Infosecurity Europe
4-6 June 2024
ExCeL London

The Future of EU-US Data Transfers: Challenges to the New Agreement

The EU and US finalised a new Data Privacy agreement in 2023, paving the way for organisations to exchange personal data between the two regions without developing additional, often complex, safeguards.

This framework has replaced the previous Privacy Shield arrangement between the two regions, which was ruled unlawful by the Court of Justice of the European Union (CJEU) under the GDPR in the ‘Schrems II’ case in 2020.

Following this ruling, the process for of transferring personal data from the EU to the US has become far more complex, with organisations having to use alternative mechanisms like standard contractual clauses (SCCs).

Unsurprisingly, it soon became apparent that as with Privacy Shield, the new agreement would face legal challenges relating to data privacy law.

Immediately after the European Commission adopted its adequacy decision for the EU-US Data Privacy Agreement, Noyb - European Center for Digital Rights, the non-profit organisation founded by privacy campaigner Max Schrems, confirmed it will be challenging the decision in the courts. 

Impact of the EU-US Data Privacy Framework

The EU’s European Commission believes the new Data Privacy arrangement overcomes the primary issue in Schrems II, that EU citizens’ personal data were not adequately protected from being accessed by US law enforcement agencies.

A major element in this belief relates to the Executive Order Enhancing Safeguards for United States Signals Intelligence Activities, signed by US President Joe Biden in October 2022, which provides additional safeguards for EU citizens’ data that is transferred to the US. This includes binding safeguards that limit access to data by US intelligence authorities to what is necessary and proportionate to protect national security.

Shortly after the EU-US agreement was confirmed, the UK announced it had established its own ‘data bridge’ with the US to allow for the free flow of personal data, representing an extension to the EU-US arrangement.

The mechanisms were met with relief by relevant governments and business leaders, who highlighted the significant economic benefits enabled by seamless data flows.

However, industry experts recently discussed the chances of the new agreement being struck down and what the potential implications would be of such an occurrence in the EU and UK.

Schrems III on the Horizon

Max Schrems, who brought the previous Schrems I and II cases that invalidated the Safe Harbour and Privacy Shield agreements between the EU and US, was given approval by Ireland’s High Court in February 2024 to participate in two cases connected to Meta being barred from transferring EU user data to the US. 

Joe Jones, Director of Research and Insights at the IAPP, told Infosecurity: “All roads look like they’re heading to a Schrems III.”

As with the Schrems II, Jones expects such a case, when it arrives at the CJEU, to centre around US government surveillance.

On this occasion, however, he believes there have been significant developments that make any Schrems challenge less likely to succeed.

This includes the new restrictions limiting US intelligence authorities access to data in Biden’s Executive Order, which also includes the establishment of an independent and impartial redress mechanism for EU citizens.

This mechanism establishes a new Data Protection Review Court to investigate and resolve complaints regarding access to their data by US national security authorities.

In addition, Jones said there has been a lot of work in the EU since the Schrems II case to clarify the commonalities in the EU in regard to their government surveillance practices. This means the courts now have a reference point from which to judge US practices against, which he believes will help the defence of the new privacy framework.

“There have been various significant developments on both sides of the Atlantic that will be before the judges this time that will be pretty important,” noted Jones.

Realistic Prospect of Schrems III Succeeding

Speaking during an International Association of Privacy Professionals (IAPP) event in London, Eduardo Ustaran, Partner at law firm Hogan Lovells said that as things stand, a court would likely rule that US data privacy practices are adequate with GDPR provisions.

However, he noted that with the US Presidential election taking place in 2024, there is a realistic prospect of US law changing, including Biden’s October 2022 Executive Order being revoked.

“What happens if US law changes, if there’s a different administration in the US government that changes the law and increases the power of surveillance? That will alter the equilibrium,” said Ustaran.

This demonstrates how political the issue is, and how quickly the facts can change that may impact any EU court decision, he added.

The impact of a Schrems III case succeeding would be far bigger than the previous cases, according to Jones.

He said that all the indications are that the US has gone as far as it believes it can go to meet EU standards, making another data transfer agreement unlikely.

“It’s hard to see another round of negotiations happening. The stakes are really high,” stated Jones.

Ustaran pointed to a ruling by the Irish Data Protection Commission (DPC) in May 2023 to highlight the enormous scale of the economic impact of the data privacy framework being invalidated.

In this case, social media giant Meta was fined €1.2bn for relying on SCCs to transfer personal data to the US. The DPC found that this was not a valid mechanism to make such transfers.

Therefore, if the new framework is invalidated, it would leave EU organisations with very limited options to facilitate the transfer of personal data to the US.

“If the data privacy framework collapses, say goodbye to data going to the US because we already have data protection authorities telling us SCCs are not sufficient to overcome the powers of the US government’s access to data and surveillance,” explained Ustaran.


How UK Firms Will be Impacted if the Data Privacy Framework is Invalidated

The UK’s data bridge agreement with the US, an extension to the EU-US framework, provides another conundrum should a Schrems III case succeed.

In this scenario, there would not be a mechanism through which to transfer personal data from the EU to the US, but there would from the UK to the US. The prospect of the UK becoming a “backdoor” for EU data being sent to the US would put the UK’s own adequacy arrangement with the EU into serious jeopardy, according to Jones.

“I think it will be very hard for the EU and UK to maintain the current status quo,” he said.

Despite the likely legal challenges to the EU-US data privacy framework, experts are still advising UK and EU organisations to utilise the framework and take advantage of the advantages it will give to businesses operating across these regions.

Ustaran said: “Embrace it, because ultimately it is the way forward. There’s no point worrying about something we cannot control.”

Enjoyed this article? Make sure to share it!

Looking for something else?