After the famous Schrems II judgment, a new Transatlantic Agreement on the flow of personal data between the US and the EU is now in the works. We are optimistic about the potential that this agreement can bring to innovation and startup ecosystems, in terms of legal certainty and predictability. 

What is the status quo? 

The invalidation of the Privacy Shield by the European Court of Justice in 2020 created an atmosphere of uncertainty for actors that were using it to transfer personal data to the other side of the Atlantic. Indeed from its outset, the number of firms relying on the Privacy Shield skyrocketed, surpassing 5,000 businesses in 2019. These ranged from companies offering almost any kind of product and service.

Startups suffered the heaviest blow as their options were limited to further increasing compliance costs, changing data storage locations, or refraining from any kind of data transfer. Studies show that the Privacy Shield has been the key transfer mechanism mostly for small enterprises. This is not hard to imagine as a small business can’t afford to run on a case-by-case basis, considering the complex assessments required by alternative transfer mechanisms, such as Standard Contractual Clauses. This would entail a comprehensive evaluation of whether a third country’s laws and regulations ensure an equivalent level of protection to that of the EU, and further, determine what kind of technical additional measures should be implemented. And even after conducting this assessment, the transfer could still be considered illegitimate,

What’s in the new agreement?

On the 25th of March, US President Biden and EC President Von Der Leyen announced that “an agreement in principle on a new framework for transatlantic data flows” was found. Although specifics aren’t yet available, we hear that this new Transatlantic Data Privacy Framework will consist of two main pillars. First, a renewed system of procedures to ensure that intelligence agencies will respect proportionality and necessity principles in carrying out their surveillance activities, and second, the establishment of an ad-hoc Data Protection Review Court. Indeed, one of the main reasons behind the invalidation of Privacy Shield was, according to the ECJ, that EU citizens were not able to effectively challenge unlawful access to their own personal data by US intelligence authorities. The former existing redress mechanism under US law, the so-called Ombudsman, was deemed unable to ensure an essentially equivalent level of protection as required by the EU Charter of Fundamental Rights citing a lack of independence. On the contrary, the press release fact sheet on the new agreement refers precisely to a new multi-layered redress system specifically designed to cope with EU individuals’ privacy concerns, that will enjoy such a high degree of independence from the US Government and full authority to direct any necessary remedial measures.

 Why is it important that it’s legally robust?

Before the Privacy Shield invalidation, 41% of firms participating in it had a yearly revenue lower than 5 million dollars. These firms have been in a legal limbo twice, first in 2015 with the Safe Harbour and again in 2020 with the Privacy Shield. For any startup, adapting to sudden changes in the regulatory landscape requires time and resources they often don’t have and can pose a significant survival challenge.  This is why we encourage policymakers to build a future-proof, easily accessible, and robust new framework, so entrepreneurs across the Atlantic can focus on what they do best – innovate.