6 Months of "agreement in principle", EU-US agreement in fact still missing

Sep 25, 2022

Half a year of political announcements, but no agreement on EU-US data transfers.

On 25 March 2022, in the wake of the war on Ukraine, US-President Joe Biden and European Commission President Ursula von der Leyen announced an "agreement in principle" on EU-US data transfers, despite two Court of Justice (CJEU) rulings striking down the previous "Safe Harbor" and "Privacy Shield" agreements.

Political agreement hits legal reality. Despite various promises in the original announcement, colorful European fact sheets (PDF) and promises in US black and white fact sheets (link), no further tangible result was published in the past six months. Instead, rumors are being spread that the US will in fact not provide the hailed "Data Protection Review Court", but at best some form of executive tribunal, similar to previous Privacy Shield Ombudsperson, already rejected by the CJEU. Equally, the US is said to go back on their promise that US mass surveillance will be limited to what is "necessary and proportionate". Instead, the US will introduce even weaker language, that will allow to continue mass surveillance practices as previously rejected by the CJEU.

Max Schrems, plaintiff in the "Schrems I" and "Schrems II" litigation and chair of noyb.eu: "Originally, we were promised a perfect solution by the end of the year. Now we may see the first steps by the end of the year. What I hear is also that these first steps are not solutions, but steps towards a third flawed deal. It is astonishing that two democracies that agree on principles like judicial approval of surveillance cannot come to a proper agreement. It seems, the US still supports the idea that non-US persons shouldn't have fundamental rights."

EU and US businesses continue to break the law. While politics are not solving the issues at hand, EU and US businesses struggle with the situation. While some gradually switch to providers that do not fall under US surveillance laws, many keep breaking the GDPR, hoping that a new deal will remedy the situation. noyb's 101 model complaints on EU-US data transfers have lead to some results in the meantime, as the AustrianDanish, French, Italian or European data protection authorities have issued decisions that Google Analytics may not be used in the EU anymore.

Max Schrems: "It is now two years since the second CJEU judgment. While some data protection authorities have taken individual actions based on complaints, we still lack general compliance with the law and proper enforcement. The announced new deal is one of the factors that currently cool enforcement actions."

New deal will likely be back at CJEU. If the new EU-US data transfer framework does not provide for proper protection of users' privacy, the new deal will likely be referred to the CJEU another time and see another clear ruling. It would be unfortunate if current legal uncertainty, created by the European Commission and the United States government, would continue under a new data transfer deal.