Skip to content

Illustration by Security Management; iStock

Europe and United States Announce ‘Agreement in Principle’ to Replace Privacy Shield

After years of negotiations, the European Union and the United States announced Friday they have made an “agreement in principle” on a new framework for transatlantic data flows.

European Commission President Ursula von der Leyen shared the news in a press conference with U.S. President Joe Biden in Brussels early Friday morning. She added that the agreement “will enable predictable, trustworthy data flows between the EU and the US, safeguarding privacy and civil liberties.”

Details of the framework are not available yet, but Biden said the new agreement builds upon the Privacy Shield Framework and will help companies of all sizes compete in the digital economy. 

“This framework underscores our shared commitment to privacy, to data protection, and to the rule of law,” Biden said. “And it’s going to allow the European Commission to once again authorize transatlantic data flows that help facilitate $7.1 trillion in economic relationships with the EU.”

Caitlin Fennessy, vice president and chief knowledge officer at the International Association of Privacy Professionals (IAPP), shared her thoughts with Security Management on the announcement of the deal—calling it a chance for privacy professionals around the world to “finally exhale.”

Prior to her role at IAPP, Fennessy worked for the International Trade Commission and helped craft the Privacy Shield agreement. “While we have yet to see the details, it seems both sides were working toward a lasting solution,” she explains. “If they wanted a temporary fix, they could have wrapped up talks months ago. Time will tell whether they got there.”

If enacted, this new agreement would be the third data transfer agreement to go into effect between the European Union and the United States. The previous agreements (Safe Harbor and Privacy Shield) were struck down by the European Court of Justice (CJEU) following cases brought by Austrian Maximilian Schrems, who said Facebook’s transfer of his personal data from its Irish data center to the United States violated his privacy rights under the EU General Data Protection Regulation. The CJEU ruled in Schrems’ favor both times because it found that Safe Harbor and Privacy Shield did not provide adequate protections for EU citizens’ and residents’ data. Instead, the U.S. intelligence community was able to gain access to EU citizens’ and residents’ data beyond what was “strictly necessary.”

“In the view of the court, the limitations on the protection of personal data arising from the domestic law of the United States on the access and use by U.S. public authorities…are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law, by the principle of proportionality, in so far as the surveillance programmes based on those provisions are not limited to what is strictly necessary,” the court wrote in a press release on its 2020 decision on Privacy Shield. “The court adds that, although those provisions lay down requirements with which the U.S. authorities must comply when implementing the surveillance programmes in question, the provisions do not grant data subjects actionable rights before the courts against the U.S. authorities.”

On Twitter, Schrems commented on Friday’s announcement, saying it placed politics above the law and fundamental rights. 

“This failed twice before,” Schrems wrote. “What we hear is another ‘patchwork’ approach but no substantial reform on the US side. Let’s wait for a text, but my first bet is it will fail again.”

In a statement, Schrems added that he expects he—or another group—will challenge the final agreement and the case will end up before the CJEU a third time. 

Along those lines, Fennessy says that when details of the new data sharing agreement do emerge, she will be looking closely at how it addresses the European Court of Justice’s decision on Privacy Shield—known as the Schrems II decision.

“The CJEU’s Schrems II decision raised two core concerns that EU and U.S. negotiators have been working to address for well over a year,” Fennessy adds. “These are the necessity and proportionality of U.S. surveillance practices and the powers and independence of the U.S. redress mechanism to address EU individuals’ complaints. A durable transatlantic data transfer framework must meet the CJEU’s standards on both fronts. Once established, the new framework and the redress mechanism will certainly be tested by individuals and scrutinized by regulators, courts, and the public at large, almost immediately.”

In the meantime, Fennessy says privacy and security practitioners should watch the next steps and timeline that the EU and U.S. authorities roll out for the agreement.

“We should see more details on the agreement itself and the timeline for the European Commission to make an adequacy determination, a process which requires a vote by EU member states. Once an adequacy determination is in place, commercial data will be able to flow much more efficiently, underpinned by the new agreed protections concerning government access to data, which we expect will apply regardless of the transfer mechanism used,” she explained. “An adequacy determination should eliminate the need for additional safeguards on top of standard contractual clauses or Privacy Shield participation, allowing companies to focus on commercial privacy safeguards rather than on preventing government access to data. Since the negotiations were focused squarely on enhancing protections in the national security sphere, it is unlikely that data protection requirements will change significantly for Privacy Shield participants, if they change at all.”


U.S. President Biden is in Europe to work with leaders on negotiating a major energy initiative to reduce the continent’s dependence on Russian energy resources. In the press briefing where he discussed the data sharing agreement, Biden said that the European Union and the United States have agreed on a “game plan” towards the Russian energy reduction goal and a more sustainable energy future. 

“The United States and the European Union are going to work together to take concrete measures to reduce the dependence on natural gas—period—and to maximize the availability and use of renewable energy,” Biden said. “We’re going to accelerate widespread adoption of energy-efficient technologies and equipment, like smart thermostats…and work to electrify heating systems all across Europe.”

Later on Friday, Biden will also meet U.S. troops that are stationed on NATO’s eastern flank in Poland and receive briefings on the refugees who have fled Ukraine since Russian’s invasion.

“The visit to Rzeszow, a city 60 miles from the Ukrainian border, follows a whirlwind series of meetings Biden held in Brussels around an emergency NATO summit,” The Washington Post reports. “While in Brussels, Biden announced plans for the United States to accept 100,000 Ukrainian refugees, urged Russia’s expulsion from the G-20 and vowed to respond ‘in kind’ if Moscow uses chemical weapons against Ukraine. Western allies also pledged collectively to impose new sanctions on Russia, and increase humanitarian contributions to Ukraine.” 

Ukrainian President Volodymyr Zelensky shared a video address on Thursday night, calling on Ukrainians to continue the resistance against Russian forces. He also spoke at an emergency NATO summit in Brussels, asking for Western allies to provide planes, tanks, rockets, air defense systems, and other weapons to help in the effort of “defending our common values,” the Associated Press reports. 

Other Stories We’re Watching…

As always, it’s been a major week for security-related news. Here are some of the stories that we’ve been following during the week and headed into the weekend:

  1.  The United Nations Human Rights Monitoring Mission in Ukraine said more than 1,000 civilians have been killed and at least 1,650 have been injured since Russia invaded Ukraine. “The extent of civilian casualties and the destruction of civilian objects strongly suggests that the principles of distinction, of proportionality, the rule on feasible precautions and the prohibition of indiscriminate attacks have been violated,” said Matilda Bogner, head of the UN Human Rights Monitoring Mission in Ukraine, in a statement. “To give you two examples: on 3 March, 47 civilians were killed when two schools and several apartment blocks in Chernihiv were destroyed, and all indications are that these were the result of Russian airstrikes.” 

    2. The European Union adopted the Digital Markets Act, which creates new rules to reign in major technology companies by restricting combining personal data from different sources, mandating allowing users to install apps from third-party platforms, prohibiting bundling of services, and eliminating self-preference practices. “The Digital Markets Act puts an end to the ever-increasing dominance of Big Tech companies,” said MEP Andreas Schwab. “From now on, Big Tech companies must show that they also allow for fair competition on the Internet.” 

    3. The U.S. Department of Justice charged four Russian government employees for their alleged roles in hacking campaigns that targeted the global energy sector, compromising organizations in 135 countries. The campaigns are said to have led to emergency shutdowns at a foreign targeted facility. For more context into what happened, check out this story from E&E News.

    4. New Orleans residents are working to rebuild once again, this time after a tornado ripped through the city, killing one person and damaging or destroying dozens of homes in an area that was also impacted by Hurricane Katrina. 

    5. U.S. intelligence analysts claim that Russia’s military is behind a cyberattack against a satellite broadband service that disrupted Ukraine’s military communications. The Washington Post spoke to sources familiar with the matter, but the U.S. government has not made the attribution publicly. 

    6. French anti-terror prosecutors opened an inquiry into Ahmed Nasser Al-Raisi, the president of Interpol. “The probe follows a legal complaint by an NGO which accused Raisi of being responsible for the torture of an opposition figure in his role as high-ranking official at the United Arab Emirates interior ministry,” according to RFI. 

    7. Former party producer Thomas Spieker was charged in a $2.7 million Bitcoin-laundering scheme, with prosecutors claiming he exchanged cash for cryptocurrency. He has pled not guilty to the charges. 

    8. Spanish truck drivers are in the middle of a 12-day walkout over fuel prices and good shortages. Spain’s transport minister agreed to meet with the drivers on Friday, who are blocking Madrid’s La Castellana avenue as well as roads in Barcelona.

    9. The FBI released its 2021 Internet Crime Report this week, with numbers showing that reported complaints of suspected Internet crime rose 7 percent in 2021 from 2020 with losses exceeding $6.9 billion. The top three reported cyber crimes by victims in 2021 were phishing scams, non-payment/non-delivery scams, and personal data breaches. Victims lost the money to business email compromise scams, investment fraud, and romance and confidence scams. 

    10. A debt crisis in Sri Lanka is disrupting daily life and leading protests against its president. “The central bank is printing rupees and hoarding dollars, sending inflation to a record high of 17.5 percent in February,” the New York Times reports. “The finance minister is begging neighbors for credit lines to buy diesel fuel and milk powder. In a barter arrangement, the central bank is paying for Iranian oil with tea leaves. For months, the government of President Gotabaya Rajapaksa has rationed power. Sections of the capital, Colombo, go dark suddenly, city streets becoming as inky black as the Indian Ocean beside them.”