Neil Richards, the Koch Distinguished Professor in the School of Law at Washington University in St. Louis, addressed a Dec. 9 hearing of the Senate Committee on Commerce, Science, and Transportation, where he pushed for passage of a comprehensive law that would provide appropriate safeguards, enforceable rights and effective legal remedies for consumers when it comes to their personal data.
The hearing was aimed at discussing U.S. privacy legislation and a response to the invalidation of the European Union (EU)-U.S. Privacy Shield, which ended in July.
Richards, who co-directs the university’s Cordell Institute for Policy in Medicine and Law, is a renowned expert on domestic and international privacy law.
He served as an independent expert witness in the so-called “Schrems 2” court case, in which the European Court of Justice ruled that the “Privacy Shield” was invalid under European law because it failed to protect Europeans against the exposure of their data held by American companies to American spy agencies. The ruling called into question the future of the vast and highly lucrative international data flows between the European Union and the United States.
“The Schrems litigation is a creature of distrust,” Richards told the committee. “This distrust comes from the inadequacy of existing federal consumer privacy safeguards, rights and remedies, and also from Edward Snowden’s 2013 surveillance revelations that led Mr. Schrems to sue in the first place.”
Two dimensions of the Schrems 2 holding are of paramount importance to Congress as it confronts privacy reform, he testified.
“One is that any successor to the Privacy Shield will require Congress to enact surveillance reform that limits the scope of surveillance and provides meaningful and binding individual remedies to challenge illegality,” Richards said.
“The other consequence of Schrems 2 is of particular relevance to this committee,” he said during the hearing. “U.S. privacy laws are not yet sufficient to meet EU law’s cross-border requirement of ‘adequacy,’ which is to say that U.S. privacy laws do not yet offer protections for personal data held by companies that are ‘essentially equivalent’ to those in the EU. This matters because ‘adequacy’ would let EU data flow from Ireland to the U.S. as easily as it can currently flow from Germany to France. Adequacy would make ‘second-best’ mechanisms like the model contractual clauses and Privacy Shield arrangement unnecessary.”
“The Schrems litigation has created problems for American law and commerce, but it has also created a great opportunity,” Richards said. “That opportunity lies before this committee — the chance to regain American leadership in global privacy and data protection by passing a comprehensive law that provides appropriate safeguards, enforceable rights and effective legal remedies for consumers. Passing such a law would not just safeguard the ability to share personal data across the Atlantic.
“If done right, it will build trust between the United States and our European trading partners and between American companies and their European and American customers. The way forward requires us to recognize that strong, clear, trust-building rules are not hostile to business interests, that we need to preserve effective consumer remedies and state-level regulatory innovation, and seriously consider a duty of loyalty. In that direction, I believe, lies not just consumer protection, but international cooperation and economic prosperity.”
At the hearing, Richards also discussed with senators of both parties his proposal for a duty of loyalty to be placed on companies in their use of consumers’ personal data. That proposal, which was requested by the committee, is based upon a draft article written by Richards, which can be accessed here.