The world of personal data transfers from the European Union to the United States has been in chaos since mid-2020, when the Schrems II ruling from the EU’s highest court determined that the US was not an adequately secure data partner under the terms of the General Data Protection Regulation (GDPR) and struck down the existing Privacy Shield data transfer agreement.
Nearly two years later, an answer to this complex legal problem may be in sight. The EU and US have reached an agreement in principle on a Privacy Shield replacement, but details of the data transfer deal are not yet available to the public and it remains to be seen if it will face a similar legal challenge.
Privacy Shield replacement could be on the horizon
The data transfer agreement was announced at a joint press conference held by European Commission President Ursula von der Leyen and US President Joe Biden. The agreement was touted as a means to restore “predictable, trustworthy data flows” across the Atlantic, the disruption of which has disproportionately impacted the US-based social media giants that deal in personal data harvesting for targeted advertising purposes. In February, Meta was handed a draft decision by EU regulators that ended its set of legal challenges to the Schrems II ruling; the company responded by raising the specter of pulling services such as Facebook and Instagram out of Europe entirely if it is ordered to stop transferring personal data.
Data transfers between the EU and US have been in rocky waters since at least 2015, years before the GDPR would facilitate the Schrems II complaints and ultimate judicial decision. The prior agreement, Safe Harbor, was invalidated by the European Court of Justice (CJEU) following the Edward Snowden leaks and the revelation that US intelligence agencies were indiscriminately sweeping up the personal data of foreign parties. One of the central complaints about Safe Harbor was that it was a self-certification program without adequate enforcement mechanisms, something that Privacy Shield sought to address.
But privacy crusader Max Schrems challenged Privacy Shield on the same grounds, and the GDPR ended up providing extra ammunition for his case. EU-US data transfers were ruled invalid under the GDPR requirements in 2020, leaving thousands of companies scrambling to come up with alternate transfer systems that managed to be in compliance with EU law.
It is difficult to evaluate the data transfer agreement’s chances of survival given the lack of information about it at present. Thus far, the White House has only provided the public with a limited “fact sheet” that talks mostly about the intent of the agreement rather than the legal specifics. However, it does promise that the US is making new “commitments” to safeguards for signals intelligence activities, redress mechanisms and oversight of information gathering. It claims that signals intelligence collection will only take place to further national security objectives, that there will be a new “multi-layer” redress mechanism for EU residents backed by a new and independent Data Protection Review Court, and that intelligence agencies will adopt new procedures that incorporate privacy and civil liberties concerns. The White House indicated that it planned to establish these things with an executive order in the near future.
The fate of the new deal will ultimately rest with the European Court of Justice, which invalidated the Privacy Shield agreement, should Schrems or another party bring a similar challenge to it. Schrems issued an early statement in response to the news of the agreement, indicating that he saw this as another iteration of Privacy Shield and a “patchwork” approach that will not hold up, but also indicating that he would “wait and see” what the details of the agreement are. A statement issued through his privacy group noyb indicates that he intends to have the data transfer agreement in front of the court again within “months” if he takes issue with it.
EU-US data transfers continue to face great uncertainty
The agreement in principle still has some steps to go through before it becomes final, but both sides seem committed to it. The issuance of executive orders by the White House would be a good indication that the deal is definitely going forward.
That is only the first step, however, with the next likely being a legal challenge in Europe by noyb. The US estimates that some $7.1 trillion in economic activity is hinging on a Privacy Shield replacement that can survive GDPR scrutiny being put into place before tech companies are ordered to cease and desist data transfers at the EU end.
Victor Platt, Head of Security & Privacy at integrate.ai, is not optimistic about this new agreement surviving: “Global data flows are crucial to fostering innovation and collaboration. The sentiment is great, but it’s not enough – radically new thinking is needed to underpin fundamental privacy rights in international data transfers. Political solutions providing blanket license to transfer data have been shown to result in harmful data proliferation and render practical accountability near impossible. This time feels no different.”
Mandar Shinde, CEO of Blotout, agrees with this assessment on the basis of an expected challenge from noyb rooted in known US intelligence agency and law enforcement practices: “It’s good to see the EU and the U.S. politically moving towards each other on this issue. But unfortunately, the crucial details are unclear and so two opposing philosophies continue to face each other, American permission for surveillance vs. the European Union’s protection of personal data. As long as this tension is not clearly resolved, any other political idea likely will fail before the European Court of Justice and thus it still remains a gamble to rely on third-party providers for the processing of personal data. This has been recognized by the European companies we are in contact with. They have long since realized that such high stakes are not worth it for a technology that is long outdated and completely derailed by users and technology giants like Apple. Instead, the future lies in empowering companies to build their own data assets. Innovators have been aware of this for a long time, and politicians will, most likely, only recognize it well later.”