Communications Litigation Today was a Warren News publication.
US Legislation Sought

EC Preparing Modernized Data Transfer Draft Document

The European Commission will “very soon” issue a draft for modernized standard contractual clauses, said International Data Flows and Protection Head Bruno Gencarelli during a Technology Policy Institute panel Monday. There’s a vital need to maintain international data flows after the Schrems II decision (see 2009250071), but it must be balanced with privacy protections, he said. The EC didn’t comment about an exact timeline.

A European Data Protection Board task force is developing additional information and recommendations for data controllers, said EDPB Chair Andrea Jelinek. The board is working on recommendations that exporters may follow in collaboration with importers to identify supplementary measures to reach an “adequate level of protection,” she said. The recommendations should be ready in six weeks “at the latest,” she added: The EDPB is “acutely aware” of the need for tools to legally transfer data. She noted the new SCCs could include important qualifications for data controllers.

Panelists urged U.S. legislators to pass privacy legislation. The U.S. would gain significant credibility if it set baseline privacy rights relatively in line with EU’s general data protection regulation and an agency to properly oversee them, said Atlantic Council Senior Fellow Kenneth Propp.

FTC Consumer Protection Bureau Director Andrew Smith and former acting Chairman Maureen Ohlhausen, now at Baker Botts, spoke about the need for limited rulemaking authority to be included in any federal legislation. Ohlhausen supports the FTC having limited rulemaking authority where Congress sets parameters and the commission writes rules. Definitions will change with the technology, so the agency should have the ability to adjust to keep up, she said. Rulemaking authority should be “carefully cabined,” Smith said: Congress needs to make the big choices, and the FTC should have rulemaking authority to augment.

IBM Chief Privacy Officer Christina Montgomery said she would like the agency to have limited rulemaking authority over privacy regulations and the ability to levy fines without entering consent decrees first. She noted the company’s maintaining principles for artificial intelligence and other privacy-related technology. She said the broader tech industry should adopt principles for data minimization, purpose limitations, deletion guidelines, privacy by design principles and inclusivity mandates.

COVID-19 accelerated the demand for digital technologies, said Ohlhausen. She said the pandemic hasn’t affected potential language for legislation, but it reinforced the idea that a national privacy law is needed. She said the major privacy proposals introduced by Senate Commerce Committee members seek to keep the FTC as the main privacy enforcer. Smith agreed, saying the agency should have a role under any new law.

International privacy authorities shouldn’t leave the standard-setting process to actors who might not share privacy values of many democratic nations, said Gencarelli. He listed the EU, the U.S. and Japan as countries and regions to offer potential solutions.