Since a negotiated framework to protect EU data was overturned by the EU high court in 2020, companies on both sides of the Pond have struggled with how to transfer data from the EU to the US legally. The headlines on this issue have been focused on Facebook and Google. Indeed, the headlines heated up in early July when the Irish data regulator said it would prohibit transfer of data to the US, causing Facebook and Instagram to say they might have to shut down EU operations in response.
Behind those headlines, however, many US companies face increasing pressure on their data transfer practices. This includes small businesses and any company that has EU employees, or regular interaction with EU suppliers or customers. It also affects companies that, for example, use the Google or Facebook pixel in connection with advertising, analytics, or other services that involve users in the EU.
Why It Matters
The EU prohibits transfer of "personal data" about residents to the US absent a legal mechanism to protect it, because the US is deemed "inadequate" in terms of data protection laws. Many small businesses find themselves negotiating 40-page data transfer agreements, on top of their services agreements, to try to comply with these rules. Even with those data agreements in place, most are advised that the arrangements are not foolproof. The US and EU have agreed a new transfer mechanism "in principle," but have not yet hammered out the legal documents needed to implement it. Meantime, real world worries such as the flow of goods, services, and money are subject to complicated (and costly) data transfer negotiations and continued uncertainty as to how EU courts will view them.