Privacy Shield 2.0: EU and U.S. agree to a new data transfer deal
After more than a year, the European Union and the United States have reached an agreement "in principle" on a new framework for cross-border data transfers. Read about it here.
After more than a year, the European Union and the United States have reached an agreement "in principle" on a new framework for cross-border data transfers, providing much-needed relief to tech behemoths such as Meta and Google, since this means that data transfers for online businesses to the U.S. will be simplified.
In a joint press conference with U.S. President Joe Biden, European Commission President Ursula von der Leyen announced that the European Union has reached an agreement in principle with the United States on a resurrected trans-Atlantic data flows agreement, potentially signaling an end to the many months of legal uncertainty that have dogged cloud services since a landmark court ruling in July 2020 that struck down the EU-U.S. Privacy Shield.
Von der Leyen said the new agreement “will enable predictable and trustworthy data flows between the EU and the U.S., safeguarding privacy and civil liberties,” without going into much detail about how it will work. Since the sustainability of the deal will hinge on the details of the agreement, very little can be understood from today’s announcement beyond the political gesture.
Pleased that we found an agreement in principle on a new framework for transatlantic data flows.— Ursula von der Leyen (@vonderleyen) March 25, 2022
It will enable predictable and trustworthy 🇪🇺🇺🇸 data flows, balancing security, the right to privacy and data protection.
This is another step in strengthening our partnership. pic.twitter.com/7Y0wslR7Go
Biden stated that by reaching a new agreement, the United States and the European Union are finding new ways to bind their economies closer together. The framework, according to the US president, demonstrates the two countries' shared commitment to privacy, data protection, and the rule of law.
The dispute stems from a complaint filed nearly a decade ago by Austrian lawyer and privacy activist Max Schrems, who was concerned about how Facebook handled his data in light of revelations about U.S. government cybersnooping from a former U.S. National Security Agency contractor.
Along the way, the CJEU ruled that the Privacy Shield agreement covering transatlantic data transfers was invalid because it did not meet the EU's stringent data privacy standards. As a result, European data protection authorities issued orders limiting the flow of personal data through products such as Google Analytics, Google Fonts, and Stripe, among others.
This legal dispute raised the possibility that Facebook would have to revamp its data centers in order to keep European data out of the United States.
The new agreement “will help keep people connected and services running,” Facebook head of global affairs Nick Clegg tweeted. “It will provide invaluable certainty for American & European companies of all sizes, including Meta, who rely on transferring data quickly and safely.”
The work on reaching the agreement was praised by Google as the EU and U.S. recommit to “safeguard transatlantic data transfers.”
Schrems, also the privacy lawyer and campaigner whose name has become synonymous with striking down trans-Atlantic data transfer deals (aka Schrems I and Schrems II Decision), quickly expressed his skepticism. See more on the EDPB Schrems II.
“Customers and businesses face more years of legal uncertainty,” he said, responding to von der Leyen’s announcement, saying it could get tied up in the courts because his Vienna-based group NOYB would analyze it in depth and challenge anything that’s not in line with EU law.
He further tweeted: “Seems we do another Privacy Shield especially in one respect: Politics over law and fundamental rights. This failed twice before. What we heard is another ‘patchwork’ approach but no substantial reform on the U.S. side. Let’s wait for a text but my [first] bet is it will fail again.”
This article keeps track of the new CPRA regulations passed by the California AG. In the first part, we’ll briefly overview the existing regulations. The proposed regulations follow. Finally, we’ll provide a brief overview of all the regulations that could be expected in the next few years.
The Data Protection and Digital Information Bill: Data Privacy Reform in the UK Government
The introduction of Bill 143 to the House of Commons on July 18, 2022, follows the UK Government’s consultation in September 2021. The consultation detailed the UK Government’s proposed reforms to the UK’s data protection regime following Brexit and is a big step towards achieving the planned reform of the UK's data protection framework, with many significant proposed changes for companies to be aware of. To get started, here are some key provisions to consider about this new data protection legislation.
CPRA Guide | Full Text Summary
If you need to comply with the CCPA, you must also comply with the California Privacy Rights Act (CPRA). Here we have the full text of the CPRA. California legislature bodies have written it in legalese, of course, but we added notes at the beginning of each section to help you understand what that specific section is about.