Data Transfers between EU and EEUU
The United States and the European Union have recently announced that they have reached a new agreement, the Trans-Atlantic Data Framework, which aims to provide an adequate level of protection for the personal data of European citizens in the context of international data transfers.
However, this is not the first attempt to regulate international data transfers, and there is a complex (and rather turbulent) history behind international data transfers between the European Union and the United States, which has definitely had a big impact on the new agreement.
A troubled path to a new Framework
It ‘s official. The European Commission and the United States have announced that they have finally reached an Agreement to establish a Privacy and Data Protection Framework, which is called the Trans-Atlantic Data Privacy Framework.
Economic development, the emergence of new forms of communication, business relationships, all of this begins and ends in one place: personal data. The fact that companies need to transfer data between different countries to carry out their activities is an increasingly forceful reality, and countries need a global legal framework that allows them to do so safely.
Examples such as Meta and their difficulties to comply with European privacy regulations show us that we are not dealing with a simple or inconsequential issue.
In February 2022, Markus Renish, Vice President of Public Policies in Europe at Meta, clarified that at “no time” did they consider leaving Europe nor did they “threaten” to leave. The reality for Meta and for many other companies (from their point of view) is that they rely on international data transfers between Europe and the United States to be able to operate globally, and not only them, but also companies around the world.
The need to establish a clear and secure framework for transferring data between the two territories became increasingly necessary, and all of this shows that international data transfers are key in our time, in our daily lives, in the services that we use everyday.
However, the story to get here has not been simple, quite the opposite. Invalidations, long negotiations, constant conflicts between the laws of both countries. In a few words: a very turbulent story.
But why is it so complex to transfer data outside the European Union? How did we get here? What past have we had to overcome to reach the new agreement? We are going to take a rather hectic journey through time to answer all these questions, in what has seemed like an endless story between the two of them.
History between EU and EEU: the path to the new Framework and next steps
Before the cause of many of the negotiations came into force, the General Data Protection Regulation (GDPR), the first antecedent that we have to mention is the “Safe Harbor” Agreement of 2000, which allowed US companies to carry out international data transfers in a simple and (apparently) legitimate way.
In Europe, Directive 95/46/EC had established that personal data could only be transferred to those countries outside the European Union that offer an adequate level of protection.
In this context, everything flowed harmoniously and the data traveled “safely” to US companies, in an ideal and protected framework without any type of risk, which respected the rights of European citizens at all times.
But was it really so? The answer is no. It all turned out to be a false appearance of security.
The “Snowden Case” would later reveal that the principles and guarantees of protection of the personal data of European citizens were not being guaranteed in these transfers, and would also reveal the first suspicions of “massive surveillance”
Max Schrems would later win a decisive trial in the history of transfers against the American giant: Facebook.
Schrems launched a legal battle against a giant like Facebook, which would lead to one of the most important privacy decisions in recent years. Schrems said (given the revelations made by Snowden), that there were suspicions of massive surveillance of the American information services, and that the idealized “adequate level of protection” is not guaranteed.
In 2015, the Court of Justice of the European Union would dictate a crucial sentence than would be known as “Schrems I“, given the important breaches in the security of personal data that were taking place on the part of the United States.
All this would have as a bitter end the declaration of invalidity of the “Safe Harbor” agreement by the CJEU.
But our turbulent history does not end here.
The ruling of the CJEU would lead to new negotiations to solve this stumbling block in international data transfers, which would lead us to a new agreement, the “Privacy Shield“. that it came to ensure the protection of European citizens, to comply with the requirements imposed by Schrems I, and that it limited any type of interference by US public authorities in the fundamental rights of individuals to what was strictly necessary to achieve the legitimate objectives in question.
We did not have to wait long (four years) for the Court of Justice of the European Union to invalidate the Privacy Shield, in another crucial sentence known as “Schrems II”.
Schrems would reveal the invalidity of the Privacy Shield, where its direct clash with the General Data Protection Regulation could be seen. For its part, Facebook would try to argue that other instruments were valid for international data transfers (concepts such as Standard Contractual Clauses or Binding Corporate Rules).
But the CJEU did not give in to the arguments put forward by Facebook, and was in favor of Schrems once again, thus annulling the Privacy Shield.
All this eventful history leads to the Trans-Atlantic Data Privacy Framework, a new milestone in this battle to achieve an effective framework for the protection of personal data, and a new opportunity to finally achieve a space where they can be carried out legitimately, safely and respectful international data transfers between these two territories.
We still have to see and verify how this agreement materializes, and if it is finally positioned as a lasting and stable relationship that allows secure transfers of personal data.