Privacy Shield 2.0: EU and U.S. agree to a new data transfer deal
After more than a year, the European Union and the United States have reached an agreement "in principle" on a new framework for cross-border data transfers. Read about it here.
After more than a year, the European Union and the United States have reached an agreement "in principle" on a new framework for cross-border data transfers, providing much-needed relief to tech behemoths such as Meta and Google, since this means that data transfers for online businesses to the U.S. will be simplified.
In a joint press conference with U.S. President Joe Biden, European Commission President Ursula von der Leyen announced that the European Union has reached an agreement in principle with the United States on a resurrected trans-Atlantic data flows agreement, potentially signaling an end to the many months of legal uncertainty that have dogged cloud services since a landmark court ruling in July 2020 that struck down the EU-U.S. Privacy Shield.
Von der Leyen said the new agreement “will enable predictable and trustworthy data flows between the EU and the U.S., safeguarding privacy and civil liberties,” without going into much detail about how it will work. Since the sustainability of the deal will hinge on the details of the agreement, very little can be understood from today’s announcement beyond the political gesture.
Pleased that we found an agreement in principle on a new framework for transatlantic data flows.— Ursula von der Leyen (@vonderleyen) March 25, 2022
It will enable predictable and trustworthy 🇪🇺🇺🇸 data flows, balancing security, the right to privacy and data protection.
This is another step in strengthening our partnership. pic.twitter.com/7Y0wslR7Go
Biden stated that by reaching a new agreement, the United States and the European Union are finding new ways to bind their economies closer together. The framework, according to the US president, demonstrates the two countries' shared commitment to privacy, data protection, and the rule of law.
The dispute stems from a complaint filed nearly a decade ago by Austrian lawyer and privacy activist Max Schrems, who was concerned about how Facebook handled his data in light of revelations about U.S. government cybersnooping from a former U.S. National Security Agency contractor.
Along the way, the CJEU ruled that the Privacy Shield agreement covering transatlantic data transfers was invalid because it did not meet the EU's stringent data privacy standards. As a result, European data protection authorities issued orders limiting the flow of personal data through products such as Google Analytics, Google Fonts, and Stripe, among others.
This legal dispute raised the possibility that Facebook would have to revamp its data centers in order to keep European data out of the United States.
The new agreement “will help keep people connected and services running,” Facebook head of global affairs Nick Clegg tweeted. “It will provide invaluable certainty for American & European companies of all sizes, including Meta, who rely on transferring data quickly and safely.”
The work on reaching the agreement was praised by Google as the EU and U.S. recommit to “safeguard transatlantic data transfers.”
Schrems, also the privacy lawyer and campaigner whose name has become synonymous with striking down trans-Atlantic data transfer deals (aka Schrems I and Schrems II Decision), quickly expressed his skepticism. See more on the EDPB Schrems II.
“Customers and businesses face more years of legal uncertainty,” he said, responding to von der Leyen’s announcement, saying it could get tied up in the courts because his Vienna-based group NOYB would analyze it in depth and challenge anything that’s not in line with EU law.
He further tweeted: “Seems we do another Privacy Shield especially in one respect: Politics over law and fundamental rights. This failed twice before. What we heard is another ‘patchwork’ approach but no substantial reform on the U.S. side. Let’s wait for a text but my [first] bet is it will fail again.”
GDPR vs. India's DPDPA: Analyzing the Data Protection Bill and Indian Data Protection Landscape
Explore the differences and similarities between the General Data Protection Regulation (GDPR) in the European Union and the Digital Personal Data Protection Act (DPDPA) in India. Learn about key provisions, compliance challenges, and the importance of data protection for businesses.
- Europe GDPR
GDPR Certification: Benefits of Getting Certified in GDPR Data Protection
Discover the General Data Protection Regulation (GDPR), its significance, and how GDPR certification can benefit your organization. Learn about Secure Privacy's comprehensive GDPR certification course and become an expert in data protection and compliance.
Data Privacy Training Platform: Online Courses to Protect Your Personal Data
Explore Secure Privacy's online data privacy training platform and discover a range of courses designed to safeguard personal data. Enhance your data protection skills and stay ahead in today's privacy-conscious world.