For companies which depend on cross border data transfers, some needed relief may come in the form of a new agreement on EU-US data transfers.
The European Union and the U.S. recently announced that they had reached an agreement “in principle” on a new framework for cross-border data transfers. This is expected to bring some much-needed relief to tech giants like Meta and Google, which have been severely affected by the invalidation of the Privacy Shield in July 2020. Several companies have faced legal issues over EU-US data transfers, and have had to find alternative ways of doing business which would not require such transfers. This was easier for some companies than others. One in particular, Meta (formerly Facebook) even recently considered shutting down operations in Europe, in the absence of a framework for cross-border data transfers. The new agreement is expected to make a major difference for these companies. It will “enable predictable and trustworthy data flows between the EU and US, safeguarding privacy and civil liberties,” Ursula von der Leyen, President of the European Commission said recently.
EU and US officials have been trying to find an appropriate replacement framework since the invalidation of the Privacy Shield in 2020.
Since the invalidation of the Privacy Shield in July 2020, Facebook and other companies that had relied on the mechanism for their EU-US data flows struggled to adapt their business operations to the restrictions in the EU-US data flows. The CJEU ruled in favor of Max Schrems, a privacy activist who argued that the existing framework did not protect Europeans from US surveillance. Since then, officials on either side of the Atlantic have been trying to negotiate a new deal to replace the previously held Privacy Shield, which allowed firms to share data from the EU to the US.
This update will likely bring much needed relief to large tech companies which have faced legal issues since the invalidation of the Privacy Shield almost two years ago.
News of the agreement will undoubtedly be welcomed by tech giants like Meta and Google who have been gravely affected by the invalidation of the Privacy Shield. Companies were being urged to find alternatives to Google Analytics, while Meta considered pulling Facebook and Instagram out of Europe. Meta’s president of global affairs, Nick Clegg, said the deal “will provide invaluable certainty for American & European companies of all sizes, including Meta, who rely on transferring data quickly and safely.” He took to Twitter stating that “With concern growing about the global internet fragmenting, this agreement will help keep people connected and services running,” In addition, Google’s president of global affairs, Kent Walker, was also quoted as saying “People want to be able to use digital services from anywhere in the world and know that their information is safe and protected when they communicate across borders,” in a recent report from CNBC. He went on to say “We commend the work done by the European Commission and U.S. government to agree on a new EU-U.S. framework and safeguard transatlantic data transfers.”
Max Schrems, the Austrian privacy activist who initially questioned the level of protection provided by the current framework, says he is prepared to challenge any discrepancies in the new agreement as well.
Many officials believe that it is too early to say whether the new agreement will stand the test of time. Privacy Shield, which replaced Safe Harbor, an earlier EU-US data pact, was found to offer insufficient protection and was challenged and later invalidated. Schrems, who was instrumental in challenging both the Privacy Shield and Safe Harbor, said that he expects the “final text” of the new agreement to take more time to come together. However, he added he’s prepared to challenge it as well “if it is not in line with EU law.” According to Schrems,“In the end, the [EU] Court of Justice will decide a third time. We expect this to be back at the Court within months from a final decision,”
“While this is a most long-awaited update and a significant step forward, businesses should not forget that there is no agreement officially approved yet, therefore a valid mechanism under the GDPR/ UK GDPR such as the Standard Contractual Clauses and a Data Transfer Impact Assessment are still required for any data transfers to the US, as it is the case with data transfers to any other third-country” points out Cristina Contero Almagro, Partner in Aphaia.