U.S. President Joe Biden and European Commission President Ursula von der Leyen announced Friday that the U.S. and EU have reached a new trans-Atlantic data flow agreement. Importantly, the agreement is in principle only at this point, and details about the deal are not yet known. 

In a press conference from Brussels, Biden said, "Today we have agreed to unprecedented protections for data privacy and security for our citizens. This new arrangement will enhance the Privacy Shield framework, promote growth and innovation in Europe and in the United States and help companies, both small and large, compete in the digital economy." He added, "This framework underscores our shared commitment to privacy, data protection, and the rule of law. And it’s going to allow the European Commission to once again authorize trans-Atlantic data flows that facilitate $7.3 trillion in economic relationships with the EU." 

Von der Leyen said both sides "found an agreement in principle for a new framework for trans-Atlantic data flows. This will enable predictable and trustworthy data flows between the EU and US, safeguarding privacy and civil liberties. And I really want to thank  Commissioner (Didier) Reynders and Secretary (Gina) Raimondo for their tireless efforts over the past month to finish a balanced and effective solution."

The news comes as Biden visits Europe amid a flurry of activity aimed at strengthening ties with the EU in response to the Russian invasion of Ukraine, including the creation of an energy task force to help the EU avoid using Russian oil. 

Though the announcement has been rumored in recent days and weeks, some of the details underpinning the arrangement were highlighted in this White House release. It's those details that will ultimately determine the longevity of a new framework, which has been successfully challenged in court twice by Max Schrems, honorary chairman of EU-based NGO NOYB. 

The recent history of EU-U.S. data flows is a rocky one to say the least. In 2015, the Court of Justice of the EU invalidated the Safe Harbor framework. After intense negotiations between the Obama administration and the European Commission, both sides created Safe Harbor's replacement: Privacy Shield. However, in the summer of 2020, the CJEU invalidated the trans-Atlantic agreement, creating an uncertainty for thousands of companies that regularly exchange data across the Atlantic. 

Two main obstacles that have been challenging for an agreement in the wake of the July 2020 CJEU decision are building a workable redress mechanism for EU citizens in the U.S. and whether the U.S. can meet the CJEU's standards for necessity and proportionality. 

IAPP Chief Knowledge Officer Caitlin Fennessy, CIPP/US, who was former Privacy Shield director for the U.S. Department of Commerce, said, "While we have yet to see the details, it seems both sides were working toward a lasting solution. If they wanted a temporary fix, they could have wrapped up talks months ago. Time will tell whether they got there." 

Alton & Bird Senior Counsel Peter Swire, CIPP/US, who co-authored an article on a potential workable redress mechanism, said, "I don’t see redress as an issue for compromise, where one side or the other wins. Instead, redress is like a Rubik’s cube — you only get a lasting solution if you meet all the requirements of EU and U.S. law, within all the limits set by each side’s constitutions." 

Of course, if a new agreement is ultimately finalized, all eyes will be on legal challenges in the EU, particularly from NOYB and Schrems.

In a press release, Schrems said, "We already had a purely political deal in 2015 that had no legal basis. From what you hear we could play the same game a third time now." He added, "The final text will need more time, once this arrives we will analyze it in depth, together with our US legal experts. If it is not in line with EU law, we or another group will likely challenge it. In the end, the (CJEU) will decide a third time. We expect this to be back at the Court within months from a final decision.

To add on to potential legal issues, last week, the American Civil Liberties' Union's Patrick Toomey and Ashley Gorski wrote an opinion piece for The Hill arguing that a recent U.S. Supreme Court decision, FBI v. Fazaga, "will make it significantly harder for people to pursue surveillance cases, and for U.S. and European Union negotiators to secure a lasting agreement for transatlantic transfers of private data." 

Though uncertainty remains, and it appears it could be some time before we see final text, many in the privacy profession are expressing optimism.

Hogan Lovells Partner Eduardo Ustaran, CIPP/E, said, "We should acknowledge the will of both parties to find a formula that meets the test created by the (CJEU). We should also have confidence in the work undertaken and certainly not dismiss it before the agreed mechanism to provide limitations to the powers of access to data and effective remedies to individuals is even revealed. This is good news for privacy professionals everywhere, not only because it provides a route to more flexible EU-U.S. data flows, but because it shows that it is possible to find a solution to the requirement to apply European data protection standards wherever that data goes." 

Considering the necessity and proportionality portion of the CJEU standard, Fennessy said, "Overcoming the CJEU’s necessity and proportionality critiques is a big hurdle. Necessity and proportionality were long perceived as EU-centric terms tied to long histories of CJEU and European Court of Human Rights jurisprudence. If the US Government can effectively address necessity and proportionality concerns, that will place the US and EU on the same side of the table in future more multilateral negotiations on privacy and surveillance." 

BBB National Programs Senior Vice President, Privacy Initiatives Dona Fraser issued an emailed statement on Friday's announcement, saying the organization, which operates the BBB EU Privacy Shield independent recourse mechanism, "applauds the work of negotiators." 

Fraser continued: "We are well-positioned and ready to ensure that businesses that have opted to remain self-certified to Privacy Shield ... will experience a smooth transition to an enhanced Privacy Shield. In addition, we welcome those businesses who have chosen to pause their Privacy Shield self-certification back into the BBB National Programs’ BBB EU Privacy Shield program."