EU-US data transfers deal could be finalized by end of year, says bloc

The European Commission continues to eschew pronouncing a firm timeline for finalizing a new EU-U.S. data transfers deal after the two sides reached a political agreement on a way forward last month. But today justice commissioner, Didier Reynders, put out a slightly strengthened suggestion that a replacement for the defunct Privacy Shield could be adopted by the end of this year.

In remarks late last month, soon after the agreement in principle had been announced by Commission president Ursula von der Leyen and U.S. president Joe Biden, Reynders implied that finalizing everything by the end of the year “maybe” possible.

Speaking in a pre-recorded keynote address to the IAPP conference in Washington, D.C. today, he told delegates: “It is difficult to give a precise timeline at this stage but we expect that this process could be finalized by the end of this year.”

So — at the least — it looks clear that companies hoping for a high-level quick fix to resolve the legal uncertainty hanging over transatlantic data flows are still facing many more months of waiting. Which may be more time than Facebook has before a final data transfer suspension order hits it, in just one example of a long running regulatory procedure in this area. (Albeit, that particularly knotty, multiyear saga has already defied expectations of any swift resolution so Meta may yet find a way to wriggle through the regulatory cracks.)

Reynders said a lot still needs to happen for an adequacy decision to be adopted by the Commission — including the U.S. president signing an executive order and implementing regulations that execute on the details of what’s been agreed around limiting data gathering for national security purposes to what’s necessary and proportionate, as well as on redress, to adequately empower the proposed Data Protection Review Court to be able to hear petitions and take decisions that are binding on the U.S. intelligence services.

The July 2020 decision by the EU’s top court that struck down Privacy Shield also almost certainly won’t be the last time the CJEU is asked to scrutinize the detail of an EU-U.S. adequacy deal so the stakes for the Commission in adopting another data flows deal are high; if it gets the detail wrong a third time (also after the predecessor deal, Safe Harbor, was struck down in 2015) it will open itself up to trenchant and justified criticism.

The final legal texts of the replacement Privacy Shield arrangement will also face scrutiny from other EU institutions, including the European Data Protection Board — which, earlier this month, indicated where its attention will be focused — and the European Parliament (which was also heavily critical of Privacy Shield and had called repeatedly for its suspension, only to be ignored by the Commission). EU Member States will also need to vote for the new transfer deal.

Hence Reynders emphasized that “we still have a lot of work ahead of us,” before segueing into more comfortable talk of EU-U.S. “shared values.

“I do believe that this agreement in principle confirms once more how much the European Union and the U.S. can achieve by building on their shared values,” he suggested. “This is true in the area of privacy as in so many others” — pointing to what he couched as “an ambitious EU-U.S. dialogue on consumer protection” as also highlighting “the material benefits of policy and regulatory cooperation.”

“In this context we will look also at issues — at the interplay — between privacy and data protection,” he added. “When the challenges we are facing are the same and are increasingly of a global nature the best thing two likeminded partners such as the EU and the U.S. can do is to intensify their cooperation.”