Bloomberg Law
Oct. 11, 2022, 9:05 AM

Legal Questions Loom Over Latest Trans-Atlantic Data Flows Deal

Andrea Vittorio
Andrea Vittorio

US government commitments toward a new data privacy pact with Europe are expected to face tough legal scrutiny that could call free information flows into question again.

The measures, announced Oct. 7, are meant to respond to a European Union court’s concerns that personal data leaving the bloc’s borders is subject to sweeping US government surveillance. These concerns toppled an earlier EU-US agreement known as the Privacy Shield.

Policy actions toward its replacement, the Trans-Atlantic Data Privacy Framework, change the US legal framework “in ways that the government hopes will address the concerns raised,” said Alex Joel, a former US intelligence officer who’s currently a law professor at American University.

President Joe Biden issued an executive order Oct. 7 outlining safeguards for US intelligence gathering. The Justice Department also is setting up a new court to hear claims from people who believe they’ve been illegally surveilled.

Questions remain about whether these steps go far enough to limit the scope of allowable surveillance and provide meaningful oversight for improper activities, said Greg Nojeim, senior counsel at the nonprofit Center for Democracy and Technology.

“It might not meet the test that the European court established,” Nojeim said.

European authorities still must endorse the policy actions, a process that’s expected to take about six months.

The deal also faces scrutiny from Max Schrems, the Austrian privacy activist whose case in the EU Court of Justice invalidated the Privacy Shield. Schrems is analyzing the announcement and plans to bring another court challenge if the details don’t line up with EU privacy law, his privacy advocacy group said in a statement.

Legal Limbo

More than 5,000 businesses certified their compliance with the Privacy Shield. Questions surrounding the EU-US data transfer regime have left companies such as Meta Platforms Inc.‘s Facebook and Alphabet Inc.‘s Google in legal limbo.

Facebook has warned that it may need to stop offering its products in the EU if legal issues aren’t resolved, while European privacy regulators have cast doubt on the continued use of Google’s web analytics tools. Microsoft Corp. turned to keeping data locally in Europe to facilitate compliance with the bloc’s privacy rules.

But it’s not just tech companies that are impacted. The ability to send information about European citizens overseas or to access it remotely from another location is important for human resources reasons, too. HR management software provider Workday Inc. issued a statement welcoming the US policy offerings toward a new data transfer framework with the EU.

“The seamless transfer of data between the EU and the US is vital to the global economy,” said Barbara Cosgrove, chief privacy officer at Workday.

Without a reliable legal framework, companies that transfer data across the Atlantic have faced confusion, higher compliance costs, and challenges for EU-US business relationships, according to Caitlin Fennessy, former Privacy Shield director for the US.

“For more than two years, data flows from the EU to the US have been legally questionable,” said Fennessy, who’s now vice president and chief knowledge officer at the International Association of Privacy Professionals.

Companies have waited “with bated breath” for the data privacy framework to be reinstated, said Lisa Sotto, a partner at Hunton Andrews Kurth LLP. Alternative transfer mechanisms, including the use of contractual clauses between businesses, have become so complex that they’re difficult to implement, Sotto said.

Policy Solution

Part of the reason why it’s taken time to replace the defunct Privacy Shield is because EU and US negotiators were “laser focused” on finding a solution that would address the earlier agreement’s failings, said John Miller, senior vice president of policy and general counsel at the Information Technology Industry Council. The council represents companies including Meta, Google, and Microsoft.

Without the Privacy Shield to rely on, companies subject to European data protection regulations must assess the prospect of government surveillance in countries where their information is headed. Now they’ll be able to point to added features of the US regime, including a new Data Protection Review Court to field European complaints about surveillance activities.

The authority, housed in the Justice Department, replaces a State Department role tasked with handling spying complaints. The European Court of Justice faulted its former placement for not being politically independent or possessing the power to influence intelligence-gathering activities.

To tackle these issues, legal scholars suggested a court within the Justice Department because its work could be insulated from interference and its decisions would be legally binding. It also avoids barriers to granting Europeans standing to sue in standard US courts.

“These issues are very tricky,” said Peter Swire, a law professor at Georgia Tech and senior counsel with Alston & Bird LLP. “It’s not a compromise,” Swire said of the new arrangement. “It’s a Rubik’s Cube.”

To contact the reporter on this story: Andrea Vittorio in Washington at

To contact the editors responsible for this story: Tonia Moore at; Jay-Anne B. Casuga at