Last week, the European Union announced that it had reached an agreement in principle on a new framework for transatlantic data flows with the United States, letting companies like Meta and Google breathe a sigh of relief.
"It will enable predictable and trustworthy data flows, balancing security, the right to privacy and data protection. This is another step in strengthening our partnership," said Ursula von der Leyen, president of the European Commission, on 25 March.
The previous framework for transferring data between the US and the EU, which was in effect for four years, was thrown out by a European court in 2020.
Ever since, US-based tech giants and their products – particularly cloud services – have faced increasing scrutiny from European data protection authorities. Meta had even threatened to leave Europe.
The announcement of a new deal has been welcomed by Facebook and Google. "With concern growing about the global internet fragmenting, this agreement will help keep people connected and services running," said Meta's head of global affairs, Nick Clegg.
However, there are concerns that the new deal doesn't make enough changes when it comes to user privacy.
Safe Harbour, Privacy Shield: The Old Deals
In October 2015, the Court of Justice of the European Union (CJEU) invalidated the long standing US-EU Safe Harbour Framework, which Facebook used as a basis for transferring data of European citizens to the US.
The decision is referred to as Schrems I, in reference to activist and lawyer Maximilian Schrems, who initially filed the complaint.
This was in light of allegations that the US National Security Agency (NSA) collected user data from companies like Facebook and Google under the PRISM surveillance program.
Less than a year later, in July 2016, the EU and the US agreed to a new transfer framework for data called the Privacy Shield, which Schrems referred to as "ten layers of lipstick on a pig".
The agreement was thrown out in July 2020 by the CJEU, which confirmed that the Privacy Shield provided US authorities the right to collect personal data about EU residents without adequate safeguards and effective means of redressal.
The judgment, called Schrems II, continues to affect American companies, including Google, Microsoft, and Amazon, whose cloud services have become a crucial part of modern internet usage.
"If we are unable to transfer data between and among countries and regions in which we operate, or if we are restricted from sharing data among our products and services, it could affect our ability to provide our services," Meta had said in its annual report.
It had added that it would "likely be unable to offer a number of our most significant products and services, including Facebook and Instagram, in Europe."
Meta later said that it has no plans to pull its services from Europe.
US Releases New Framework Fact Sheet
While the details of the agreement will be chalked out over the coming months, the US has released a fact sheet with the general outline of the framework.
The US has committed to:
Implementing new safeguards to ensure that signals intelligence activities are necessary and proportionate in the pursuit of defined national security objectives.
Creating a new multi-layer mechanism for EU individuals to seek redress if they believe they are unlawfully targeted by signals intelligence activities. The mechanism will include an independent Data Protection Review Court whose decisions would be binding.
What these commitments translate to in the real world will only be clear once the final framework is published.
Maximilian Schrems, however, isn't optimistic. He believes that the US is not planning to change its surveillance laws and that there seems to be no update to the Privacy Shield principles for commercial data usage.
"The final text will need more time, once this arrives we will analyze it in depth, together with our US legal experts. If it is not in line with EU law, we or another group will likely challenge it. In the end, the Court of Justice will decide a third time," he said in a statement.
"It is regrettable that the EU and US have not used this situation to come to a 'no spy' agreement, with baseline guarantees among like-minded democracies. Customers and businesses face more years of legal uncertainty," he added.