EU, US agree on data transfer deal to replace defunct Privacy Shield

The European Union has just announced reaching an agreement in principle with the U.S. on a revived trans-Atlantic data flows deal — potentially signaling an end to the many months of legal uncertainty that has dogged cloud services after a landmark court ruling in July 2020 that struck down the EU-U.S. Privacy Shield.

“We have found an agreement in principle on a new framework for trans-Atlantic data flows,” European Commission President Ursula von der Leyen said at a joint press conference with U.S. President Joe Biden today.

“This will enable predictable, trustworthy data flows between the EU and the U.S., safeguarding privacy and civil liberties.”

The legal uncertainty hanging over EU-U.S. data flows has led, in recent months, to European data protection agencies issuing orders against flows of personal data passing via products such as Google Analytics, Google Fonts and Stripe, among others.

Facebook’s lead EU regulator also finally sent a revised draft decision to Meta last month, in a multiyear complaint related to its EU-U.S. data flows, after the company exhausted legal challenges against an earlier preliminary suspension order in fall 2020.

Although the social networking giant still hasn’t actually been ordered to suspend its EU-U.S. data flows — and may now dodge that bullet entirely if EU regulators agree to suspend data transfer enforcements now that there’s a political agreement in place with the U.S., as they did when Privacy Shield was agreed in principle, allowing a grace period of suspended enforcements during however many months are needed to secure final agreement and adopt the new EU-U.S. data flows deal.

That will surely be what Meta has been hoping would happen as it sought to delay earlier enforcement.

The detail of what has been agreed by the EU and U.S. in principle — and how exactly the two sides have managed to close the gap between what remain two very differently oriented legal systems — is not clear. And since the sustainability of the deal will hinge on exactly that fine detail, there is little that can be taken away from today’s announcement beyond the political gesture.

The uncertainty over EU-U.S. data transfers actually extends back further than 2020. A much longer-standing predecessor agreement, called Safe Harbor, was invalidated by Europe’s top court in 2015 over the same core clash between EU privacy rights and U.S. surveillance laws.

This dynamic means that any replacement deal faces the daunting prospect of fresh legal challenges to test how robust it is when it comes to ensuring that EU citizens’ rights are adequately protected when their data flows to the U.S.

“We managed to balance security and the right to privacy and data protection,” von der Leyen suggested in further brief remarks during a wide-ranging press conference. She also couched the agreement reached as “balanced and effective” but provided no specifics on what has actually been decided.

Update: The White House has now released this “fact sheet” on the transatlantic data framework agreement which sheds a little light on where the two sides have focused — noting for example that EU peoples will be able to seek redress from “a new multi-layer redress mechanism that includes an independent Data Protection Review Court” that the U.S. administration says would consist of individuals “chosen from outside the U.S. Government who would have full authority to adjudicate claims and direct remedial measures as needed”.

The Commission had very similar things to say about Privacy Shield (and Safe Harbor) — until the court took a very different view, of course. So it’s important to understand that a full and final assessment does not and cannot rest with EU commissioners or their U.S. counterparts.

Only the European Court of Justice can weigh in.

Max Schrems, the privacy lawyer and campaigner whose name has become synonymous with striking down trans-Atlantic data transfer deals (aka Schrems I and Schrems II) was quick to sound a note of skepticism.

Responding to von der Leyen’s announcement in a tweet, he wrote: “Seems we do another Privacy Shield especially in one respect: Politics over law and fundamental rights.

“This failed twice before. What we heard is another ‘patchwork’ approach but no substantial reform on the U.S. side. Let’s wait for a text but my [first] bet is it will fail again.”

Schrems famously — and correctly — called Privacy Shield lipstick on a pig. So his assessment of the text, when it emerges, will arguably have more weight than the Commission’s.

Via his privacy advocacy not-for-profit, noyb, Schrems also said he expects to be able to get any new agreement that does not meet the requirements of EU law back to the CJEU “within a matter of months” via civil litigation and preliminary injunction.

“[O]nce [the final text] arrives we will analyze it in depth, together with our U.S. legal experts. If it is not in line with EU law, we or another group will likely challenge it. In the end, the Court of Justice will decide a third time. We expect this to be back at the Court within months from a final decision,” he noted in a statement, “It is regrettable that the EU and U.S. have not used this situation to come to a ‘no spy’ agreement, with baseline guarantees among like-minded democracies. Customers and businesses face more years of legal uncertainty.”

The response from the tech industry to the news of another revived data transfer deal was predictably positive.

Google, which along with Meta has been pressing hard in recent months for the two sides to come up with a viable compromise, was quick to welcome the announcement.

In a statement, a company spokesperson told us:

“People want to be able to use digital services from anywhere in the world and know that their information is safe and protected when they communicate across borders. We commend the work done by the European Commission and U.S. government to agree on a new EU-U.S. framework and safeguard transatlantic data transfers.”

The CCIA tech industry association, which has also lobbied hard for a replacement to Privacy Shield, welcomed today’s announcement as “good news.” Although its director, Alexandre Roure, found a little space in his response statement to express needling displeasure with incoming EU rules on industrial and connected device data reuse — which he suggested will introduce fresh “data restrictions.”

Editor’s note: This report was updated with additional comment and a pointer to the White House fact sheet