EU-US Data Sharing Agreement: Has an Agreement been Reached?

EU-US Data Sharing Agreement: Has an Agreement been Reached?

Nov 22, 2022 / Kron

Considering that both Privacy Shield and Safe Harbor have been overturned by the European Court of Justice in recent years, experts are wondering whether US President Biden's executive order on the new Trans-Atlantic Data Policy Framework will share the same fate.

The thousands of companies expecting a data transfer agreement between the US and the EU to become official in the near future and facilitate cross-border data transfer, which is a serious legal burden, should not get their hopes up. While US President Joe Biden's executive order, which includes regulations for implementing the Trans-Atlantic Data Policy Framework agreed upon earlier this year, is a step in the right direction, according to public policy and legal experts, the new agreement will not go into effect until next spring at the earliest. However, it seems unavoidabler that the agreement will encounter legal hurdles after it goes into effect.


The executive order, signed by Biden on October 7th, imposes new restrictions on US intelligence agencies' electronic surveillance authority and provides new opportunities for European citizens to file complaints when they feel their personal information has been unlawfully used by US intelligence agencies.

The agreement was drafted two years after the European Court of Justice annulled the former EU-US data-sharing agreement, known as the Privacy Shield, since adequate measures had not been taken by the United States to protect personal data, particularly from the surveillance of government agencies.

The latest Trans-Atlantic Data Policy Framework, is thought to improve the measures taken by the US to protect personal data and will replace the Privacy Shield. After the anticipated objections, it is expected it will be meticulously examined and hopefully approved by the European Court of Justice this time around. However, according to Jonathan Armstrong, a compliance and technology lawyer at the UK-based compliance company Cordery, despite statements by both the Biden Administration and the European Commission in support of the new data agreement, the process is far from complete.

When expressed his opinion, Armstrong said "Both the White House and the European Commission might be saying that they are confident, but we’ve been down this road before, with both sides saying that Privacy Shield would stand up to judicial scrutiny. It didn’t."

What's next for the Trans-Atlantic Data Policy Framework?

In the first phase, the EU will examine whether the new regulations, enacted by Biden's signing of the executive order, meet the trans-Atlantic standards designed to offer privacy measures equivalent to the EU General Data Protection Regulation (GDPR).

According to a statement from the  European Commission, the EU's executive branch, after consultation with the European Data Protection Board (EDPB) and obtaining approval from a committee composed of representatives of EU member states, a draft adequacy decision will be submitted to the Commission for approval and an implementation procedure will be commenced, in the coming months.  

Armstrong also stated that it is possible that the European Parliament would like to examine the agreement before it is ratified.

Meanwhile, Austrian activist and lawyer Max Schrems, whose complaint about Facebook for GDPR violations led to the overturn of the Security Shield and the previous Safe Harbor agreement, said he could lobby against the agreement through NOYB, his pressure group.

"At first sight it seems that the core issues were not solved and it will be back to the CJEU [Euopean Court of Justice] sooner or later,” Schrems said in a statement issued by the NOYB.

Data transfer opposers target mass surveillance

According to Schrems and other opposers, one of the main problems with Biden's executive order and the Trans-Atlantic Data Policy Framework is that these documents do not consider mass surveillance by US intelligence agencies with the seriousness it is due.

According to the executive order, intelligence activities will be carried out by the United States " only when necessary to advance a validated intelligence priority and only to the extent and in a manner proportionate to that priority." However, according to NYOB, while EU law addresses proportional surveillance, there is no indication  the way mass surveillance carried out by the United States will change.

What’s more, although Biden's executive order requires the US Department of Justice to establish a Data Protection Review Court to handle surveillance-related complaints, according to the NYOB, this is not a “real court” but simply a body of the US government's judicial branch.

The NYOB also pointed out that this executive order is not a law, but a directive given by the US president to the federal government body.

The lobby group American Civil Liberties Union (ACLU) also seems to be in agreement with the NYOB on this matter.

In a statement by the ACLU, Ashley Gorski, senior staff attorney with the ACLU National Security Project, said: “To protect our privacy and to put transatlantic data transfers on a sound legal footing, Congress must enact meaningful surveillance reform. Until that happens, U.S. businesses and individuals will continue to pay the price."

Tash Whitaker, a UK-based global compliance consultant, echoed the comments made by those opposing the new data agreement, saying it was unlikely that it would meet the requirements of a suitable agreement. “In addition, there is a need for judicial redress for data subjects within domestic law. The executive order suggests that this happening by referring to a 'Data Protection Review Court'.”, Whitaker said. 

Why do businesses want a new Privacy Shield?

According to Lartease Tiffith, vice president of public policy at the New York-based business group Interactive Advertising Bureau (IAB), businesses want to expedite the painstaking legal processes that the transatlantic data transfer agreement is subject to, and do so in a way that meets EU standards and avoids any sanctions from EU Data Protection Authorities (DPAs).

Tiffith noted that in the absence of a Privacy Shield or similar agreement, companies have to verify that data transfers are made in accordance with GDPR with standard contractual provisions and said: “The problem with that is that they are very laborious—I wouldn’t even call them standard contractual clauses because in some ways you have to negotiate every single one of them, so standard is probably a misnomer."

Tiffith said almost 70% of the more than 5,000 US companies that enlisted in Privacy Shield are small companies that do not have the resources to negotiate multiple contracts with all their data providers, and this is also a burden for large companies.

According to Tiffith, the objective of the Privacy Shield and the new emerging agreement is to eliminate the obligation to enter into individual data privacy agreements with each supplier after the companies have declared that they comply with the established guidelines.

Tiffith continued: " The other consideration is that even with the standard contractual clauses, companies are subject to DPA enforcement, if they find you don't have a sufficient clause or it didn't cover everything it should."

Data transfer agreement expected to encounter legal hurdles

Tiffith said that the executive order signed by Biden is a step in the right direction and laid the groundwork for a definitive agreement. He emphasized that establishing data flow without hindrance is of paramount importance for the development of technologies in medicine, cybersecurity, and various other sectors, as well as media and advertising and, the trade of consumer goods.

He also stated that despite all this, the agreement "could encounter legal hurdles", taking into account the initial criticisms of the executive order.

Armstrong, a compliance and technology lawyer at Cordery, joined Tiffith in warning businesses not to take the encouraging words of the US and EU officials too seriously. “There’s too much at stake for businesses to rely on those words of comfort especially given the issues which remain with data transfer and the likely challenges,” said Armstrong.

Armstrong said that the new plan would be delayed due to the EU approval process and potential obstacles and that it would not be possible for the regulation to take effect until late spring 2023 at the earliest. Armstrong stated that, even in this event, most organizations would only be willing to accept this agreement on a temporary basis while they work on different compliance measures and go over data transfer security measures, especially with the organizations they send data to.

Whitaker said: " All in, it is possible that the US does get some sort of EU adequacy off the back of this, but it will likely be short lived as the lobbyists will be challenging it in court faster than you can say GDPR."

Source: Computer World

Other Blogs