September 29, 2020

The Honorable Jeffrey A. Rosen
Deputy Attorney General
U.S. Department of Justice

The Honorable Keith Krach
Under Secretary for Economic Growth, Energy, and the Environment
U.S. Department of State

The Honorable Joseph C. Semsar
Acting Under Secretary for International Trade
U.S. Department of Commerce

The Honorable Neil Wiley
Acting Principal Deputy Director of  National Intelligence
Office of the Director of National Intelligence

Dear Deputy Attorney General Rosen, Under Secretary Krach, Acting Under Secretary Semsar, & Acting Principal Deputy Director Wiley:

The undersigned associations represent thousands of U.S. companies of all sizes and from a broad range of industry sectors. Despite the many differences in our businesses and the customers we serve, our companies are united by the need to transfer data daily across the Atlantic. Cross-border data flows between the United States and the European Union are the largest in the world and underpin a $7.1 trillion bilateral trade and investment partnership. Recent and rapidly unfolding legal developments in the EU, however, threaten the ability of our companies to engage in transatlantic commerce, scientific collaboration, and research and development, with potentially severe ramifications for the post-pandemic economic recovery.

Earlier this month, the Irish Data Protection Commissioner (“IDPC”) reportedly proposed to “suspend” all transfers of Facebook user data to the U.S. indefinitely, finding that the company can no longer rely on Standard Contractual Clauses (“SCCs”) approved by the European Commission for enabling flows of personal information across the Atlantic. The IDPC’s unprecedented action purports to rely on a European Court of Justice (“Court”) decision from July, which invalidated the U.S.-EU Privacy Shield Agreement. The Court based its ruling on concerns that EU personal data may be collected by U.S. intelligence agencies, although the Court chose not to pronounce on this question definitively, instead deferring to the IDPC and other data protection authorities to evaluate the full nature and scope of U.S. legal safeguards. An expansive reading of the Court’s decision, such as the one proposed by the IDPC, threatens to halt transatlantic data flows, which would affect broad sectors of the U.S. economy, including, but not limited to financial services, healthcare, human resources, hospitality, information technology, manufacturing, logistics, and retail.

We applaud the Administration’s efforts to negotiate a successor to the Privacy Shield. Securing an enhanced data transfer agreement is important to avoid further disruptions to transatlantic commerce. At the same time, the Administration should request European regulators refrain from enforcement actions until further guidance on SCCs is provided by the European Data Protection Board. Businesses acting in good faith to protect the privacy of EU citizens should not bear risks stemming from the Court’s lack of clarity, including the risk of becoming subject to enforcement actions by individual data protection authorities.

We urge the Administration to convey to European regulators and governments, both at the Member State and European level, a complete and accurate representation of the legal safeguards adhered to by the U.S. intelligence community. U.S. companies cannot be expected to explain U.S. government surveillance practices as they defend their use of SCCs for commercial transfers. We strongly encourage you and your colleagues to ensure that, where possible, European data protection regulators and governments understand these safeguards, including those not accounted for by the Court. We welcome the Administration’s publication of a white paper outlining U.S. privacy safeguards relevant to SCCs and other EU legal bases for data transfers. The paper represents an important step forward in the Administration’s engagement with European governments and regulators on these vital issues. Actions such as these provide additional room for the Department of Commerce to negotiate a successor framework to the Privacy Shield and encourage European regulators to issue clear guidance and practical options for how companies can lawfully transfer personal data to the United States.

We and our members stand ready to work with you on these important issues and appreciate your consideration of our views.

Sincerely,

ACT | The App Association
AdvaMed
American Bankers Association
American Council of Life Insurers
American Property Casualty Insurance Association
Biotechnology Innovation Organization
Bank Policy Institute
Coalition of Services Industries
Computer & Communications Industry Association
Electronic Transactions Association
Engine
Interactive Advertising Bureau
Internet Association
National Retail Federation
Securities Industry & Financial Markets Association
SIIA
U.S. Council for International Business
U.S. Chamber of Commerce

cc: Robin Colwell, National Economic Council
Joshua Steinman, National Security Council