would also require companies to acquire “privacy audits” by “a neutral third party” and submit those results each other year to the FTC.
Importantly, the bill would overrule state privacy laws like the California Consumer Privacy Act (CCPA) and Virginia’s recently introduced privacy law, Virginia Consumer Data Protection Act (VCDPA). Previous coverage by CNBC stated it would also exempt small businesses from regular audits of their privacy practices. “I understand why states are moving forward in the absence of the federal government moving, but I think it is much better to have a federal law versus a patchwork of laws” DelBene said.
Will it be enough?
But will the bill, if passed, be enough to open up free transfer of data between the EU and United States that companies so desperately need after Schrems II introduced significant hurdles to global data flows? For that to happen, the bill must do more than protect consumers’ privacy from business practices.
If we look at the EDPB’s Recommendation on European Essential Guarantees for surveillance measures, to protect European citizens' data from (U.S.) intelligence agencies, there should at least be the following safeguards in place:
- Guarantee A - Processing based on clear, precise and accessible rules
- Guarantee B - Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated
- Guarantee C - An independent oversight mechanism
- Guarantee D - Effective remedies need to be available to the individual
Timeline - priority by majority?
DelBene’s bill already gained support of House Democrats in 2020. With a Democratic majority in both houses and a Democratic President in the White House, it might be that the bill gets the priority it lacked in the past. DelBene previously raised concerns that "One of the biggest things is for folks to understand what a big priority it is, because, in the absence of feeling a sense of priority, no one wants to invest the time or take a position that might be controversial one way or another if they don’t think something is going to get done".
During her Senate confirmation hearing in January, U.S. Secretary of Commerce, Gina Raimondo, whom the Senate confirmed last Tuesday and is responsible for sealing a new trans-Atlantic data-flow deal, listed the EU-US data flow agreement as a priority.
If all guarantees mentioned are met, the tap on free EU-US data flow might open again. If not, Reynders might be right after all, companies having to deal with the current situation for years to come. Luckily, there are solutions to lessen the load. Why not try ours for free?