Marketers Can Breathe a Sigh of Relief After EU Signs Transatlantic Data Deal. Here’s What To Know

Business organizations, and particularly marketers, on both sides of the Atlantic, can breathe a sigh of relief as the European Union restored a decision that allows for lucrative transatlantic data exchanges between the U.S. and the EU this week.

If that sounds a little dense, here’s what you need to know.

The new decision ends the three-year stalemate that found tech giants such as Google and Meta, as well as smaller and mid-sized companies in legal limbo and cut off U.S. companies trying to target EU audiences, missing out on reaching millions of consumers and leading to revenue loss. In one such case, roughly 10% of Meta’s ad revenue came from ads delivered to Facebook users in EU countries, the company said in its Q1 earnings this year.

Now, the free data flow between the regions is allowing a $7.1 trillion U.S.-EU economic relationship, according to the White House.

“This is positive news for businesses in U.S. and EU who need the data transfer for their business models,” said Joe Jones, research and insights director at IAPP.

So, what’s new this time?

In its third iteration, the EU’s new framework, known as the adequacy decision, recognized the law reforms in the U.S. that now, due to significant surveillance upgrades, offer sufficient guardrails for Europeans’ data.

“Following the agreement in principle I reached with President Biden last year, the U.S. has implemented unprecedented commitments to establish the new framework,” said Ursula Von Der Leyen, president of the European Commission, in a statement.

The framework also gives EU residents several rights, including the ability to access their data and request correction or deletion of inaccurate or unlawfully handled data by U.S. companies.

The new framework also limits U.S. authorities from accessing EU individuals’ data and will be allowed to do so only when deemed necessary, such as for investigating a serious crime, according to Jones.

Meanwhile, EU residents can take their complaints to a U.S.-based Data Protection Review Court (DPRC), which will be composed of former U.S. judges and senior lawyers. The court will be tasked with reviewing complaints and assessing if the data collected violated the new guardrails, and if so, will be able to order the deletion of the data.

Why has it taken so long?

Working through significant U.S. surveillance reforms to determine what is considered adequate under the EU law was always going to be a sensitive, high-stakes and constitutionally a complex endeavor, according to Jones.

The reforms, he said, necessitated significant on-the-ground changes to how U.S. agencies collect and process data—something which naturally requires a considerable amount of time.

Ultimately, the new framework replaces the Privacy Shield with new guardrails put in place by the U.S.

That sounds familiar. What was the issue previously?

EU regulators were previously concerned with the lack of a real data privacy framework in the U.S. that ensured the data safety of EU residents.

As a result, in 2020, the EU courts invalidated the governments’ previous data agreements, known as the Privacy Shield, alongside a 2000 deal called Safe Harbor, over fears of U.S. intelligence agencies’ access to Europeans’ data.

The ripple effect was felt by companies, mostly small and medium-sized firms, who could no longer transfer personal data from the EU unless they complied with the Standard Contractual Clauses (SCCs).

Although SCCs weren’t a substitute for Privacy Shield, they allowed a more regulated data flow via non-negotiable pre-written clauses and conditions mutually agreed upon by both, the sender and receiver of personal data. However, SCCs are very expensive, according to Jones.

But these were temporary solutions. Ireland’s Data Protection Commission (DPC) threatened to potentially suspend Facebook’s data sharing between the EU and the U.S. last year.

Around the same time, Google Analytics faced a regulatory pushback over data spying concerns in the U.S. by French watchdogs.

Are we at the end of hearing about this?

Not exactly. The agreement ends the EU-U.S. negotiations, albeit temporarily. Not everyone is satisfied.

Max Schrems, the Austrian activist who filed lawsuits that struck down the previous data agreements, said in a statement that he would likely challenge the new deal in court by the end of August. According to Schrems, the new framework is “largely a copy of the failed Privacy Shield” and there were little changes in U.S. law. Schrems expects his complaint to come to the European Court of Justice in early 2024.

“We have various options for a challenge already in the drawer, although we are sick and tired of this legal ping-pong,” he said.

What will happen next?

According to Jones, the resolution of Schrems’ court challenge could potentially take more than a year and a half.

In the meantime, he recommends that organizations could opt to join the new data transfer framework, but it is advisable to also continue testing alternative mechanisms such as SCC contracts.