The European Commission is braced for fresh challenges by privacy campaigners to transfers of data to the United States, even before the details of a potential new deal have been worked out with Washington.
Businesses are keen for clarity on how data can be sent across the Atlantic for processing, while privacy campaigners are wary of personal information being exposed to the surveillance powers of the US, and will scrutinise any deal vigorously for grounds for legal appeal.
The European Commission and the US government jointly announced a deal in principle when President Joe Biden visited Brussels last week, as the two sides sought to strengthen transatlantic ties and show a common front towards Russian aggression in Ukraine.
A deal would replace the Privacy Shield agreement that facilitated data flows until it was struck down by a landmark ruling by the EU's top court in 2020 over concerns that the data would be at risk of intrusion due to US surveillance law, in the culmination of a long legal battle begun in 2013 by the Austrian privacy activist Max Schrems.
An agreement could offer more legal clarity at a time when European data-protection agencies have begun to challenge the flow of personal data through services such as Stripe and Google Analytics.
Mr Schrems has already indicated that he expects the deal not to fix the problems found by the court in 2020, and the commission is anticipating future challenges too.
What does the deal in principle mean, what obstacles remain and what should be expected next?
What’s in the deal?
On Friday the European Commission and US jointly announced they had “agreed in principle on a new transatlantic data privacy framework”.
The agreement would “foster transatlantic data flows and address the concerns” raised by the European Court of Justice in 2020, the statement read.
On the US side, Washington committed to “implement reforms that will strengthen the privacy and civil liberties protections applicable to US signals intelligence activities”.
The US agreed to new safeguards to ensure surveillance is “necessary and proportionate in the pursuit of defined national security objectives”.
It pledged to introduce a two-level redress mechanism, with the authority to order “remedial measures”, which the EU side said would include a data-protection review court.
In addition, it agreed to increased oversight of surveillance “to ensure compliance with limitations” on such activities.
Companies would have to continue to commit to uphold obligations of data protections, including by self-certifying their adherence to the principles of the agreement through the US department of commerce.
How is it linked to the situation in Ukraine?
The announcement came alongside another deal for the US to supply the EU with liquid natural gas shipments to help reduce its dependence on Russia for gas.
The agreements were announced on a day when President Biden attended back-to-back G7, Nato and EU summits in Brussels, and were intended to signal a reaffirmation of the transatlantic alliance in the face of Russia's invasion of Ukraine.
How does it all stack up?
The details still haven’t been worked out. While the announcement is the result of talks between the US and EU, they have not agreed any legal texts. Most of the hard work of negotiation goes into agreeing legal documents, so this announcement is an “agreement to agree”, with the main pillars of a deal set out but much hard work (and potential for failure) still lying ahead.
What happens next?
The two sides will now negotiate to draw up texts, something likely to take months at least. To come into force, Washington would issue an executive order, while the European Commission would issue a data “adequacy decision” for the US.
The European Parliament will be kept informed but does not need to approve such an adequacy decision, which is the responsibility of the commission.
However, the decision by the commission does have to be reviewed and approved by the European Data Protection Board, which is made up of representatives of EU’s national data-protection authorities that have the responsibility for enforcing GDPR. It also has to win the approval of a committee of representatives of member states.
Would a new data arrangement be challenged again?
The EU side believes that the introduction of a redress system in the US would be key to quelling the concerns of the EU court. However, privacy activists are already expressing concerns.
In a statement, campaigner Max Schrems said that while proper analysis would be possible only once a legal text was available to be scrutinised, he doubted that the deal met his concerns because the US had not announced it would change its surveillance laws.
“We expect this to be back at the court within months” of any adequacy decision being issued by the commission, Mr Schrems said.
“It is regrettable that the EU and US have not used this situation to come to a ‘no spy’ agreement . . . Customers and businesses face more years of legal uncertainty.”
In an interview with Reuters on Monday, European commissioner Margrethe Vestager predicted more court battles but insisted the agreement would stand up to scrutiny.
“My guess is here that it will be tested indeed in court, but I know how much they have worked for this to be solid, but of course it remains to be seen,” she said.