Relief for Big Tech: EU, US Reach New Agreement on Data Transfers

Last week, the European Union announced that it had reached an agreement in principle on a new framework for transatlantic data flows with the United States, letting companies like Meta and Google breathe a sigh of relief.

"It will enable predictable and trustworthy data flows, balancing security, the right to privacy and data protection. This is another step in strengthening our partnership," said Ursula von der Leyen, president of the European Commission, on 25 March.

The previous framework for transferring data between the US and the EU, which was in effect for four years, was thrown out by a European court in 2020.

The announcement of a new deal has been welcomed by Facebook and Google. "With concern growing about the global internet fragmenting, this agreement will help keep people connected and services running," said Meta's head of global affairs, Nick Clegg.

However, there are concerns that the new deal doesn't make enough changes when it comes to user privacy.

In October 2015, the Court of Justice of the European Union (CJEU) invalidated the long standing US-EU Safe Harbour Framework, which Facebook used as a basis for transferring data of European citizens to the US.

The decision is referred to as Schrems I, in reference to activist and lawyer Maximilian Schrems, who initially filed the complaint.

Less than a year later, in July 2016, the EU and the US agreed to a new transfer framework for data called the Privacy Shield, which Schrems referred to as "ten layers of lipstick on a pig".

The agreement was thrown out in July 2020 by the CJEU, which confirmed that the Privacy Shield provided US authorities the right to collect personal data about EU residents without adequate safeguards and effective means of redressal.

"If we are unable to transfer data between and among countries and regions in which we operate, or if we are restricted from sharing data among our products and services, it could affect our ability to provide our services," Meta had said in its annual report.

It had added that it would "likely be unable to offer a number of our most significant products and services, including Facebook and Instagram, in Europe."

Meta later said that it has no plans to pull its services from Europe.

While the details of the agreement will be chalked out over the coming months, the US has released a fact sheet with the general outline of the framework.

The US has committed to:

• Implementing new safeguards to ensure that signals intelligence activities are necessary and proportionate in the pursuit of defined national security objectives.

• Creating a new multi-layer mechanism for EU individuals to seek redress if they believe they are unlawfully targeted by signals intelligence activities. The mechanism will include an independent Data Protection Review Court whose decisions would be binding.

What these commitments translate to in the real world will only be clear once the final framework is published.

Maximilian Schrems, however, isn't optimistic. He believes that the US is not planning to change its surveillance laws and that there seems to be no update to the Privacy Shield principles for commercial data usage.

"The final text will need more time, once this arrives we will analyze it in depth, together with our US legal experts. If it is not in line with EU law, we or another group will likely challenge it. In the end, the Court of Justice will decide a third time," he said in a statement.

"It is regrettable that the EU and US have not used this situation to come to a 'no spy' agreement, with baseline guarantees among like-minded democracies. Customers and businesses face more years of legal uncertainty," he added.