Illustration: Eniola Odetunde/Axios

Some businesses fear growing liability while others worry that small and mid-sized firms will get hurt as the U.S. and Europe begin work to replace Privacy Shield, the pact that let thousands of firms transfer data across the Atlantic without breaking EU privacy rules.

Why it matters: Without a replacement in place after the EU's high court struck Privacy Shield down last month, thousands of businesses will be stuck complying with an agreement that no longer applies in the EU while scrambling to figure out how to get data over from Europe without exposing themselves to legal risks.

What's new: This week, the Department of Commerce and European Commission announced they have started discussions to come up with a new framework to govern data transfers between the EU and the U.S.

  • Flashback: When a European judge struck down an earlier agreement, called the Safe Harbor, it took about six months to agree on a new one.
  • Things could go quicker this time because the ruling gives officials a guide to issues they need to consider in any new agreement, Guido Lobrano, vice president of policy for Europe at the Information Technology Industry Council, told Axios.
  • Still, COVID-19 could complicate matters, as officials can’t huddle in person.

Where it stands: Businesses that relied on Privacy Shield to certify that they were being responsible with user data now face three key challenges.

1. Privacy Shield is still the law of the land in the U.S.

  • That means fines and compliance obligations won't stop even though the agreement is no longer valid in the EU. FTC Chairman Joe Simons said at a recent Congressional hearing the agency would still be enforcing it.
  • This is because many companies have built data protection promises made under Privacy Shield into vendor contracts and their terms of service. If they stop complying, the FTC could consider it a deceptive act.
  • "It's a tough situation for a lot of companies," David Bender, a data and privacy lawyer at Covington and Burling, told Axios. "Frustrated and confused is how I'd describe the general mood."

2. Privacy Shield's absence could entrench tech giants' dominance.

  • Some 5,300 businesses relied on Privacy Shield to safely transfer data. Most of them are small and midsize, while their larger counterparts instead protect themselves by customizing more complex "standard contractual clauses" drafted by the EU, an approach that's more expensive and complex.
  • After the July 16 decision, Microsoft, Google Cloud, Amazon Web Services and Facebook all sought to reassure users and customers that transfers would be uninterrupted.
  • It's another example of Big Tech firms' deep pockets and crack legal teams helping them weather regulatory uncertainty more easily than smaller companies, even as their size and power is being questioned worldwide.
  • "As with any compliance concern, it's a matter of capacity for small and medium businesses," Cobun Zweifel-Keegan, deputy director of privacy initiatives at BBB National Programs, which administers a Privacy Shield dispute resolution program for 1,100 businesses, told Axios.

3. The U.S. and EU may never deliver an agreement that can pass legal muster.

  • The court's chief rationale for killing Privacy Shield was that digital surveillance by the American government makes it impossible to ensure that Europeans' data can be protected once it enters the U.S.
  • That was also the main reason the court struck down the Safe Harbor. It's unclear if it's even possible to create an agreement that can survive a court challenge absent a radical change in U.S. surveillance practices — and the Trump administration has agitated for more digital surveillance, not less.

The big picture: The uncertainty and complications raised by the end of Privacy Shield only threaten to push the U.S. and Europe further apart as the global internet grows increasingly balkanized.

Editor’s note: This story has been corrected to show that ITI’s Guido Lobrano said the conditions are right for a new privacy agreement to be reached more easily this time, not that it would take longer.

Go deeper

Updated Sep 20, 2020 - Technology

Trump agrees to TikTok deal

Illustration: Sarah Grillo/Axios

President Trump on Saturday said he approved "in concept" a deal whereby TikTok will be allowed to continue operating in the U.S., with Oracle as its "trusted technology partner."

Why it matters: TikTok has nearly 100 million U.S. users, and is still growing fast. Trump has threatened to ban it, due to data privacy concerns related to TikTok's ownership by Chinese tech company.

Mike Allen, author of AM
5 mins ago - Politics & Policy

Trump sees court fight as virus respite

Spotted at Trump's rally last night at Harrisburg International Airport in Middletown, Pa. Photo: Joshua Roberts/Reuters

At a rally in Pennsylvania last night, President Trump basked in adulation for Judge Amy Coney Barrett and said: "She should be running for president!"

Why it matters: She might as well be. The Trump campaign is thrilled to be talking about something besides the president's handling of COVID, and is going all-in to amp up the court conversation.

Mike Allen, author of AM
5 mins ago - Politics & Policy

Democrats feel boxed in on strategy for Barrett confirmation fight

Photo: Chen Mengtong/China News Service via Getty Images

Democrats privately fear that going too hard on Judge Amy Coney Barrett in her confirmation hearings could wind up backfiring, if senators are perceived as being nasty to an accomplished woman.

Driving the news: Yesterday afternoon, NBC posted video of Coney Barrett outside her house in South Bend, Ind., loading four of her seven children — two of the seven adopted from Haiti, and another with Down Syndrome — into her Honda Odyssey minivan, then driving them all to her Air Force ride to Washington. "Good luck, Democrats," a Republican tweeted.