New Transatlantic Data Deal Can Reopen EU Opportunities for Startups

By Sean Davis, Policy Manager, Engine Advocacy & Foundation

Recent news of the new transatlantic data transfer framework is a welcome step for U.S. startups with users across the Atlantic who have waited nearly two years for clarity around how to legally transfer data about European users for storage and processing in the U.S.

Late last month during his trip to Europe, President Biden, together with European Commission President Ursula von der Leyen, announced that the U.S. and Europe had reached an agreement in principle to restore the transfer of data between the U.S. and EU. The new data privacy framework will supplement the Privacy Shield Agreement that was invalidated as a legal data transfer mechanism in July 2020 and restore the flow of data that underpins the $7.1 trillion economic relationships between the two continents. With a clear agreement for companies to follow, startups will finally be able to transfer data across the Atlantic and serve EU users without fear of litigation.

Widely seen as prompted by the Russia-Ukraine conflict, the announced framework is a political deal whose details still remain to be fully fleshed out. As a result, the data protection authorities of EU member states are already warning companies that the announcement isn’t itself a replacement agreement, and privacy activists have threatened to challenge the eventual framework. Startups with limited resources on both sides of the Atlantic need a deal that they can rely on to serve users in both the U.S. and EU that will withstand legal scrutiny, and they need it as soon as possible.

Privacy Shield, the previous data transfer pact between the EU and the U.S., had enabled U.S. companies to process and store European users’ data in America, and it was overwhelmingly relied on by startups. Europe’s top court invalidated Privacy Shield — which itself was a replacement to an earlier invalidated data transfer pact called Safe Harbor — in a decision known as Schrems II, stating the United States’ existing data privacy protections are too weak for EU-based users and could potentially allow their data to be intercepted or swept up by U.S. government intelligence agencies. Europe’s concern around U.S. data transfers and surveillance arose after Edward Snowden exposed U.S. surveillance programs that collected users’ data.

The decision has created uncertainty for American and European companies relying on the flow of data between Europe and the United States to effectively operate, and the impact has fallen heavily on startups. In particular, U.S. startups operating in the EU have lost customers and faced increased costs as a result of the decision. Larger companies have generally been able to use other mechanisms — like standard contractual clauses (SCCs), to transfer data between continents — but these mechanisms can be out of reach for startups. Shifting to SCCs can carry a five-figure bill for a startup, in addition to distracting founders’ focus and engineering hours from other core startup activities. And SCCs carry additional uncertainty as they can still be found to be unlawful transfer mechanisms. These costs create barriers for startups to operating in the EU and highlight why an agreement to restore the flow of data is tantamount.

The new agreement seeks to address EU concerns that have doomed previous agreements, especially around U.S. government surveillance and the (in)ability of EU residents to challenge the use of their data. Rather than replacing Privacy Shield with a completely new program, according to the White House, the new transatlantic data flow deal will supplement the Privacy Shield Program by: (1) mandating that intelligence collection only takes place when necessary to advance national security (2) allowing EU residents an opportunity for redress through an “independent Data Protection Review Court,” and (3) adopting procedures for U.S. intelligence agencies to uphold new privacy standards. Because the agreement supplements the Privacy Shield Program with fixes to EU concerns, it will be easier for startups that have continued to certify their adherence to the Privacy Shield Principles with the Commerce Department to quickly resume data flows once the deal is final and becomes a legal mechanism. The U.S. will direct the new intelligence collection practices and set up the redress mechanisms through an executive order and regulatory actions.

The agreement needs to be completed and stands to deliver a clear standard for data transfers long needed by startups on both sides of the Atlantic. U.S. and EU officials are presently hammering out the details of turning the agreement in principle into adoptable text — a multi-step process likely to take months until the agreement can be relied upon as a legal transfer mechanism. Once finalized, the Executive Order and regulatory text will become the basis for an EU adequacy decision — a finding that the deal contains an adequate level of data protection for EU citizens. The adequacy process that seeks input from across the EU government, and past decisions has taken around four to five months.

Startups need an agreement they can rely on, and policymakers on both sides of the Atlantic should work expediently to finalize and implement the framework. U.S. policymakers should also consider the impact that domestic policy — including around privacy protections and government surveillance programs — can have on U.S. startups to compete globally.

Engine is a non-profit technology policy, research, and advocacy organization that bridges the gap between policymakers and startups. Engine works with government and a community of thousands of high-technology, growth-oriented startups across the nation to support the development of technology entrepreneurship through economic research, policy analysis, and advocacy on local and national issues.