The EU is now close to finalising a new data-sharing deal with the US to replace Privacy Shield.
A new framework for transatlantic data transfers and storage has been agreed in principle by EU and US leaders, potentially ending a long debate about how companies can move data between these jurisdictions.
European Commission chief Ursula von der Leyen tweeted today (25 March) that an “agreement in principle” has been struck for data flows with the US after talks with president Joe Biden, who is on an official visit to Brussels this week.
The new deal, a draft text for which has not been released yet, will “enable predictable and trustworthy EU-US data flows, balancing security, the right to privacy and data protection,” according to von der Leyen.
Context
This is not the first time a deal has been struck over data sharing and storage. Privacy Shield, a data privacy tool that allowed for the transfer of European data to US companies, was struck down by the European Court of Justice (ECJ) in the Schrems II case in 2020.
Privacy Shield was an attempt to improve on a previous agreement, Safe Harbour, which was dismantled following complaints made by Austrian privacy advocate Max Schrems.
The Schrems II case said transfers of personal data from the EU could only take place if there is a sufficient level of protection. The EU does not consider US data protection to be adequate, and so data transfers can only take place through mechanisms such as the standard contractual clauses used by companies including Google and Facebook.
Meta threatened last month to pull Facebook and Instagram from the European market if new regulation around EU-US data transfers does not come to fruition soon, after Ireland’s Data Protection Commission suggested the company’s use of standard contractual clauses in respect of European user data does not comply with GDPR.
Response
While still waiting for the full text, Schrems has expressed disappointment with today’s announcement. A response on his campaign website, NYOB, leads with an image of a pig wearing lipstick and dubs the new deal ‘Privacy Shield 2.0’.
Seems we do another #PrivacyShield especially in one respect: Poltics over law and fundamental rights.
This failed twice before. What we hear is another "patchwork" approach but no substantial reform on the US side. Let's wait for a text, but my frist bet is it will fail again. https://t.co/y6RFUyB8eG
— Max Schrems 🇪🇺 (@maxschrems) March 25, 2022
The group said that because it was only a political announcement with no text available that can be analysed, they believe that “such a text does not exist yet” and suggested that lawyers are yet to find solutions to the issues raised by the ECJ in 2020.
“What NYOB hears is that the US is not planning to change its surveillance laws, but only foreseen executive reassurances. It is unclear how this would remotely pass the test by the ECJ,” the group wrote. “Previous agreements failed twice in this respect.”
The primary concern is that if the US does not change its surveillance laws, which allow federal agencies to ask companies to submit data for national security reasons, the data of EU citizens will be at risk when transferred and stored in US servers.
“It is regrettable that the EU and US have not used this situation to come to a ‘no spy’ agreement, with baseline guarantees among like-minded democracies. Customers and businesses face more years of legal uncertainty,” Schrems added.
‘Legal certainty’
EU officials and business leaders are more optimistic about the deal. Didier Reynders, EU chief for justice, said that the agreement “strengthens further our alliance, economic ties and protects citizens’ fundamental rights”.
Belgian MEP Tom Vandenkendelaere said that the deal will provide “legal certainty after two years in legal limbo” to businesses. “I expect the agreement to contain sufficient fundamental rights safeguards to stand the test of time,” he tweeted.
Meanwhile, Meta’s new president of global affairs also came out in support of the deal after criticising the EU last month for failing to secure an agreement around an issue that was damaging data-driven companies “just as we seek a recovery from Covid-19”.
“With concern growing about the global internet fragmenting, this agreement will help keep people connected and services running,” Nick Clegg tweeted today.
“It will provide invaluable certainty for American and European companies of all sizes, including Meta, who rely on transferring data quickly and safely.”
10 things you need to know direct to your inbox every weekday. Sign up for the Daily Brief, Silicon Republic’s digest of essential sci-tech news.