Europe and the U.S. finally agree a landmark data-sharing pact
After the two superpowers agreed this week to a landmark data-sharing agreement, European businesses can continue to transfer data to the U.S. as usual.
It is a major development with implications for United States tech giants, which rely on the agreement to transfer data on European users back to the U.S. The framework replaces an agreement that was invalidated in 2020.
Without it, these companies faced the risk of costly initiatives to process and store user data locally, or of withdrawing their business from the bloc completely. Meta and other U.S. companies that share massive amounts of user data around the world will benefit from the new rules.
Privacy activists, however, are already challenging the rules, claiming that the level of protection offered to European citizens is inadequate. Compared to the earlier Privacy Shield framework, it isn’t that different.
Here’s everything you need to know about the EU-U.S. data protection framework, why it matters, and how likely it is to succeed.
What’s the new EU-U.S. Data Privacy Framework?
The EU-U.S. Data Privacy Framework aims to ensure that data can flow freely between the EU and U.S. without additional data protection measures being added.
In a statement Monday, the European Commission, the EU's executive body, said it concluded that U.S. data protection laws offer an “adequate level of protection” for European citizens, and introduced new safeguards limiting U.S. intelligence services’ access to EU data to only what is “necessary and proportionate.”
Data Protection Review Courts will be established for Europeans to file privacy complaints. When the new safeguards are violated, the commission will have the power to order firms to delete users’ data.
Why was a new data transfer agreement needed?
It replaces the Privacy Shield agreement, which allowed companies to store and process European personal data locally in their domestic data centers.
In July 2020, the European Court of Justice ruled that U.S. law did not offer sufficient protection against government surveillance, siding with Austrian privacy campaigner Max Schrems.
According to Schrems, U.S. data protection standards cannot be trusted after revelations by NSA whistleblower Edward Snowden.
He filed a complaint against Facebook, which, like many other firms, transferred his and other users’ data to the States, as well as the Irish Data Protection Commission, Facebook’s main regulatory body for privacy in Europe.
In 2015, the European Court of Justice ruled that the then Safe Harbour Agreement, a previous mechanism for allowing European users’ data to be transferred to the U.S., was invalid and inadequately protected European citizens.
Multinational companies operating in multiple jurisdictions need to move data across borders securely and in compliance with data protection regulations.
It is common practice for U.S. tech giants to share data about their European users back home. As an open, interconnected platform, the internet is subject to this phenomenon.
Regulators and privacy activists have raised concerns about how these tech companies handle data.
Many companies collect a lot of user data, which they use for content recommendation algorithms and advertising personalization.
Several scandals have also involved the misuse of people’s data by tech firms – not least Meta’s improper sharing of data with Cambridge Analytica, a controversial political consulting firm.
The processing of internet users’ data is subject to tough regulations in Europe.
The General Data Protection Regulation, or GDPR, came into effect in 2018, introducing tough requirements for organizations regarding the handling of user data. All EU countries are subject to this law.
On the other hand, the United States does not have a single federal data protection law covering all types of personal information.
The U.S. states have instead come up with their own privacy regulations, with California leading the way.
“There has been intense regulatory and political scrutiny regarding EU-U.S. data transfers, so the U.S. law protections to support the new framework differ significantly,” said Holger Lutz, a partner at Clifford Chance.
“Changes to U.S. law have been made in parallel to strengthen protections for EU personal data and rights for EU citizens. These protections apply not only to the new framework, but also to transfers outside the framework, and can be taken into account when making such transfers in accordance with other legal instruments such as the EU standard contractual clauses.”