A new Congressional Research Service report on EU-US Privacy Shield invalidation and its aftermath lists possible options for Congress to facilitate US-EU data flows and a potential enhanced Privacy Shield accord. They include:

  • Exploring changes when authorizing and overseeing surveillance programs to better protect data privacy or otherwise address EU concerns;
  • Strengthening the Privacy and Civil Liberties Oversight Board (PCLOB) by urging the Administration to fill the open positions and considering whether to amend the Board’s responsibilities to specifically include oversight of intelligence community activities with regard to Privacy Shield to ensure protection of individual rights;
  • Considering comprehensive national privacy legislation to protect US personal data with data protection provisions that may align to some extent with GDPR requirements and provide some level of certainty to EU businesses and individuals while recognizing the limits that privacy legislation would have to address national security surveillance concerns;
  • Considering if a federal privacy law, combined with specific steps to address US surveillance concerns, would provide sufficient safeguards and guarantees so that the EU could grant a full US “adequacy” decision, eliminating the need to rely on special arrangements like Privacy Shield; or
  • Providing greater authority to the FTC to bring privacy enforcement actions and enforce Privacy Shield by removing limitations on the FTC’s jurisdiction with respect to common carriers and nonprofits.

The report notes that the Biden Administration has expressed its intention to use executive orders and administrative action to assuage EU concerns about US government access to personal data and about the availability of judicial redress. That could enable a successor accord to be reached more quickly.