Having a deal in place is important for the tech sector, which relies heavily on easy data flows between the two markets.
Detail yet to be ironed out: On 25 March, the European Commission and the US Government announced yet another framework to govern the flow of personal data between the EU and the US. This is the third attempt the two sides have made to put a data privacy framework in place, after the first two did not survive legal challenges brought before the European Court of Justice. For the time being, the two sides have only reached an agreement in principle, with a lot of details yet to be ironed out. It could still be several months before the two jurisdictions agree on the full text of the framework. It is therefore too early to say whether the new deal will finally succeed where Safe Harbour and Privacy Shield previously failed.
What will need to be different this time? The new agreement will have to address the two key shortcomings of Privacy Shield that led the ECJ to strike it down in 2020. These are the lack of limits on US authorities’ powers to access data, and the absence of an effective redress mechanism before courts against them. Under Privacy Shield, this was left to an ombudsperson, who had to be independent from the US Government. Promisingly, the new agreement pledges that surveillance activities will be “necessary and proportionate”, and promises a new redress mechanism for those who believe they are unlawfully targeted by them. The final text will have to reflect these principles to minimise the risk of new challenges. Max Schrems, who successfully led the challenges against the two previous agreements, has already signalled he could take action against the new one if needed. Given the outcome of previous cases, the ECJ could side with him again if the legal tests are not met.
A crucial agreement for the tech sector, including the UK’s: Providing certainty to businesses is another good reason to have a watertight transatlantic data framework in place. Under the GDPR, adequacy decisions are not the only legal basis to ensure the flow of data between the EU and a third country – but they are by far the most convenient, since they allow businesses to transfer data without any additional safeguards. In the absence of an adequacy decision, businesses can use other instruments such as standard contractual clauses or binding corporate rules – but these can be costly and particularly burdensome for SMEs. Even UK businesses have much to gain from an effective EU–US agreement, since the UK framework is still modelled on the GDPR and the tech sector relies heavily on the ability to easily transfer personal data across both markets.