The European Union has just announced reaching an agreement in principle with the US on a revived transatlantic data flows deal — potentially signalling an end to the many months of legal uncertainty that has dogged cloud services after a landmark court ruling in July 2020 which struck down the EU-US Privacy Shield.
“We have found an agreement in principle on a new framework for transatlantic data flows,” said European Commission president, Ursula von der Leyen, speaking at a joint press conference with US president Joe Biden today.
“This will enable predictable, trustworthy data flows between the EU and the US, safeguarding privacy and civil liberties.”
The legal uncertainty hanging over EU-US data flows has led, in recent months, to European data protection agencies issuing orders against flows of personal data passing via products such as Google Analytics, Google Fonts and Stripe, among others.
Facebook’s lead EU regulator also finally sent a revised draft decision to Meta last month, in a multi-year complaint related to its EU-US data flows, after the company had exhausted legal challenges against an earlier preliminary suspension order in fall 2020.
Although the social networking giant still hasn’t actually been ordered to suspend its EU-US data flows — and may now dodge that bullet entirely if EU regulators agree to suspend data transfer enforcements now that there’s a political agreement in place with the US, as they did when Privacy Shield has been agreed in principle, allowing a grace period of suspended enforcements during however many months are needed to secure final agreement and adopt the new EU-US data flows deal.
That will surely be what Meta has been hoping would happen as it sought to delay earlier enforcement.
The detail of what has been agreed by the EU and US in principle — and how exactly the two sides have managed to close the gap between what remain two very differently oriented legal systems — is not clear. And since the sustainability of the deal will hinge on exactly that fine detail there is little that can be taken away from today’s announcement, beyond the political gesture.
The uncertainty over EU-US data transfers actually extends far further than 2020 — as a much longer-standing predecessor agreement, called Safe Harbor, was invalidated by the Europe’s top court in 2015 over the same core clash between EU privacy rights and US surveillance laws.
This dynamic means that any replacement deal faces the daunting prospect of fresh legal challenges to test how robust it is when it comes to ensuring that EU citizens’ rights are adequately protected when their data flows to the US.
“We managed to balance security and the right to privacy and data protection,” von der Leyen suggested in further brief remarks during a far-more wide-ranging press conference. She also couched the agreement reached as “balanced and effective” but provided no specifics on what has actually be decided.
The Commission had very similar things to say about Privacy Shield (and Safe Harbor) — until the court took a very different view, of course. So it’s important to understand that a full and final assessment does not and cannot rest with EU commissioners or their US counterparts.
Only the European Court of Justice can weigh in.
Max Schrems, the privacy lawyer and campaigner whose name has become synonymous with striking down transatlantic data transfer deals (aka, Schrems I and Schrems II) was quick to sound a note of scepticism over what’s been cooked up this time.
Responding to von der Leyen’s announcement in a tweet, he wrote: “Seems we do another Privacy Shield especially in one respect: Politics over law and fundamental rights.
“This failed twice before. What we heard is another ‘patchwork’ approach but no substantial reform on the US side. Let’s wait for a text but mu [first] bet is it will fail again.”
Schrems famously — and correctly — called Privacy Shield lipstick on a pig. So his assessment of the text, when it emerges, will arguably have rather more weight that the Commission’s.
Via his privacy advocacy not-for-profit, noyb, Scherms also said he expects to be able to get any new agreement that does not meet the requirements of EU law back to the CJEU “within a matter of months” (e.g. via civil litigation and preliminary injunction).
“[O]nce [the final text] arrives we will analyze it in depth, together with our US legal experts. If it is not in line with EU law, we or another group will likely challenge it. In the end, the Court of Justice will decide a third time. We expect this to be back at the Court within months from a final decision,” he noted in a statement, adding: “It is regrettable that the EU and US have not used this situation to come to a ‘no spy’ agreement, with baseline guarantees among like-minded democracies. Customers and businesses face more years of legal uncertainty.”
The response from the tech industry to the news of another revived data transfer deal was predictably positive.
Google, which along with Meta has been pressing hard in recent months for the two sides to come up with a viable compromise, was quick to welcome the announcement.
In a statement a company spokesperson told us:
“People want to be able to use digital services from anywhere in the world and know that their information is safe and protected when they communicate across borders. We commend the work done by the European Commission and U.S. government to agree on a new EU-U.S. framework and safeguard transatlantic data transfers.”
The CCIA tech industry association, which has also lobbied hard for a replacement to Privacy Shield, welcomed today’s announcement as “good news”. Although its director, Alexandre Roure, found a little space in his response statement to express needling displeasure with incoming EU rules on industrial and connected device data reuse — which he suggested will introduce fresh “data restrictions”.
This report was updated with additional comment