Early 2021 is turning out to be a delicate period for privacy negotiations. The European Union is conducting high-stakes talks with the Biden administration over how to allow corporate data transfers that will withstand future legal challenges despite U.S. intelligence-gathering practices. Separately, European privacy officials are working toward a June deadline to complete a similar arrangement with U.K. officials to continue data flows after the country left the union last year.

The EU’s top court ruled in July that companies must implement new safeguards to protect data if they send it to a country with intelligence laws that endanger Europeans’ privacy rights under the 2018 General Data Protection Regulation. It also said that Privacy Shield, a separate U.S.-EU data arrangement, is illegal. The decision prompted panic among corporate lawyers and executives about how to keep cross-border business afloat as some European privacy regulators advised companies to stop moving data to countries outside the bloc.

“This is really difficult and very frustrating, probably for everyone involved,” said Peter Swire, a former privacy official in the Obama and Clinton administrations, referring to the negotiations to broker a new deal between the U.S. and the EU. Mr. Swire spoke at the Consumer Privacy and Data Protection Conference on Friday.

Peter Swire, a former U.S. privacy official.

Photo: Rod Lamkey – Cnp/Zuma Press

Companies will be able to easily move personal data between the EU and the U.K., or the EU and the U.S., if European officials grant both countries a so-called adequacy decision. The bloc gives such a decision if it determines a country’s laws protect privacy in a way that is equivalent to EU standards. So far, only 12 countries have received adequacy decisions, including Japan and New Zealand. The now-illegal Privacy Shield with the U.S. was a similar arrangement.

The U.K. presents unique questions for a potential adequacy decision because it still applies the GDPR as a former member state, but could change data rules in the coming years, said Bruno Gencarelli, a European Commission official overseeing the discussions. “We have similar or identical starting points and we need to find a way to address also the future,” he said at a separate conference last week.

Without an adequacy decision, U.K. businesses face additional legal costs of an estimated £1 billion to £1.6 billion ($1.37 billion to $2.19 billion), according to a study published in November by the New Economics Foundation, a London-based think tank.

“We should recognize and embrace the fact that countries are going to take different approaches to data privacy,” said Joe Jones, head of the international data transfer regime at the U.K. Department for Digital, Culture, Media and Sport, speaking during the same panel as Mr. Gencarelli. “Just because a country does things differently to us doesn’t mean the outcome of data protection is any less high,” Mr. Jones said.

The umbrella group of European privacy regulators will need to weigh in on the EU-U.K. adequacy decision before it can go ahead. The European Commission, the EU’s executive arm, will soon ask the regulators for their opinion, an official said last week.

More From WSJ Pro Cybersecurity

One concern regulators have is whether companies can transfer Europeans’ data to the U.K., and from there move it again to other countries such as the U.S., Florence Raynal, an adviser to the French privacy regulator said last week at the Consumer Privacy and Data Protection Conference. Ms. Raynal referred to the U.S.-U.K. Cloud Agreement that was agreed in 2019 to give law enforcement authorities easier access to data for criminal investigations. It hasn’t yet taken effect.

Talks between European and U.S. officials are much further behind. Only preliminary discussions on a successor agreement to the Privacy Shield have taken place since the July decision, Ralf Sauer, an EU official who works with Mr. Gencarelli said last week. “There’s still certainly a lot of work ahead. The devil will lie in the detail,” he said. However, Mr. Sauer said U.S. negotiators want to reach an agreement and referred to Gina Raimondo, President Biden’s nominee for Commerce secretary, who named the privacy deal a priority during her Senate confirmation hearing last week.

In the absence of adequacy decisions, many companies rely on standard contractual clauses to export data from the EU, contractual language that is preapproved by the European Commission.

But the EU court ruling last summer said the existing version didn’t include strong enough provisions to protect data from foreign surveillance. European officials plan to publish a new version in March. A previous draft of the clauses published in November included requirements for companies to assess foreign countries’ laws before determining how to move data.

Write to Catherine Stupp at [email protected]

This post first appeared on wsj.com

Leave a Reply

Your email address will not be published. Required fields are marked *

You May Also Like

More than 100 animal species are found living on ruins of a 2,000-year-old warship near Sicily

The underwater remains of a ship lost in battle more than 2,000…

Another step closer to giving men the Pill! British men to trial hormone-free contraceptive that experts hope will make pregnancy prevention a ‘shared responsibility’

British men have become the first in the world to test a…

The 10 Best Games on Xbox Game Pass (June 2023)

Even when budgets are tight, Xbox Game Pass is one of the…

The 20 Best Amazon Prime Day (2020) Deals for $50 or Less

Instant Pot 6 Qt in Vintage Floral for $49 ($50 off) at…