April 9, 2022

Privacy Shield 2.0: EU and U.S. agree to a new data transfer deal

After more than a year, the European Union and the United States have reached an agreement "in principle" on a new framework for cross-border data transfers. Read about it here.

After more than a year, the European Union and the United States have reached an agreement "in principle" on a new framework for cross-border data transfers, providing much-needed relief to tech behemoths such as Meta and Google, since this means that data transfers for online businesses to the U.S. will be simplified. 

In a joint press conference with U.S. President Joe Biden, European Commission President Ursula von der Leyen announced that the European Union has reached an agreement in principle with the United States on a resurrected trans-Atlantic data flows agreement, potentially signaling an end to the many months of legal uncertainty that have dogged cloud services since a landmark court ruling in July 2020 that struck down the EU-U.S. Privacy Shield.

Von der Leyen said the new agreement “will enable predictable and trustworthy data flows between the EU and the U.S., safeguarding privacy and civil liberties,” without going into much detail about how it will work. Since the sustainability of the deal will hinge on the details of the agreement, very little can be understood from today’s announcement beyond the political gesture.

Biden stated that by reaching a new agreement, the United States and the European Union are finding new ways to bind their economies closer together. The framework, according to the US president, demonstrates the two countries' shared commitment to privacy, data protection, and the rule of law.

The dispute stems from a complaint filed nearly a decade ago by Austrian lawyer and privacy activist Max Schrems, who was concerned about how Facebook handled his data in light of revelations about U.S. government cybersnooping from a former U.S. National Security Agency contractor. 

Along the way, the CJEU ruled that the Privacy Shield agreement covering transatlantic data transfers was invalid because it did not meet the EU's stringent data privacy standards. As a result, European data protection authorities issued orders limiting the flow of personal data through products such as Google Analytics, Google Fonts, and Stripe, among others.

This legal dispute raised the possibility that Facebook would have to revamp its data centers in order to keep European data out of the United States.

The new agreement “will help keep people connected and services running,” Facebook head of global affairs Nick Clegg tweeted. “It will provide invaluable certainty for American & European companies of all sizes, including Meta, who rely on transferring data quickly and safely.”

The work on reaching the agreement was praised by Google as the EU and U.S. recommit to “safeguard transatlantic data transfers.”

Schrems, also the privacy lawyer and campaigner whose name has become synonymous with striking down trans-Atlantic data transfer deals (aka Schrems I and Schrems II Decision), quickly expressed his skepticism. See more on the EDPB Schrems II.

“Customers and businesses face more years of legal uncertainty,” he said, responding to von der Leyen’s announcement, saying it could get tied up in the courts because his Vienna-based group NOYB would analyze it in depth and challenge anything that’s not in line with EU law. 

He further tweeted: “Seems we do another Privacy Shield especially in one respect: Politics over law and fundamental rights. This failed twice before. What we heard is another ‘patchwork’ approach but no substantial reform on the U.S. side. Let’s wait for a text but my [first] bet is it will fail again.”