The United States and European Union have reached a tentative agreement on how to handle transatlantic data flows, a thorny issue that has resulted in lawsuits involving U.S. tech giants and social media firms and led European companies to wonder if they can continue using those services.
European Commission President Ursula von der Leyen, speaking at a joint press conference with U.S. President Joe Biden in Brussels on Friday, said she was, “Pleased that we found an agreement in principle on a new framework for transatlantic data flows.”
Biden, in a transcript of the press conference published on the White House website, said: “This new agreement will enhance the Privacy Shield Framework; promote growth and innovation in Europe and the United States; and help companies, both small and large, compete in the digital economy. Just as we did when we resolved the Boeing-Airbus dispute and lifted the steel and aluminum tariffs, the United States and the EU are finding creative, new approaches to knit our economies and our people closer together, grounded on shared values.”
Officials on both sides of the Atlantic had expressed optimism in recent months that a deal was progressing.
The crux of the problem with the former Privacy Shield is the United States and European Union disagree on the level of access their governments can have to the personal information of their citizens, particularly data held in the vast databases of some of the world’s largest tech companies, including Google, Apple, and Meta (formerly Facebook).
The status of data flows between the United States and European Union has been caught in legal limbo since the EU’s top court ruled in July 2020 that U.S. law does not provide a similar level of data protection as the European Union under the latter’s General Data Protection Regulation (GDPR).
The Privacy Shield was set up in 2016 to protect the personal data of Europeans when transferred across the Atlantic for commercial use. More than 5,300 companies had signed up to the program, which allowed (on paper, at least) validated companies safe access to EU citizens’ data without fear of legal reprisals under EU privacy law. The European court struck down a similar agreement, Safe Harbor, in 2015.
In a one-page document, the European Commission highlighted the key principles of the new data transfer framework, including “binding safeguards to limit access to data by U.S. intelligence authorities to what is necessary and proportionate to protect national security” and “a new two-tier redress system to investigate and resolve complaints of Europeans on access of data by U.S. Intelligence authorities, which includes a Data Protection Review Court.”
The full details of the framework will be key, as it will not be politicians on either side who decide whether the new agreement allows data to flow freely between the United States and European Union—it will be the Court of Justice of the European Union.
Max Schrems, a prominent privacy activist who played a key role in the scrapping of both Safe Harbor and the Privacy Shield, expressed skepticism this third data flow agreement would end up any more effective than the first two.
“This failed twice before,” Schrems wrote Friday on Twitter in response to the news. “What we hear is another ‘patchwork’ approach but no substantial reform on the U.S. side.” He added he thinks “it will fail again.”