Last week brought about an interesting development as the European Commission announced a newly forged agreement between the EU and the US regarding how American enterprises can manage data from EU users. Titled the ‘Data Privacy Framework,’ this agreement is designed to supersede the previous arrangement known as the ‘Privacy Shield.’
The Privacy Shield framework was established in 2016, but in 2020, the EU deemed the Privacy Shield ineffective in adequately safeguarding the data of EU citizens against scrutiny from US intelligence services. Since dismantling the Privacy Shield three years prior, American firms have been subject to a deluge of fines amounting to billions from EU members concerning the handling of user data. Meta, for instance, was penalized with a record-breaking $1.3 billion fine by Irish regulators in May. With the implementation of the Data Privacy Framework, the likelihood of such penalties is significantly reduced, paving the way for US tech enterprises to function more smoothly within the EU.
The absence of a solid data privacy agreement between the US and EU had profound consequences for both Google and Meta, who saw a noticeable reduction in their share of the EU digital advertising market. For instance, Google and Meta’s market share in France decreased from 72.5% in 2021 to 69% this year. Similar trends have been observed in Germany and the UK. This led to Meta contemplating a complete withdrawal from the EU.
This new framework will allow US companies to receive EU personal data without the necessity for additional transfer safeguards. US companies will be required to self-certify and align with the EU-US Data Privacy Framework through a commitment to a series of privacy obligations to access this data. The European Commission believes that the framework addresses all concerns previously raised by the Court of Justice of the European Union (CJEU), even those pertaining to the access of EU data by U.S. intelligence services.
For the ad duopoly, and international digital advertising services in general, operating between the US and EU has become significantly less challenging. It’s not just giants like Meta and Google that have been contending with resistance – firms such as Mailchimp have also been subjected to stringent rulings and penalties for conducting international business. The new agreement could be a notable stride towards a more harmonized digital landscape.
While this move helps US businesses, it still has a significant focus on ensuring European citizens’ data is managed correctly. European citizens are offered enhanced mechanisms for compensation if their personal data is managed in a way that infringes the framework’s guidelines, with the newly established Data Protection Review Court playing a pivotal role in this process.
While the new agreement may somewhat alleviate these strained relations, there are still some potential hurdles. Activists, who initially instigated the review of the Privacy Shield, have declared their intentions to contest the Data Privacy Framework. This could place the deal under scrutiny from the same EU court that invalidated the preceding agreement. However, this framework will continually undergo regular reviews by the European Commission and representatives of both the European data protection authorities and competent U.S. authorities. This will allow for continual adjustment, which will hopefully address any potential challenges.