With last Friday’s announcement of a much-awaited cross-border data privacy framework between the EU and U.S., global data flows are once again front and center in the data privacy world. This spring, I’m fortunate to be co-teaching a seminar with Professor Alex Joel at American University Washington College of Law on Privacy Across Borders. At the same time, Professor Joel has also launched the Privacy Across Borders (PAB) initiative that brings together a range of experts and practitioners to develop much-needed practical, actionable recommendations for ensuring the viability of cross-border data flows.
There is an old saying that necessity is the mother of invention. The PAB initiative is addressing a decades-long necessity to maintain data flows from the EU to the US. The challenge is to find a viable, long-term solution that provides certainty to individuals, businesses, and governments regarding the legitimate flow of information while respecting data protection frameworks from both sides of the Atlantic.
In a recent class, Alex and I explored the use of international agreements to facilitate the cross-border flow of data in a privacy-sensitive manner. We quickly reviewed twenty years of history to illustrate the extent of the challenge. In the wake of September 11, the US negotiated the 2004 Passenger Name Record Data Transfer agreement (US-EU PNR agreement) as a mechanism to assist with cooperation against terrorism. The US-EU PNR agreement required European airlines to supply PNR data to US authorities within 15 minutes of a plane taking off. During my tenure at the Department of Homeland Security, one of my first assignments was to organize the first EU-U.S. joint review of that agreement. In 2007, I later served as a subject matter expert for the DHS team in negotiating a new agreement, when the European Court of Justice invalidated the PNR agreement in 2006. Finally, in 2012, a third PNR agreement was approved and adopted by the European Parliament. (An official EU timeline of these agreements can be found here). Despite these efforts, some commentators believe the latest PNR agreement is in jeopardy.
In that class, we also discussed an agreement involving an organization that has been in the news recently given Russia’s invasion of Ukraine and the world’s response. After 9/11, the U.S. Department of Treasury initiated the Terrorist Finance Tracking Program to “follow the money” as part of the government’s counterterrorism efforts. In 2010, the Treasury Department and the European Union put in place an agreement governing the transatlantic transfer of SWIFT data to the Department of Treasury in response to Treasury subpoenas, subject to multiple layers of controls and oversight (when Alex was in government, he participated in several joint U.S./EU reviews of that program).
Yet another example is the so-called EU-U.S. Umbrella Agreement, a comprehensive high-level data protection framework for cross-border law enforcement cooperation that took over five years to negotiate and concluded in 2016. As with other agreements between the EU and the U.S., it contains a range of commitments “to ensure a high level of protection of personal information.”
From my experience with the PNR agreements, I sought to make my own contribution to the effort by compiling existing information sharing agreements in a reference guide, The Guide to U.S. Government Practice on Global Information Sharing (now in its third edition with co-author Neal Cohen). My goal was to provide a reference source to future negotiators to show that there has been an established practice for international sharing of personal data between the US government and other governments around the world. While it may seem as if Safe Harbor was the first EU-U.S. cross-border agreement on personal information, the US has engaged in a long-standing practice–dating back to the 1970s–to share personal information.
These agreements show that despite the differences between the EU and U.S. legal frameworks, it is possible to reach an agreement on how to transfer data in a way that meets the needs of public safety and security, on the one hand, and privacy and data protection, on the other. Both sides have many years of intensive experience developing, implementing, and overseeing such agreements, to their mutual benefit.