The writer is a partner at Perkins Coie in Los Angeles
The early morning call from the chief executive of a US-based multinational company was frantic. The European Court of Justice had just struck a crippling blow to its online operations and they needed a quick legal fix.
My client’s company — like many others — faced a stark choice: stop tracking and sharing data about EU customers with analytic teams based in the US or face billion-euro fines for not adhering to the court ruling.
Almost every major global company monitors online behaviour and collects digital data to run its business. That means the ECJ’s July ruling that struck down the transatlantic data-sharing regime, known as Privacy Shield, had immediate ramifications for thousands of companies operating across the EU and US.
The European privacy campaign group Nyob (None of Your Business) swiftly made the problem acute by filing 101 complaints against dozens of businesses — including retailers, banks and media groups — that it claims are still sending data to the US.
The crux of the ECJ’s decision related to concerns that date back to Edward Snowden’s 2013 revelations of extensive US surveillance and intelligence-gathering. They held that the data sharing regime failed to protect the privacy of EU citizens from American authorities.
Now there is an opportunity to create a new framework governing transatlantic data transfers that could win approval in Brussels and future-proof the arrangement to protect multinationals and millions of consumers alike.
After the US presidential election in November, either a re-elected Donald Trump, or a newly elected Joe Biden should amend a cold war-era presidential executive order on intelligence-gathering to break the data-sharing deadlock.
If the president were to amend the order, or issue a new one, to include judicial redress, or a private right of action for EU citizens in US intelligence court hearings, that would significantly address EU privacy and data security concerns.
To win more favour in European capitals, the new order should also a guarantees that data collection be limited to the minimum needed, and the US will not use legal manoeuvres to block EU citizens from having their privacy claims heard in an intelligence court. Both would be consistent with the stance taken by Barack Obama’s administration.
In truth, Mr Biden is far more likely than Mr Trump to move this way, given their disparate attitudes toward co-operating with the US, and, as vice-president, Kamala Harris would also be more likely to nudge a president Biden in this direction, based on her pro-consumer privacy record as a senator and California’s attorney-general.
But other factors may also come into play as companies seek to reboot the US-EU data-sharing framework. Voters in California will have a chance to weigh in because there is a new initiative on the November ballot in the US’s most populous state — the California Privacy Rights Act — which aligns closely with existing EU data protection law.
The initiative, among other things, would enshrine data transparency and create new restrictions on the way sensitive consumer data can be used. If enacted, it would cover Silicon Valley where many global technology firms crunch the online data flows of their European customers.
If the CPRA’s robust privacy protections were allied with an amended, or entirely new, executive order, the combination could provide an effective answer to the ECJ’s privacy concerns. It would also be a quick route to restoring a transatlantic data-sharing process that would bring significant relief to many boardrooms.
A new US-EU accord built on these principles would enable thousands of businesses to keep running their online operations, and the vital economic engines they provide, amid the pandemic.