Why has it taken so long?
Working through significant U.S. surveillance reforms to determine what is considered adequate under EU law was always going to be a sensitive, high-stakes and constitutionally complex endeavor, according to Jones.
The reforms, he said, necessitated significant on-the-ground changes to how U.S. agencies collect and process data—something which naturally requires a considerable amount of time.
Ultimately, the new framework replaces the Privacy Shield with new guardrails put in place by the U.S.
That sounds familiar. What was the issue previously?
EU regulators were previously concerned with the lack of a real data privacy framework in the U.S. that ensured the data safety of EU residents.
As a result, in 2020, the EU courts invalidated the governments’ previous data agreements, known as the Privacy Shield, alongside a 2000 deal called Safe Harbor, over fears of U.S. intelligence agencies’ access to Europeans’ data.
The ripple effect was felt by companies, mostly small and medium-sized firms, who could no longer transfer personal data from the EU unless they complied with the Standard Contractual Clauses (SCCs).
Although SCCs weren’t a substitute for Privacy Shield, they allowed a more regulated data flow via non-negotiable pre-written clauses and conditions mutually agreed upon by both the sender and the receiver of personal data. However, SCCs are very expensive, according to Jones.
But these were temporary solutions. Ireland’s Data Protection Commission (DPC) threatened to potentially suspend Facebook’s data sharing between the EU and the U.S. last year.
Around the same time, Google Analytics faced regulatory pushback from French watchdogs over concerns about data spying in the U.S.
Are we at the end of hearing about this?
Not exactly. The agreement ends the EU-U.S. negotiations, albeit temporarily. Not everyone is satisfied.
Max Schrems, the Austrian activist who filed lawsuits that struck down the previous data agreements, said in a statement that he would likely challenge the new deal in court by the end of August. According to Schrems, the new framework is “largely a copy of the failed Privacy Shield” and there was little change in U.S. law. Schrems expects his complaint to come to the European Court of Justice in early 2024.
“We have various options for a challenge already in the drawer, although we are sick and tired of this legal ping-pong,” he said.