The US and European Union (EU) have reached a preliminary agreement to reopen the free flow of data between the two regions. The announcement was made today during US President Joe Biden’s visit to Europe to discuss the Russia-Ukraine crisis at the NATO Summit, the G7 and the European Council.
The newly agreed framework is designed to revamp the previous Privacy Shield arrangement between the two regions, which was ruled unlawful in the Schrems II case by the Court of Justice of the European Union in 2020 under GDPR. This was due to concerns that US law enforcement agencies could access data transferred from the EU to the US.
As a result of this ruling, the process of transferring personal data from the EU to the US has become far more complex, with organizations having to use alternative mechanisms like standard contractual clauses.
In a statement with President Biden, President of the European Commission, Ursula von der Leyen, said: “I am very pleased that we have found an agreement in principle on a new framework for transatlantic data flows. This will enable predictable and trustworthy data flows between the EU and US, safeguarding privacy and civil liberties. I really want to thank Commissioner Reynders and Secretary Raimondo for their tireless efforts over the past months to find a balanced and effective solution. This is another step in strengthening our partnership. We manage to balance security and the right to privacy and data protection.”
President Biden added that the agreement will “once again authorize transatlantic data flows that help facilitate $7.1tn in economic relationships.”
The announcement will come as huge relief to organizations that engage in transatlantic data flows. Victoria Espinel, President and CEO of BSA, stated: “Moving data freely and securely across the Atlantic is critical to businesses of all sizes and in all industry sectors.
“Today’s announcement will help restore trust, provide legal certainty, and support the digital transformation of thousands of businesses in Europe and the United States.”
Commenting on the announcement, Caitlin Fennessy, VP of the International Association of Privacy Professionals (IAPP), outlined: “With the just-announced Privacy Shield deal, privacy professionals around the world can finally exhale. They have been holding their breath for months given the lack of water-tight data transfer compliance options, the borderless nature of internet-based services and escalating enforcement. While we have yet to see the details, it seems both sides were working toward a lasting solution. If they wanted a temporary fix, they could have wrapped up talks months ago. Time will tell whether they got there.”
However, there are currently no details about how the new privacy shield framework will work and how it will overcome the issues identified in the Schrems II judgment. It is likely the deal when formally agreed will be challenged in the courts by privacy campaigners. Max Schrems, the privacy lawyer and campaigner who brought the case that led to the Privacy Shield being invalidated, tweeted: “Seems we do another #PrivacyShield especially in one respect: Politics over law and fundamental rights. This failed twice before. What we hear is another “patchwork” approach but no substantial reform on the US side. Let’s wait for a text, but my first bet is it will fail again.”
Last year, the EU formally granted the UK adequacy status to allow data to flow seamlessly between the two regions following Brexit.