The European Union and the United States agreed on the principle of the Privacy Shield in 2016, allowing personal data to flow freely from the EU to certified companies in the US. However, the Court of Justice of the European Union (CJEU) invalidated the Privacy Shield process, leaving the two jurisdictions to negotiate a more robust EU-US data transfer agreement.
It found that there were two main issues with the agreement as it stood:
- Surveillance laws in the US took primacy over the Privacy Shield in that territory, meaning that it could not offer European citizens the protection required.
- The mechanisms for redress following misuse of data were not sufficient to satisfy EU law.
Austrian privacy activist Max Schrems, who had previously challenged the now-invalid Safe Harbor privacy principles, was instrumental in the legal fight against the Privacy Shield, citing Facebook Ireland’s use of standard contractual clauses (SCC) for data transfers to its American parent company. The case, Data Protection Commissioner v Facebook Ireland Ltd, Maximilian Schrems and intervening parties, is now known as Schrems II.
This judgement caused consternation for companies such as Meta, Amazon and Google, which rely on data flows from the EU to the US. Meta even suggested it could shut down Facebook and Instagram in the EU unless there was a new agreement.
However, in March 2022, European Commission President Ursula von der Leyen hailed a new data transfer agreement between the EU and the US that would “enable predictable and trustworthy data flows between the EU and US, safeguarding privacy and civil liberties.”
1. What’s new in the EU-US data transfer agreement?
The new Trans-Atlantic Data Privacy Framework includes the following features with a view to facilitating data flows between the EU and US without compromising the rights of European users.
- Binding safeguards to prevent US intelligence agencies from accessing data for any reason other than national security
- New processes within the US intelligence services to meet the requirements for privacy and civil liberties
- A two-tier redress system that EU citizens can use to complain about non-compliant data access
- Development of a Data Protection Review Court
- New systems for monitoring and review
2. The EU-US data transfer agreement explained
2.1 Key principles:
2.1.1 Data will be able to flow freely and safely
Experts have estimated the data flow between the two jurisdictions to be worth more than US$1 trillion (€985,665,000,000). There are around 5,300 companies that rely on sharing personal data across the Atlantic, and this includes some of the most prominent tech giants, such as Amazon, Twitter, Meta and more.
The new data transfer agreement will facilitate this flow in a manner that is deemed safe by the stringent standards of the European Union. But it is not just a deal that aids the major corporations. The White House issued a statement claiming the free flow of data will “enable businesses of all sizes to compete in each other’s markets,” adding that “data flows are critical to the trans-Atlantic economic relationship and for all companies large and small across all sectors of the economy. In fact, more data flows between the United States and Europe than anywhere else in the world.”
2.1.2 Ensure the privacy of EU personal data
When the legal agreement is drafted, the European Commission will assess the details and decide whether it satisfies the General Data Protection Regulation (GDPR).
Article 45 of GDPR requires the EC to consider whether a third country offers an “adequate level of protection” for consumers. The agreement for the Trans-Atlantic Data Privacy Framework aims to resolve the issues of previous legislation, particularly with regard to surveillance from US signals intelligence.
The right of American intelligence services to monitor data overruled the Privacy Shield agreement, meaning that EU citizens did not receive the privacy and civil liberties safeguards that they do within their own jurisdiction. As a result, the CJEU ruled against the Privacy Shield.
With the Trans-Atlantic Data Privacy Framework, any surveillance by intelligence services in the US must be necessary and proportionate in the pursuit of defined national security objectives and must not disproportionately impact the protection of individual privacy and civil liberties. The US agencies must implement procedures to ensure compliance with these standards.
2.1.3 Establish a new redress mechanism with independent and binding authority
There will be a multi-layer redress mechanism under the new agreement. This includes the formation of a Data Protection Review Court, which will be an independent body that rules on cases where EU citizens feel that a company or body has impinged on their privacy or civil liberties.
The White House stated that it would look only outside of the US government to appoint members to the court, and they will have the full power to adjudicate on complaints and to deliver sanctions to bodies that contravene the agreement.
Some American commentators have welcomed this development, noting that it would also improve the patchy privacy protection legislation across the United States. At the same time, it will ensure EU citizens receive the same level of privacy they enjoy at home.
2.1.4 Strong obligations for companies
The requirements for companies under the Privacy Shield continue to apply under the new data transfer agreement. They must self-certify with the US Department of Commerce that they commit to adhere to the principles of the agreement.
2.2 Benefits of the deal
Benefit | Explanation |
Protection for Europeans | Given the disparity between the privacy laws in the US and EU, this agreement will force American authorities to level up the way they treat data, protecting the rights of EU citizens. |
Safe and secure data flows | Europeans can be confident that the US will uphold their privacy rights when accessing some of the world’s most popular websites. |
Durable and reliable legal basis |
In the event of any issues, having a defined route for redress will also instil faith in the system. The independence of the Data Protection Review Court and its ability to rule and sanction should provide a deterrent to bad actors and streamline the legal process. |
Competitive digital economy and economic cooperation |
Organisations that transfer data across the Atlantic can continue to do so and will be able to remain Facilitating data flows more easily helps reduce |
3. How the agreement affects whistleblowing
In most circumstances, you will collect and store data relating to whistleblowing within the European Union under the scope of GDPR. Even if your company is based in both the EU and US, it would be likely that you would store the data in the jurisdiction in which you collected it.
However, there may be situations where you have to transfer data across the Atlantic. In this case, the data would be protected under the new agreement. The American branch of your business would have to get certified by the Department of Commerce that it pledged to remain compliant with the data transfer framework.
Until the agreement comes into action, companies that use US-based whistleblowing platforms could be in contravention of GDPR. There have been similar cases already. For example, the Bavarian DPA found an EU entity guilty of inputting its mailing list into a US email management solution. The same could happen if you are handling whistleblowers’ details in an American system.
To ensure compliance, you can use an EU-based system such as IntegrityLog, which adheres to the EU Whistleblowing Directive and GDPR.
4. FAQs
4.1 Can GDPR data be transferred out of the EU?
The European Commission must assess the adequacy of any third country before you can transfer GDPR data to that jurisdiction. It makes an assessment based on a number of factors, including the human rights record of the country, the existence of an independent supervisory body dealing with data protection, the rule of law and more.
4.2 Can EU data be transferred to the US?
Since the ending of the Privacy Shield, companies should not transfer EU data to the US. The new agreement will enable businesses to resume transfers in a compliant manner.
4.3 What is the EU-US Umbrella Agreement?
The umbrella agreement requires that data transferred between two jurisdictions can be used only for the prevention, detection, investigation and prosecution of criminal offences.
5. Conclusion
The EU-US data transfer agreement will improve the ability of businesses to transfer data between jurisdictions in a manner that maintains the strict privacy laws and civil liberties enjoyed by the citizens of the European Union. For whistleblowing, it will allow companies that work across both areas the ability to transfer data in a compliant manner, which is not possible at the moment.
If you want to ensure you always collect whistleblowing data in a compliant manner, try IntegrityLog. Request a free demo for your company or request a 14-day free trial today.
6. References and further reading
Share this post
Article Summary
- 1. What’s new in the EU-US data transfer agreement?
- 2. The EU-US data transfer agreement explained
- 2.1 Key principles
- 2.1.1 Data will be able to flow freely and safely
- 2.1.2 Ensure the privacy of EU personal data
- 2.1.3 Establish a new redress mechanism with independent and binding authority
- 2.1.4 Strong obligations for companies
- 2.2 Benefits of the deal
- 3. How the agreement affects whistleblowing
- 4. FAQs
- 4.1 Can GDPR data be transferred out of the EU?
- 4.2 Can EU data be transferred to the US?
- 4.3 What is the EU-US Umbrella Agreement?
- 5. Conclusion
- 6. References and further reading