Top EU Officials Hope Data-Flows Deal Will Be Completed this Year

A final deal will require a combination of executive action by the White House, implementing regulations by federal agencies and a multistep approval process by EU officials and member states, European Commissioner for Justice Didier Reynders said Tuesday.

“It is difficult to give a precise timeline at this phase,” said Mr. Reynders, speaking at the International Association of Privacy Professionals’ Global Privacy Summit. “But we expect that this process could be finalized by the end of this year.”

The EU high court in 2020 invalidated a previous agreement, known as Privacy Shield, for not adequately protecting Europeans’ data in the face of potential digital surveillance. The decision and ensuing 20 months of negotiations created uncertainty for businesses that relied on the legal framework to transfer information for activities such as cloud services, human resources, marketing and advertising.

While many large companies move data from the EU to the U.S. by other means, the preliminary deal—the Trans-Atlantic Data Privacy Framework—aims to replace the relatively low-cost Privacy Shield mechanism used by more than 5,000 businesses.

“You really can’t overstate the importance of this for small- and medium-sized companies,” said Paula Bruening, founder and principal of privacy consulting firm Casentino Strategies LLC.

The White House last month said that President Biden will sign an executive order that will limit U.S. surveillance activities to what is “necessary and proportionate” relative to national security threats, using a phrase that privacy experts say is a key recognition of European law. Washington also pledged to create a Data Protection Review Court comprising members outside the U.S. government to review cases and remedial measures.

Christopher Hoff, who helps lead the U.S. side of negotiations as the Commerce Department’s deputy assistant secretary for services, said Tuesday that “dozens and dozens” of lawyers in the U.S. government are now turning those political promises into legal texts.

Speaking at a separate session at the IAPP conference Tuesday, Mr. Hoff said the new approach translates to new compliance requirements for U.S. officials rather than private businesses.

“The company obligation has not changed,” Mr. Hoff said. “It’s been the government obligations that have had to change.”

Mr. Hoff declined to provide details on coming guardrails for U.S. intelligence or the process by which Europeans will be able to challenge surveillance.

Once the U.S. completes its proposed text, it will be scrutinized by European elected officials and regulators en route to being deemed adequate under the bloc’s privacy law, the General Data Protection Regulation. The process could run through the end of the year, said Bruno Gencarelli, head of international data flows and protection at the European Commission.

“But once again, that’s a guess,” Mr. Gencarelli said, speaking at the IAPP conference.

The final deal could face challenges from European privacy advocates. Such opponents have successfully pushed back on two previous data-transfer agreements since 2013 disclosures by former National Security Agency contractor Edward Snowden showed that Washington and its allies conducted mass digital surveillance.

Referencing those previous cases, known as Schrems I and Schrems II for Austrian privacy lawyer Max Schrems, Mr. Hoff said Tuesday that he is confident the new approach will prove durable.

“We don’t want this to happen another time,” he said.

Write to David Uberti at [email protected]