There are a few hot topics, such as hefty fines, Google, Facebook, and new laws like the Virginia Consumer Data Protection Act (VCDPA), that usually take the limelight when it comes to privacy.
One privacy concern that has captured the interest of privacy professionals, business owners, and news outlets lately is the new data transfer agreement that would provide a mechanism for personal data to be transferred from the European Union (EU) to the United States (US).
While this agreement is still in its infancy, it will significantly affect how companies manage privacy and data transfers, so it is essential to understand it.
This article will discuss why this agreement is needed, the history of data transfers from the EU to the US, and what you need to know about this agreement to prepare for the future.
Why is an EU-US data transfer mechanism needed?
The European Union’s privacy law, the General Data Protection Regulation (GDPR), aims to protect the privacy of individuals residing in the European Union.
Because GDPR imposes a stringent set of requirements on companies in order to provide privacy rights to individuals, EU lawmakers were understandably concerned that EU residents would lose some, if not all, of those rights and protections if their personal data were transferred to a country that does not provide them.
To ensure that EU residents do not lose their privacy rights and protections, GDPR allows data to be transferred outside of the EU only if one of the following conditions is met:
- The third country to which the data is sent has been deemed to provide a level of privacy protection adequate to that provided in the EU. Currently, Andorra, Argentina, Canada, Faroe Islands, Guernsey, Isle of Man, Israel, Japan, Jersey, New Zealand, South Korea, Switzerland, the UK, and Uruguay have been found to provide such protection. The United States is not on the list of countries deemed adequate by the EU;
- Data transfer is subject to appropriate safeguards such as a legally binding and enforceable instrument between public authorities or bodies, binding corporate rules, standard data protection clauses, an approved code of conduct, or an approved certification mechanism.
In this case, the EU and US are working together on creating a legally binding and enforceable instrument between the two regions that would allow personal data to flow freely between the EU and the US.
Background of data transfer agreements between the EU and the US
If the idea of an EU-US data transfer agreement sounds familiar, it is because the EU and US already had such a transfer agreement in place, which was called the EU-US Privacy Shield Framework.
The EU-US Privacy Shield was a set of requirements that companies needed to meet in order to transfer data from the EU to the US. However, this agreement was struck down in 2020 as a result of a complaint that privacy activist Max Schrems brought against Facebook’s transfers of his personal data to the United States.
The complaint argued that Facebook’s data transfer to the US was unlawful as US intelligence agencies could access the data.
On July 16, 2020, the Court of Justice of the European Union agreed with Max Schrems. It held that the EU-US Privacy Shield was invalid for transferring data from the EU to the US because US intelligence agencies could access that data, thereby violating the privacy rights of EU residents.
After the EU-US Privacy Shield was struck down, companies were left scrambling for a way to transfer data lawfully, relying on contractual requirements and technical safeguards to ensure that the data was protected in the United States.
The EU and the US governments started working on a potential replacement for the EU-US Privacy Shield.
The new EU-US data transfer agreement
In late March 2022, the US President and the President of the European Commission announced that a new agreement had been reached in principle to allow transfers of data from the EU to the US.
The main challenges to an EU-US data transfer agreement are ensuring that US intelligence agencies do not continue to have indiscriminate access to the data of EU residents, that individuals are provided with certain privacy rights and protections, and that individuals residing in the EU have adequate redress mechanisms for when their privacy rights are violated.
While the exact details of this new agreement have not been published yet, the US has agreed to the following commitments:
- Limit the collection of personal data by US intelligence agencies to what is necessary to advance legitimate national security objectives;
- Establish a redress mechanism that includes an independent court staffed by individuals from outside the US Government;
- Ensure that US intelligence agencies adopt the procedures necessary for effective oversight of the new privacy and civil liberties standards.
It is important to note that this new agreement is not finalized yet: it is still an agreement “in principle” and thus is not yet legally binding. This means that the new agreement cannot be used as a lawful basis for transferring data from the EU to the US until it is finalized.
In fact, the Danish Data Protection Authority stated that while it welcomes this new agreement, companies should be cautious and should still use the existing transfer requirements to transfer data.
In addition, officials involved in the negotiations have stated that we should expect a final agreement to be in place by the end of 2022, so companies should be ready to continue on the same path for at least the next half year.
What happens after the agreement is finalized?
Once the agreement is finalized and adopted by both parties, companies will have to review its requirements, meet them, and probably certify to the government that they do so. In addition, once the agreement is finalized, we will probably start seeing legal challenges to it.
Max Schrems has stated that he is skeptical about this new agreement and whether it will truly curb US surveillance and protect the privacy of EU residents.
In fact, his office states that it will only be a matter of months before he brings a new case before the European Court of Justice once this new agreement is finalized.
Thus, it is very likely that this new agreement will be challenged in courts right after it is finalized, making the future of data transfers for those who rely on these types of agreements uncertain at best.
The practical recommendation for companies that want to future-proof their privacy programs is to rely on the other data transfer mechanisms for the time being and to use this new agreement only once it is finalized and battle-tested.