By Samantha Brunn
On Friday, March 25, 2022, U.S. President Joe Biden announced at a news conference in Brussels that the U.S. reached an “agreement in principle” with European Union leaders to create a new Privacy Shield law that would replace a previous agreement that was struck down in 2021.[1]
The previous EU-U.S. Privacy Shield[2] was a legal mechanism by which companies on both sides of the Atlantic could comply with data protection requirements when transferring personal data from the European Union to the United States in support of transatlantic commerce.[3] But that agreement was ruled to be invalid in July 2020 under the Court of Justice of the European Union’s (CJEU) ruling in Schrems II,[4]which struck down the Privacy Shield framework that was adopted in 2016,[5] saying it did not go far enough to protect EU citizens’ data,[6] thereby further complicating U.S. compliance issues with the EU’s General Data Protection Requirements (GDPR).[7]
Since the start of its enforcement in May 2018, the GDPR has put considerable pressure on U.S. companies and government entities to comply with data protection principles. Then, once the Privacy Shield was invalidated, chaos ensued.[8] U.S. businesses and other stakeholders, including non-profit organizations, government agencies, and even private individuals who hope to conduct business in the EU, have been stuck trying to navigate the convoluted data privacy landscape with little formal guidance since the data transfer agreement was invalidated in July 2020.
Now, with President Biden’s announcement, it seems as though that pressure has finally pushed to the top of the federal government. Some of the largest tech companies in the world, including Meta (Facebook’s parent company) and Google had urged the U.S. to take action on the data transfer issue, with Meta explicitly saying the company would shut down Facebook services in Europe if no agreement was reached.[9]
President Biden said the new agreement includes “unprecedented protections for data privacy and security for our citizens.”[10] European Commission President Ursula von der Leyen said the agreement “will enable predictable, trustworthy data flows between the EU and the U.S., safeguarding privacy and civil liberties.”[11]
In a statement, Google quickly welcomed the leaders’ announcement. “People want to be able to use digital services from anywhere in the world and know that their information is safe and protected when they communicate across borders,” a Google spokesperson told TechCrunch on Mar. 25, 2022.[12] “We commend the work done by the European Commission and U.S. government to agree on a new EU-U.S. framework and safeguard transatlantic data transfers.”
However, the details of the new agreement are not yet released.[13] Time will tell whether the U.S. is ready to meet the EU’s demand for strong privacy protections. It is more than likely that privacy advocates will challenge the new agreement if it fails to live up to its promised protections. “If it is not in line with EU law, we or another group will likely challenge it,” said Max Schrems, a privacy activist who has initiated the past two lawsuits invalidating the Privacy Shield framework.[14] Schrems went further to express his doubts about the new agreement on Twitter, saying “This failed twice before. What we heard is another ‘patchwork’ approach but no substantial reform on the U.S. side. Let’s wait for [the legislative] text, but my [first] bet is it will fail again.”
[1] David McCabe & Martina Stevis-Gridneff, U.S. and European Leaders Reach Deal on Trans-Atlantic Data Privacy, N.Y. Times (Mar. 25, 2022), https://www.nytimes.com/2022/03/25/business/us-europe-data-privacy.html.
[2] Rachel F. Fefer & Kristin Archick, Cong. Rsch. Serv., IF11613, U.S.-EU Privacy Shield (2021), https://crsreports.congress.gov/product/pdf/IF/IF11613/4.
[3] Privacy Shield Program Overview, International Trade Administration (last visited Nov. 6, 2021), https://www.privacyshield.gov/program-overview.
[4] Case C-311/18, Data Protection Commissioner v. Facebook Ireland Limited (Schrems II), ECLI:EU:C:2020:559 (July 16, 2020), http://curia.europa.eu/juris/document/document.jsf?text=&docid=228677&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=11629969; see also Jane E. Kirtley, CJEU Strikes Down EU-U.S. Privacy Shield, Confirms Validity of Standard Contractual Clauses, in Communications Law In The Digital Age 2020, at §§ VI.A. (2020).
[5] See Jane E. Kirtley, CJEU Ruling Allows Privacy Authorities in Any EU Country to Enforce the GDPR Against Facebook, Other Tech Companies, in Communications Law In The Digital Age 2021, at §§ III.A. (2021).
[6] Case C-311/18, Data Protection Commissioner v. Facebook Ireland Limited (Schrems II), ECLI:EU:C:2020:559 (July 16, 2020), http://curia.europa.eu/juris/document/document.jsf?text=&docid=228677&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=11629969.
[7] See Art. 5, Data Protection: Rules for the Protection of Personal Data inside and outside the EU, https://gdpr-info.eu/art-5-gdpr/. See generally Matt Burgess, What is GDPR? The summary guide to GDPR compliance in the UK, Wired UK (Mar. 24, 2020), https://www.wired.co.uk/article/what-is-gdpr-uk-eu-legislation-compliance-summary-fines-2018.
[8] Adam Satariano, E.U. Court Strikes Down Trans-Atlantic Data Transfer Pact, N.Y. Times (July 16, 2020), https://www.nytimes.com/2020/07/16/business/eu-data-transfer-pact-rejected.html (“Eduardo Ustaran, a lawyer specializing in privacy and cybersecurity at the law firm Hogan Lovells in London, said that while average people were unlikely to notice any major changes as a result of the decision, it left thousands of companies in legal limbo. ‘The practical effect is actually huge,’ he said. ‘Any company that wants to transfer data overseas must now check the powers of other countries to have access to that data.’”) .
[9] David McCabe & Martina Stevis-Gridneff, U.S. and European Leaders Reach Deal on Trans-Atlantic Data Privacy, N.Y. Times (Mar. 25, 2022), https://www.nytimes.com/2022/03/25/business/us-europe-data-privacy.html.
[10] Id.
[11] Natasha Lomas, EU, US agree on data transfer deal to replace defunct Privacy Shield, Tech Crunch (Mar. 25, 2022), https://techcrunch.com/2022/03/25/eu-and-us-agree-data-transfer-deal-to-replace-defunct-privacy-shield/.
[12] Id.
[13] McCabe, supra note 9.
[14] Id.