The United States and the European Union reached a preliminary agreement that would allow companies to store data about European citizens on servers housed in the United States. If finalized, the so-called Trans-Atlantic Data Privacy Framework ("TDPF") would resolve a thorny issue that has prevented US-based data centers to freely engage in lucrative and arguably mission-critical activities like selling online advertisements using analytics of data collected from European sources. The deal is widely seen as beneficial to Meta Platforms and Alphabet, the companies that operate Facebook and Google, respectively, and other data-driven tech companies.
The TDPF replaces an earlier agreement that was deemed illegal by the EU's highest court in 2020. Specifically, the EU's Court of Justice previously determined that the safeguards built into the earlier agreement were insufficient to protect Europeans' personal data and that the prior deal lacked an appropriate mechanism for challenging US government surveillance of data collected from Europeans.
Assuming it is implemented, the TDPF will require the creation of an independent Data Protection Review Court with the power to adjudicate claims and impose remedies to redress violations. The new court would be established by executive order rather than enacting new law, thus eliminating the need for congressional action.
While the TDPF's announcement has been applauded by tech companies, many experts predict the new agreement will be challenged in court again. Time will tell whether the TDPF proves to be a long-term solution or merely another stopgap.
Nixon Peabody's Cybersecurity & Privacy Team will continue to monitor developments.