Preliminary agreement between EU and US on the Trans-Atlantic Data Privacy Framework

[German]The European Union (EU) and the USA seem to have reached a preliminary agreement on the exchange of user data (Trans-Atlantic Data Privacy Framework) between these regions. The successor agreement is necessary because the European Court of Justice overturned two previous agreements. While the US IT giants are rejoicing, data protectionists are critical of the whole thing.


The fact that a preliminary agreement has been reached was announced by US President Biden and European Commission President Ursula von der Leyen in Brussels on Friday 25 March 2022. This agreement, called the Trans-Atlantic Data Privacy Framework, must now be filled in with text, need to be ratified by the bodies on both sides of the Atlantic (e.g. EU Parliament).

If the Trans-Atlantic Data Privacy Framework agreement comes into being, it would solve one of the most sensitive open problems between the two economic areas: Namely, the fact that currently no personal data of European citizens may be transferred to the US, as the US Cloud Act allows US authorities to access this data.

The Trans-Atlantic Data Privacy Framework

The White House has published its fact sheet on the Trans-Atlantic Data Privacy Framework here on 25 March 2022. There, one learns that the United States and the European Commission have reached an agreement on a new transatlantic data privacy framework. According to the publication, the Trans-Atlantic Data Privacy Framework is intended to promote transatlantic data traffic and address concerns about previous regulations.

In 2020, the European Court of Justice (ECJ) had declared the "Privacy Shield" data protection agreement concluded between the USA and the EU as illegal. This affected all cloud services hosted in the USA (see also my blog post European Court cancels EU-US "Privacy Shield"). The predecessor agreement, called Safe Harbor, had also been canceled by the ECJ. After these two rulings, the legal transfer of personal data of EU citizens between the EU and the USA was no longer possible. This hit US cloud providers like Amazon, Google, Microsoft, but also Apple or Facebook in particular – and it was clear that there had to be a follow-up agreement.

Now the US and the European Union says, they have reached a tentative agreement that allows data on Europeans to be stored on American soil, averting a growing threat to the transatlantic operations of thousands of companies, cheers the Wall Street Journal in this article. But frankly spoken: This preliminary agreement is just "vapor ware" – as you can read below from noyb.

Smell the money

US President Joe Biden, announcing the preliminary framework for the agreement, said it underscored a shared commitment to privacy, data protection and the rule of law. The agreement would allow EU authorities to re-authorise transatlantic data flows. This would help facilitate a $7.1 trillion economic relationship with the EU. Follow the money.


The framework of the agreement

The Trans-Atlantic Data Privacy Framework now under discussion shall addresses two concerns of the EU Court of Justice in relation to US Cloud Act surveillance laws:

  • The scope and proportionality of permissible US national security surveillance measures; and
  • the availability of remedies for Europeans whose personal data is unlawfully collected and used by US intelligence agencies.

write the white house. According to the US administration, the new framework presumably clarifies that US surveillance practices must be both necessary and proportionate. In addition, the agreement promises the possibility for Europeans affected by unlawful surveillance to seek effective review and redress before an independent data protection tribunal. Here are the key points from the White House release:

  • 'The collection of data [by US authorities] may occur only when necessary to further legitimate [US] national security objectives and may not disproportionately affect the protection of privacy and civil liberties';
  • EU individuals will be able to appeal to a new multi-level redress mechanism, including an independent data protection review tribunal composed of individuals who are not members of the US government, with full authority to rule on complaints and order remedies where appropriate;
  • US intelligence agencies will establish procedures to ensure effective oversight of the new privacy and civil liberties standards.
    Sounds good, for US companies – for EU citizens who want to enforce their data protection rights, the road will be burdensome and rocky, in my estimation.

Sounds good, what the white house is saying, especially for US provider.

For EU citizens who want to enforce their data protection rights, the road will be costly and rocky, in my estimation.

Legal execution

A new US data protection court and the obligation to limit disproportionate data collection by US executive order are to be created, according to EU Commission and US government officials. However, negotiators and observers from the US and the EU are already assuming that the new agreement, if it is ratified by the relevant bodies and comes into being, will again be challenged in the European Court of Justice.

The whole thing can be summed up succinctly as "all back to square one". Whether the agreement will come, and whether the Trans-Atlantic Data Privacy Framework will pass the EU Court (ECJ) test this time, is still open.

Facebook, Google & Co. rejoice

The agreement under consideration is likely to ease the concerns of companies such as Meta Platforms Inc. (Facebook) and Alphabet Inc. (Google). This is because US companies have faced increasing legal challenges to data transfers from the EU. The ability of companies to use US-based data centres to, for example, sell online advertising, measure traffic on their website or manage their company's payroll in Europe was at stake – and now there is a "free ride in sight". Microsoft has already responded with the blog postEU-U.S. data agreement an important milestone for data protection, Microsoft is committed to doing our part.

A picture from noyb

Of course, I also captured the first reaction of Max Schrems, who successfully sued against the previous data protection agreements with his organisation noyb.

noyb zum Trans-Atlantic Data Privacy Framework

The above picture summarises what Max Schrems writes in his first statement of noyb in this article. According to Schrems, it is only a political announcement, not a text that can be analysed. As far as noyb is informed, such a text does not yet exist and it will take several months to draft it.

The lawyers still have to find solutions to the problems raised by the European Court of Justice (ECJ). So far, despite two years of discussions, no fully workable solutions have been delivered. What noyb is hearing, Schrems says, is that the US has no plans to change its surveillance laws, but only provides for executive assurances (using EU language like "proportionality").

It is unclear to Schrems how this will even remotely pass the ECJ's scrutiny, as the ECJ has already ruled US surveillance not "proportionate". Previous agreements have failed twice in this regard. Most importantly: there seems to be no update of the "Privacy Shield" principle for commercial data use. And this despite the fact that the General Data Protection Regulation (GDPR) has been in force since the adoption of the Privacy Shield.

Schrems writes: Any new agreement would not be a bilateral agreement, but an executive decision of the European Commission, which would first have to be examined by the European Data Protection Board (EDPB). This process can only be initiated once a legal text is available. An actual "adequacy decision" would therefore still take a few months.

Companies cannot use an agreement until it is formally adopted, which will take months. And very importantly, a decision can be quickly challenged before the European Court of Justice. noyb expects that any new agreement that does not meet the requirements of EU law can be challenged before the ECJ within a few months, e.g. through civil litigation and injunctions. The ECJ can even take interim measures if an agreement clearly violates previous rulings.

Some people sees the whole thing as a "possible agreement under the sign of the Ukraine crisis". Schrems' conclusion, which I can agree with: All in all, this all seems to be a political announcement, on the occasion of the US President's visit to Europe, which for the time being does not generate any legal certainty without a solid text.

The "powerful" statements of the White House and of Google, Facebook, Microsoft etc. mentioned above are smoke on the water in this context – this has to be filled with life (aka execution directives and texts) – and then we'll see. If nothing changes with regard to the US laws, it is said that this third attempt will also be canceled by the ECJ.

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security and tagged . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *