The European Union and United States made a breakthrough in their yearslong battle over the privacy of data that flows across the Atlantic with a preliminary agreement Friday that paves the way for Europeans’ personal information to be stored in the U.S.
President Joe Biden and European Commission President Ursula von der Leyen announced the deal during Biden’s stop in Brussels while on a European tour amid Russia’s war in Ukraine.
Business groups hailed the announcement, saying it will provide relief to thousands of companies, including tech giants like Google and Facebook, that faced uncertainty over their ability to send data between the U.S. and Europe, which has much stricter regulations on data privacy.
The agreement came hours after EU officials agreed on sweeping new digital rules to rein in the power of big tech companies such as Facebook and Google.
“Today we’ve agreed to unprecedented protections for data privacy and security for our citizens,” Biden said. “This new arrangement will enhance the Privacy Shield framework, promote growth and innovation in Europe and the United States, and help companies — both small and large — compete in the digital economy.”
Von der Leyen said the agreement “will enable predictable and trustworthy data flows between the EU and the U.S., safeguarding privacy and civil liberties.”
The data includes “any information that we voluntarily provide or generate when using services and products online,” said Alexandre Roure, an official with the tech trade group CCIA. That includes names, ID numbers and geolocation data, online identifiers like IP addresses and emails, and other information that tech companies use to target ads.
The deal stems from a complaint filed a decade ago by Austrian lawyer and privacy activist Max Schrems, who was concerned about how Facebook handled his data in light of revelations about U.S. government cybersnooping from former U.S. National Security Agency contractor Edward Snowden.
Along the way, a ruling by the EU’s top court struck down the Privacy Shield agreement covering transatlantic data transfers because it fell afoul of stringent data privacy standards in the 27-nation bloc. Companies were forced to rely on stock legal contracts to continue the transfers, while some scrambled to localize their data or suspend transfers.
In a joint statement, the U.S. and EU said the agreement addresses concerns raised by the court, with the U.S. bringing in reforms to beef up privacy and civil liberties protections “applicable to signals intelligence activities,” referring to the collection of emails, text messages and other electronic communications by intelligence agencies.
The U.S. will put in place “new safeguards to ensure signals surveillance activities are necessary and proportionate in the pursuit of defined national security objectives,” the statement said.
The dispute had raised the prospect that Facebook would have to revamp its data centers to ensure European data is kept out of the U.S.
The new agreement “will help keep people connected and services running,” Facebook head of global affairs Nick Clegg tweeted. “It will provide invaluable certainty for American & European companies of all sizes, including Meta, who rely on transferring data quickly and safely.”
Google said it commended the work by the EU and U.S. to “safeguard transatlantic data transfers.”
Schrems said the latest deal could get tied up in the courts because his Vienna-based group NOYB would analyze it in depth and challenge anything that’s not in line with EU law.
“Customers and businesses face more years of legal uncertainty,” Schrems said.