Happy Monday. In what appears to be a big win for American companies with European customers, the EU just approved a new agreement with the U.S. that will allow Big Tech and many smaller firms to continue to export Europeans’ personal data to American shores.
This is a last-minute reprieve for Meta, which was facing the serious possibility of having to pull Facebook and Instagram out of the EU in October because all its possible legal arguments for exporting data to the U.S. had been shot down by the EU’s Court of Justice (CJEU) and privacy regulators. Now Meta and its peers have a legal basis to keep going in Europe without having to silo off their operations there.
For now, that is. Tech industry lobbying groups like the CCIA may be hailing the Trans-Atlantic Data Privacy Framework as “durable,” but Max Schrems, the man whose fight against Facebook led the CJEU to nuke two previous EU–U.S. data-sharing agreements, says the new deal is certain to share their fate.
This long-running saga boils down to the vast powers of U.S. intelligence agencies to spy on the data of non-Americans that is held in American data centers, and the fact that data privacy is a fundamental right in Europe. The two previous agreements—named Safe Harbor and Privacy Shield—were shot down because they didn’t stop U.S. spies from snooping around Europeans’ data, and because Europeans had no meaningful, independent channel of complaint in the U.S. if they think their data is being misused.
Schrems, an activist lawyer who so far has an excellent record of predicting how his CJEU cases will turn out, says the new framework still falls short of adequately protecting Europeans’ data because the concessions made by the Americans don’t go far enough. He says there’s no common understanding between the two sides of what it means for the Americans to promise to keep their bulk surveillance “proportionate,” and the new U.S. body for listening to Europeans’ complaints has been set up to be a brick wall. Schrems is confident the CJEU won’t be impressed by either measure and, despite the Commission’s political imperative to keep playing nicely with the U.S., the EU legal system will doom the deal.
“We have various options for a challenge already in the drawer, although we are sick and tired of this legal Ping-Pong,” Schrems said in a statement. “We currently expect this to be back at the Court of Justice by the beginning of next year. The Court of Justice could then even suspend the new deal while it is reviewing the substance of it.”
Didier Reynders, the EU’s justice commissioner, said in a press conference today that people should “test the system before going too far in the criticism of the new system.” He also took a swipe at Schrems and his crowdfunded privacy organization, NOYB (“None of Your Business”), saying “access to the Court of Justice is part of the business model of some civil society organizations.”
But if Schrems is right, could this doomed-deal-to-replace-a-doomed-deal game just go on forever? “Yes, this could [go] on for another 100 circles,” Schrems said, unless the Commission has a change of attitude. “The last time they said there will be no deal unless there [are] major changes—now we have another, ‘Oh you slapped a new name on it and rephrased some stuff, all cool.’”
Either way, Big Tech’s European policy people get to exhale for a while—at least when it comes to being able to export Europeans’ personal data. There’s still that whole business of the CJEU blowing up the legal bases for targeted advertising in the bloc, but we can’t make things too easy now, can we?
More news below. And by the way, nominations for Fortune’s Change the World list are now open here, and for our Most Powerful Women list here.
Want to send thoughts or suggestions to Data Sheet? Drop a line here.
David Meyer