Danielle McNamara
Associate Editor
Loyola University Chicago School of Law, JD 2023
After the EU invalidated the previous data transfer agreement between the EU and the US in July of 2020, many big tech companies have been left unsure how to keep business flowing from Europe without the ability to store data within the US. To the relief of these companies, the Biden Administration has reached a preliminary agreement for a new deal with the EU. Coined the Trans-Atlantic Data Privacy Framework, this new agreement works to address concerns raised by the EU.
Previous data-sharing arrangement
In 2016, the EU and the US had worked out a plan titled Privacy Shield to allow data sharing between the US and Europe. Privacy Shield was designed by the US Department of Commerce and the European Commission and Swiss Administration to provide a mechanism to comply with data protection requirements while transferring data from the EU and Switzerland to the US. The arrangement was deemed appropriate to enable data transfers under EU law on July 12, 2016, and on January 12, 2017 in Switzerland.
However, on July 16, 2020, the Court of Justice of the European Union issued a judgment declaring the EU’s 2016 decision invalid for failing to adequately protect Europeans’ data. This decision marks the second time in the recent past that the EU Court of Justice has deemed US safeguards on Europeans’ data insufficient citing its failure to provide effective means to challenge surveillance of their data by the US government while in the US. Following suit just two months later, the Federal Data Protection and Information Commissioner (“FDPIC”) of Switzerland likewise concluded that the Privacy Shield Framework did not provide adequate levels of protection for data transfers from Switzerland to the US.
US tech companies struggle to move data across boarders
Without an agreement allowing data-sharing from Europe to the US, companies like Meta and Google have faced legal challenges while attempting to effectively transfer data. Specifically, these companies have faced uncertainty with their ability to use US-based data centers to measure their website traffic, sell online ads, or run company payroll in Europe. In a recent annual report, Meta said it is considering shutting down Facebook and Instagram in Europe altogether if it can no longer transfer user data back to the US. Meta emphasized that many businesses, services, and organizations rely on data transfers between the EU and the US to operate global services.
What is the Trans-Atlantic Data Privacy Framework?
In late March 2022, the US and EU announced that they have reached a preliminary agreement for a new data transfer deal. The deal, deemed the Trans-Atlantic Data Privacy Framework, aims to address concerns the EU Court of Justice raised in its July 2020 judgment declaring Privacy Shield inadequate. Specifically, the Framework plans to establish an appeals process for EU individuals. This will be done through an independent Data Protection Review Court. The Court will have binding authority to adjudicate claims and impose regulations.
According to a statement released by the White House Administration, the new framework aims to “strengthen the privacy and civil liberties protections applicable to US signals intelligence activities.” President Biden has stated that the new deal will emphasize commitment to privacy and “once again authorize trans-Atlantic data flows that help facilitate $7.1 trillion in economic relations with the EU.”
Relief and reservations following the announcement
Expectedly, representatives of big tech companies like Meta are thrilled with the news of the preliminary agreement. Nick Clegg, president of global affairs at Meta stated the framework was an important step toward providing certainty for companies that rely on transferring data quickly and safely between American and Europe. Moreover, Victoria Espinel, president and CEO of the software industry trade group BSA, emphasized that the movement of data freely and securely will help to support the technical transformation of thousands of businesses in Europe and the United States.
However, others are hesitant as to whether the new framework will provide adequate protection. Particularly, Australian privacy campaigner Max Schrems, an activist in the group Noyb, has led efforts to get the data-transfer agreement invalidated. He said in a statement that if it is discovered the deal is not in line with EU law, his activist group or another would likely challenge it. Schrems has notably disapproved of the way corporations like Meta have gone about data transfers, suing Facebook in 2014 over its data collection methods.
Status of the deal
As of now, the Trans-Atlantic Data Privacy Framework still needs to be translated into a legal document approved by both the US and the EU. According to a fact sheet released by The White House, the US commitments to the deal will be included in an Executive Order, forming the basis of the Commission’s assessment of the deal’s adequacy. While many are hopeful that the deal will gain approval, others are unsure whether the remedies proposed will be sufficient to gain the approval of the EU.