The Privacy Shield Framework logo is displayed on a smartphone screen.
Pavlo Gonchar | Sopa Images | Lightrocket | Getty Images
Businesses can continue transferring data from the European Union to the U.S. as normal after the two superpowers this week agreed a landmark data-sharing pact.
The framework, which replaces a previous agreement that was invalidated in 2020, is a major development with implications for U.S. tech giants, which rely on the pact to transfer data on their European users back to America.
Without it in place, these companies faced the risk of costly initiatives to process and store user data locally — or withdraw their business from the bloc altogether. So the agreement of the new rules will provide some relief to Meta and other U.S. companies which share gargantuan amounts of user data around the world.
However, the rules already face the threat of legal challenges from privacy activists, who are unhappy with the level of protection the measures offer European citizens. They say it isn’t that different from an earlier framework called Privacy Shield.
CNBC runs through all you need to know about the new EU-U.S. privacy framework, why it matters, and its chances of success.
What’s the new EU-U.S. Data Privacy Framework?
The new data-sharing pact, called the EU-U.S. Data Privacy Framework, aims to ensure that data can flow safely between the EU and U.S., without having to put in place additional data protection safeguards.
In a statement Monday, EU executive body the European Commission said it concluded that U.S. data protection laws offer an “adequate level of protection” for European citizens, and introduced new safeguards limiting access to EU data by U.S. intelligence services to only what is “necessary and proportionate.”
A new Data Protection Review Court will be established for Europeans to issue privacy complaints. It will have powers to order firms to delete users’ data if it finds the information collected was in breach of the new safeguards.
Why was a new data transfer agreement needed?
The Data Privacy Framework replaces a prior agreement, called Privacy Shield, which allowed companies to share data on Europeans to the U.S. for storage and processing locally in their domestic data centers.
This was struck down in July 2020, when the European Court of Justice, the EU’s top court, sided with Austrian privacy campaigner Max Schrems, who alleged U.S. law did not offer sufficient protection against surveillance by public authorities.
Schrems said that revelations from NSA whistleblower Edward Snowden about U.S. surveillance meant that American data protection standards couldn’t be trusted.
He raised a complaint against the social network Facebook which, like many other firms, was transferring his and other user data to the States, as well as the Irish Data Protection Commission, which is Facebook’s main regulatory authority when it comes to data privacy in Europe.
It reached the European Court of Justice, which in 2015 ruled that the then Safe Harbour Agreement, a previous mechanism for allowing European users’ data to be moved to the U.S., was not valid and did not adequately protect European citizens.
It was replaced with the Privacy Shield, however, this was subsequently scrapped too.
In the meantime, companies have relied on separate mechanisms known as Standard Contractual Clauses to ensure they can still move data across the Atlantic.
These tools, too, are under threat.
The Irish DPC in May ruled that Meta’s use of SCCs for transfers of personal data to the U.S. is in breach of the EU’s General Data Protection Regulation. The U.S. tech giant was fined a record $1.3 billion.
Why does it matter?
Multinational companies operate in various jurisdictions, and they need to move data on their customers across borders in a way that’s both secure and complies with data protection regulations.
U.S. tech giants share data on their European users back home all the time. It’s part and parcel of the internet being an open, interconnected platform.
But the way data is handled by these tech companies has come under heavy scrutiny by regulators and privacy campaigners.
Meta, Google, Amazon and others collect huge amounts of data on their users, which they use to inform their content recommendation algorithms and personalize ads.
There have also been countless examples of scandals surrounding the misuse of people’s data by tech firms — not least Meta’s improper sharing of data with Cambridge Analytica, the controversial political consulting firm.
Europe has tough regulations when it comes to processing internet users’ data.
In 2018, the General Data Protection Regulation, or GDPR, came into force introducing tough requirements for organizations to ensure they handle user data safely and securely. This is a law that applies across all the countries within the EU.
The U.S., on the other hand, does not have a singular federal data protection law in place that covers the privacy of all types of data.
Instead, individual U.S. states have come up with their own respective regulations for data privacy, with California leading the charge.
“There has been intense regulatory and political scrutiny on EU-U.S. data transfers, so there are notable differences in the U.S. law protections implemented to support the new framework,” Holger Lutz, partner at law firm Clifford Chance, told CNBC via email.
“Changes to U.S. law have been made in parallel to enhance protections for EU personal data and rights for EU citizens in connection with that data. Those protections are not limited to the new framework – they also protect EU-U.S. personal data transfers outside the framework, and can be taken into account when making such transfers based on other legal instruments such as the EU standard contractual clauses.”
Will it succeed?
The approval of a new data privacy framework means that businesses will now have certainty over how they can process data across borders going forward.
Had there not been an agreement, some companies may have been forced to close their operations in Europe. Indeed, Meta warned this was a risk in February 2022.
Still, obstacles lie ahead.
Schrems, the Austrian privacy activist who helped bring down Privacy Shield, has already said he plans to launch a legal challenge to rip up the new data-sharing pact.
In a statement, Schrems said his law firm Noyb has “various options for a challenge already in the drawer.”
“We currently expect this to be back at the Court of Justice by the beginning of next year,” Schrems said.
“The Court of Justice could then even suspend the new deal while it is reviewing the substance of it. For the sake of legal certainty and the rule of law we will then get an answer if the Commission’s tiny improvements were enough or not.”
Privacy activists say the measures are not sufficient as U.S. privacy laws do not extend protections to non-U.S. citizens, meaning people in the EU don’t have the same level of protection.
“Whether the framework is successful will be a matter of whether the European courts consider the protections for personal data in the US do enough to deliver essential equivalence to the EU protections,” Lutz of Clifford Chance told CNBC.
“Businesses will be carefully considering these potential challenges in their scenario planning.”