White House releases new EU-U.S. data privacy standards
President Biden has signed an executive order to adopt new U.S. intelligence gathering data privacy standards. The new standards were outlined in March this year, and, if they’re accepted by the European Court of Justice, are expected to free thousands of companies from an executive limbo over data flow between the U.S. and the European Union.
A White House briefing paper said the new data transfer framework will “restore an important legal basis for transatlantic data flows by addressing concerns that the Court of Justice of the European Union raised in striking down the prior EU-U.S. Privacy Shield framework as a valid data transfer mechanism under EU law.”
The flow of data between the U.S. and the EU – and between any two countries in the modern online world – is crucial to allow companies to exist in the web-enabled economic reality of the 21st century. But concerns over the potential for U.S. surveillance of personal EU user data saw the European Court of Justice refuse to be bound by previous attempts to set an agreement in place, despite thousands of companies, large and small, complying with those previous standards.
Not a done deal
It’s as yet by no means certain that the Court will accept this version either – European officials are likely to take around six months to comb through the proposal and grind it through a complex approval process.
But there’s significant hope that this version of the data privacy standards will be a lot more acceptable to the Court than the previous version. In particular, the last iteration of the data privacy standards failed to get agreement from Europe because redress in the case of alleged data privacy breaches had only a single level, and that was referral to an ombudsperson within the U.S. administration.
The new proposed standards contain a two-layered redress process, bypassing the U.S. ombudsperson altogether. The first level of redress in the new proposals would be to an intelligence agency watchdog – to determine, for instance, whether U.S. surveillance of personal EU data took place (and whether there was any reasonable rationale for it). The second level would be much more significant – EU citizens would have redress to a court with independent judges, who could, if they see good cause, overrule and bind even the intelligence agencies.
A secondary bolster
It’s that significant strengthening of the redress process that leads the White House to hope it can break the log jam on EU-U.S. data privacy standards. The hope is underlined by the fact that back in March, even European Commission President Ursula von der Leyen agreed that the provisional plans addressed the Court’s concerns.
In what would normally be the stuff of a Jimmy Stewart movie, even if the proposals get the approval of the Court of Justice and the U.S. government, they also need to withstand scrutiny from one other person. Austrian privacy activist Max Schrems brought a case to the Court of Justice when the previous Privacy Shield was in place, and, without too much ceremony, broke it. He has said that if the new data privacy measures don’t align with EU law, he will launch a brand new challenge, and send the White House back to the drawing board.
The big hitters
The issue with all this is that, as we say, thousands of U.S. companies had previously certified their compliance with the now-defunct Privacy Shield – and that includes huge players in the tech market, such as Meta and Alphabet, leaving the likes of Google, Facebook, and Instagram in U.S.-EU data rule limbo.
In fact, the situation has become so serious that Facebook has warned that it may actually stop offering its products in the EU unless the legal data-sharing issues are resolved.
Meanwhile, European privacy regulators have said they may have to stop using Google’s analytics tools, and even Microsoft has taken to housing its data locally within Europe to get around the headache of an unresolved data-sharing situation.
So it’s definitely not only the Biden administration that needs a win from these new data privacy standards.
A workable solution on data privacy?
Those are just a handful of the major players who need the issue resolved. The likes of LinkedIn, HR companies, and essentially any U.S. firm that wants to securely send or receive data into and out of Europe need final, applicable clarity on the sharing protocols they have to obey to satisfy both sides.
Do these proposals go far enough to square the circle and replace the Privacy Shield with something that in fact works as a privacy shield? The double-layered redress process definitely feels like a step forward, and the initial welcome of the standards by Commission President von der Leyen looks promising. U.S. Commerce Secretary Gina Raimondo said the executive order “is the culmination of our joint effort to restore trust and stability to transatlantic data flows” and “will ensure the privacy of EU personal data.”
But ultimately, only the next six months will tell.
5 December 2022