U.S. President Joe Biden’s visit to Europe amid the Ukraine-Russia conflict has had an unexpected development: an agreement over a new but undrafted framework that will succeed Privacy Shield to govern transatlantic data transfers and sharing between the EU and the U.S.
The United States and the European Union have reached an agreement on how to proceed over transatlantic data sharing after nearly two years following the invalidation of Privacy Shield. The announcement may come as a relief to Meta, Google, and hundreds of other companies that rely on European users’ data processed in the U.S.
Meta had even threatened, although the company later clarified it was simply stating its position, to shut some social media services in the EU if a new deal that enables said data sharing doesn’t come into effect.
The Privacy Shield enabled data sharing and transfers between the EU and the U.S. The legal framework was explicitly designed to safeguard the privacy of European users. It was believed to entail rigorous protection measures once the data was transferred to the U.S., until Max Schrems, an Austrian data privacy activist, filed a lawsuit to quash the framework following damning revelations by Edward Snowden.
Schrems, other privacy advocates, and EU lawmakers believed that once the data leaves the EU, they have no way of knowing who will access it. The U.S. does not have federally-imposed GDPR-like privacy protection laws, thus stripping away EU citizens or EU companies of their entitlement to an appropriate compensation if their data is misused.
The ECJ concluded the same and found a lack of appropriate safeguards to prevent U.S. government organizations like the NSA, CIA, etc., from surveilling Facebook and other platforms’ users. As a result, the ECJ struck down Privacy Shield in mid-2020, declared that data isn’t safe once it goes out of the EU to the U.S., and called for stricter privacy regulations.
Since then, transatlantic data sharing has been valid under a temporary measure known as Standard Contractual Clauses (SCCs) as negotiations for a new pact/framework were taking shape. According to a joint statement from the European Commission and the White House, a new preliminary contract is ready.
“We have found an agreement in principle on a new framework for transatlantic data flows. This will enable predictable and trustworthy data flows between the EU and U.S., safeguarding privacy and civil liberties,†saidOpens a new window the European Commission President Ursula von der LeyenOpens a new window at a press conference accompanied by U.S. President Joe Biden.
Biden added, “This framework underscores our shared commitment to privacy, to data protection, and to the rule of law. And it’s going to allow the European Commission to once again authorize transatlantic data flows that help facilitate $7.1 trillion in economic relationships with the EU.â€
Meta’s president of global affairs Nick Clegg took to Twitter to welcome the new agreement.
With concern growing about the global internet fragmenting, this agreement will help keep people connected and services running. It will provide invaluable certainty for American & European companies of all sizes, including Meta, who rely on transferring data quickly and safely.
— Nick Clegg (@nickclegg) March 25, 2022Opens a new window
See More: Why Security Does Not Equal Privacy
Meanwhile, Google was also facing the heat from two European privacy watchdogs, France’s Commission nationale de l’informatique et des libertés (CNIL) and Austria’s Datenschutzbehörde (DSB). Both CNIL and DSB had stated that using Google Analytics by EU users breaches GDPR.
Kent Walker, the president of global affairs at Google, also welcomed the new framework, commending “the work done by the European Commission and U.S. government.†However, details or even the name of the new framework/agreement remain under wraps.
Caitlin FennessyOpens a new window , the chief knowledge officer at the International Association of Privacy Professionals (IAPP), said, “While we have yet to see the details, it seems both sides were working toward a lasting solution. If they wanted a temporary fix, they could have wrapped up talks months ago. Time will tell whether they got there.â€
“Overcoming the CJEU’s necessity and proportionality critiques is a big hurdle. Necessity and proportionality were long perceived as EU-centric terms tied to long histories of CJEU and European Court of Human Rights jurisprudence,†added Fennessy, who also served as the Privacy Shield director for the U.S. Department of Commerce between 2018 and 2019.
“If the US Government can effectively address necessity and proportionality concerns, that will place the U.S. and EU on the same side of the table in future more multilateral negotiations on privacy and surveillance.†But there are no known proceedings in the U.S. that seek to bring in GDPResque regulations in the U.S. federally.
Schrems echoed the same and stated his, along with privacy-focused non-profit noyb’s (None of Your Business), intention to pursue the matter legally at the ECJ. He said, “We already had a purely political deal in 2015 that had no legal basis. From what you hear we could play the same game a third time now. The deal was apparently a symbol that von der Leyen wanted, but does not have support among experts in Brussels, as the U.S. did not move.â€
Schrems is talking about Safe Harbor, a framework governing EU-U.S. data transfers before Privacy Shield. Schrems noted that,
- Currently, there’s only a political announcement, nothing concrete
- Doubts the U.S. government’s executive assurances and the fact that they have no privacy law implementation plans that would pass ECJ’s test.
- No such agreement can be bilateral and is subject to review by European Data Protection Board (EDPB)
- The time to adopt an agreement with no text draft will take months.
Schrems said, “The final text will need more time, once this arrives we will analyze it in depth, together with our U.S. legal experts. If it is not in line with EU law, we or another group will likely challenge it. In the end, the Court of Justice will decide a third time. We expect this to be back at the Court within months from a final decision.â€
Schrems added, “It is especially appalling that the US has allegedly used the war on Ukraine to push the EU on this economic matter.â€
Let us know if you enjoyed reading this news on LinkedInOpens a new window , TwitterOpens a new window , or FacebookOpens a new window . We would love to hear from you!