A full year after 'Schrems II,' will a US-EU solution ever arrive?

A full year after Europe’s top court dynamited the transatlantic data bridge known as Privacy Shield, the namesake for the “Schrems II” decision said EU and US negotiators have accomplished little in the quest for a solution but “deflection and finger-pointing.”

“Only a fraction of European businesses have realised that the underlying conflict between EU data protection and US surveillance law will not be solved in the short-term, and have moved towards hosting personal data in Europe, or other safe regions, instead of engaging in an endless compliance nightmare over US law,” data-protection activist Max Schrems said today. He issued the written statement on the one-year anniversary of the July 16, 2020, European Court of Justice decision that nullified Privacy Shield, in a case initiated by Schrems.

US negotiators insist they're making progress toward a lasting solution. But American companies are growing increasingly restless, with the US Chamber of Commerce saying today that “the need for a new data transfer framework has only grown more urgent” as US companies find themselves locked out of European markets because of the legal uncertainty around international data transfers.

Some US companies, such as Cisco Systems, are finding workarounds to the Privacy Shield morass.

A new Cisco data center near Frankfurt, Germany, coupled with an existing data center near Amsterdam, allows Cisco to offer its European Webex video chat customers the ability to have “EU data residency.” That eliminates the need for legally problematic international data transfers to the US and other countries, the company’s EU president, Wendy Mars, said in a blog post this week which was — perhaps coincidentally — timed just before the Schrems II anniversary.

“This means that European customers will be able to store and process their data within the EU — including meeting recordings, shared files, or chats — all part of our customers’ daily Webex experience,” Mars said in another blog post last month that described Cisco’s EU data residency in more detail.

Republicans in the U.S. Congress, meanwhile, used today’s Schrems II anniversary as a reason to call attention to what they say is a lack of leadership by Democrats in Congress and President Joseph Biden on privacy, noting that the US stands nearly alone among western democracies in failing to pass a comprehensive national data protection law.

“The decision to invalidate the EU-US Privacy Shield Framework was a major setback for the privacy protections of Europeans and Americans and a significant disruption to cross-border data flow that so many charities, NGOs, and small businesses rely on,” US Representatives Cathy McMorris Rodgers of Washington and Gus Bilirakis of Florida said in a written statement. “This anniversary is a sharp reminder of the need for Congress to step up and do its job.”

A lead US Department of Commerce negotiator, Christopher Hoff, insisted on a recent webinar organized by the International Association of Privacy Professionals that, despite the lack of visible progress, the EU and US are not stuck at Square One in their talks.

"I definitely would assuage anyone’s fears that we are at the beginning of this negotiation. We are not at the beginning of this negotiation,” Hoff said.

Don’t hold your breath for a permanent fix, Schrems has been saying. During a webinar yesterday, he predicted the US will never significantly cut back the bulk data collection and other electronic surveillance activities of its intelligence agencies — one element of the privacy problem the ECJ cited in nullifying Privacy Shield.

“I don't see much opportunity for a solution,” Schrems said. “We have a lot of trying to cover this up with a lot of paper.”

US officials' inability to show actual concrete progress does little to assure anyone that Schrems has it wrong. One party conspicuously quiet on the Schrems II birthday today was the Commerce Department, where new Commerce Secretary Gina Raimondo has insisted finding a legal replacement for Privacy Shield is a top priority.

Asked early in the day for a comment about the progress on Privacy Shield talks on the first anniversary of Schrems II, a Commerce Department spokesperson said a statement was forthcoming. Later in the day, the spokesperson said it had been drafted, but was awaiting review in the secretary’s office. Hours passed.

Like a solution to the Privacy Shield crisis during the first year after Schrems II, the statement never arrived.