The European Union and the US have reached a high-level agreement to allow transatlantic data sharing under a deal that promises better privacy rights for EU citizens and stronger oversight of US intelligence gathering.
President Joe Biden and Ursula von der Leyen, president of the European Commission, announced that the EU and the US had reached agreement on a successor to the Privacy Shield data sharing agreement, ruled unlawful in July 2020 by an EU court.
The White House said the US agreed to expand its oversight of US signals intelligence, strengthen civil liberties safeguards, and create a new binding legal mechanism that will give EU citizens rights of redress if they believe their data has been abused.
The Trans-Atlantic Data Privacy Framework promises an end to nearly two years of legal uncertainty, particularly for small and medium-sized companies which largely relied on Privacy Shield as their sole legal basis for sharing data between Europe and the US.
But questions remain whether any deal will fully meet concerns raised by the European Court of Justice over EU citizens’ rights of redress in the US if their privacy is violated if, as is likely, the new agreement is subject to a legal challenge in the European Court of Justice.
Biden told a press conference that the EU and the US had reached a “major breakthrough” after the US agreed to “unprecedented protections for data privacy and security”.
“This new arrangement will enhance the Privacy Shield framework, promote growth and innovation in Europe and the United States and help companies both small and large compete in the digital economy,” he said.
The deal would allow the European Commission to authorise data flows that help to facilitate $7.1tn in economic relationships with the EU.
Ursula von der Leyen said the agreement would safeguard privacy and civil liberties while enabling “predictable and trustworthy” data flows between the EU and the US.
The decision was welcomed by Big Tech companies. Nick Clegg, president of global affairs at Facebook owner, Meta, which is subject to an imminent decision by the Irish Data Protection Commissioner on the legality of its EU-US data transfers, said the decision provided much needed certainty.
“With concern growing about the global internet fragmenting, this agreement will help keep people connected and services running. It will provide invaluable certainty for American and European companies of all sizes, including Meta, who rely on transferring data quickly and safely,” he wrote on Twitter.
Data Protection Review Court
The White House said that a new data sharing framework would give EU citizens the right of redress if they believe their privacy has been compromised, through an independent Data Protection Review Court staffed by non-government officials.
The US also gave assurances that signals intelligence collection would only be “undertaken where necessary to advance legitimate national security interests” and would not “disproportionately” impact individuals’ privacy rights and civil liberties.
US intelligence agencies “will adopt procedures to ensure effective oversight of new privacy and civil liberties standards,” according to a White House briefing.
The headline agreement follows more than a year of detailed negotiations between US and EU officials.
The White House said that organisations that sign-up to the new framework would be expected to comply with the principles of Privacy Shield. As with Privacy Shield, they will be able to self-certify their compliance with the new framework through the US Department of Commerce.
The US said that EU citizens would have access to “multiple avenues of recourse” to resolve complaints about US organisations’ use of their data. This would include alternative dispute resolution and binding arbitration.
Biden will introduce legal measures required in the US to implement the agreement through an Executive Order, which will be assessed by the European Commission before it makes a data adequacy decision about the US.
Legal challenge likely
It is unclear whether the concessions made by the US will be enough to prevent a further legal challenge over the lawfulness of EU-US data sharing, following decisions by the European Court to strike out Privacy Shield in 2020 and its predecessor, Safe Harbour in 2015.
Both cases were brought by the Austrian activist lawyer, Max Schrems, who said that that he would take any new agreement that does not comply with EU law back to the European Court of Justice within months of it being finalised.
“The final text will need more time, once this arrives we will analyse it in depth, together with our US legal experts. If it is not in line with EU law, we or another group will likely challenge it. In the end, the Court of Justice will decide a third time. We expect this to be back at the Court within months from a final decision,” he said
The finalisation of an agreement will end more than 18 months of legal uncertainty for US and EU organisations that share data.
Within a year of the decision to strike down Privacy Shield, in what became known as the Schrems II case, some businesses were choosing to localise data or stop data transfers altogether.
There has also been an increase in regulatory enforcement against businesses, which has made it more difficult to transfer data overseas, said Caitlin Fennessy, vice president and chief knowledge officer of the International Association of Privacy Professionals (IAPP).
“Enforcement has escalated, narrowing companies’ compliance options, and increasing the risks and challenges associated with transferring data. This has led to increased interest in data localisation and made some EU companies question the legality of working with long-standing foreign partners,” she told Computer Weekly.
EU and US officials, the intelligence community, and politicians, have been negotiating a replacement for Privacy Shield since 2020.
Over the past three months, EU commissioner Didier Reynders and US secretary for commerce Gina M. Raimondo, have led more detailed talks.
EU and US negotiators will now hammer out the fine details of the agreement, which will require the approval of EU member states.
Small and medium-sized companies
Thomas Boué, director general, for policy for Europe at BSA, a software trade group, told Computer Weekly that a revised Privacy Shield would have significant benefits for small and medium-sized companies.
Currently businesses are required to use legal agreements, known as Standard Contractual Clauses (SCCs), which require complex negotiations and changes to contracts to be put in place, he said.
“Privacy Shield is a much easier way to transfer data as there is an agreement between the EU and the US that their data protection is equivalent, so there is no need for accredited companies to take further steps,” he said.
IAPP’s Fennessy told Computer Weekly that she expected the replacement Privacy Shield framework to be tested by regulators and the courts “almost immediately”. But she said the EU and the US had an interest in negotiating a lasting agreement.
“US and EU negotiators certainly recognised this and share individuals’ and businesses’ interest in a durable framework. While we have not seen the details, we know that this deal was not hammered out overnight,” she said.
Guillaume Couneson, data protection partner at global law firm Linklaters in Brussels, said the ability to transfer personal data across the Atlantic through a new Privacy Shield agreement would boost economic growth.
“For companies with a presence in both the EU and the US, the possibility to transfer personal data safely across the Atlantic and in compliance with applicable data protection rules is business critical,” he said.