Europe and the U.S. finally agree a landmark data-sharing pact — and it’s already under threat
The Privacy Shield Framework logo is displayed on a smartphone screen.
Pavlo Gonchar | Sopa Images | Lightrocket | Getty Images
Businesses can continue transferring data from the European Union to the U.S. as normal after the two superpowers this week agreed a landmark data-sharing pact.
The framework, which replaces a previous agreement that was invalidated in 2020, is a major development with implications for U.S. tech giants, which rely on the pact to transfer data on their European users back to America.
Without it in place, these companies faced the risk of costly initiatives to process and store user data locally — or withdraw their business from the bloc altogether. So the agreement of the new rules will provide some relief to Meta and other U.S. companies which share gargantuan amounts of user data around the world.
However, the rules already face the threat of legal challenges from privacy activists, who are unhappy with the level of protection the measures offer European citizens. They say it isn’t that different from an earlier framework called Privacy Shield.
CNBC runs through all you need to know about the new EU-U.S. privacy framework, why it matters, and its chances of success.
What’s the new EU-U.S. Data Privacy Framework?
The new data-sharing pact, called the EU-U.S. Data Privacy Framework, aims to ensure that data can flow safely between the EU and U.S., without having to put in place additional data protection safeguards.
In a statement Monday, EU executive body the European Commission said it concluded that U.S. data protection laws offer an “adequate level of protection” for European citizens, and introduced new safeguards limiting access to EU data by U.S. intelligence services to only what is “necessary and proportionate.”
A new Data Protection Review Court will be established for Europeans to issue privacy complaints. It will have powers to order firms to delete users’ data if it finds the information collected was in breach of the new safeguards.
Why was a new data transfer agreement needed?
The Data Privacy Framework replaces a prior agreement, called Privacy Shield, which allowed companies to share data on Europeans to the U.S. for storage and processing locally in their domestic data centers.
This was struck down in July 2020, when the European Court of Justice, the EU’s top court, sided with Austrian privacy campaigner Max Schrems, who alleged U.S. law did not offer sufficient protection against surveillance by public authorities.
Schrems said that revelations from NSA whistleblower Edward Snowden about U.S. surveillance meant that American data protection standards couldn’t be trusted.
He raised a complaint against the social network Facebook which, like many other firms, was transferring his and other user data to the States, as well as the Irish Data Protection Commission, which is Facebook’s main regulatory authority when it comes to data privacy in Europe.
It reached the European Court of Justice, which in 2015 ruled that the then Safe Harbour Agreement, a previous mechanism for allowing European users’ data to be moved to the U.S., was not valid and did not adequately protect European citizens.
It was replaced with the Privacy Shield, however, this was subsequently scrapped too.
In the meantime, companies have relied on separate mechanisms known as Standard Contractual Clauses to ensure they can still move data across the Atlantic.
These tools, too, are under threat.
The Irish DPC in May ruled that Meta’s use of SCCs for transfers of personal data to the U.S. is in breach of the EU’s General Data Protection Regulation. The U.S. tech giant was fined a record $1.3 billion.
Why does it matter?
Multinational companies operate in various jurisdictions, and they need to move data on their customers across borders in a way that’s both secure and complies with data protection regulations.
U.S. tech giants share data on their European users back home all the time. It’s part and parcel of the internet being an open, interconnected platform.
But the way data is handled by these tech companies has come under heavy scrutiny by regulators and privacy campaigners.
Meta, Google, Amazon and others collect huge amounts of data on their users, which they use to inform their content recommendation algorithms and personalize ads.
There have also been countless examples of scandals surrounding the misuse of people’s data by tech firms — not least Meta’s improper sharing of data with Cambridge Analytica, the controversial political consulting firm.
Europe has tough regulations when it comes to processing internet users’ data.
In 2018, the General Data Protection Regulation, or GDPR, came into force introducing tough requirements for organizations to ensure they handle user data safely and securely. This is a law that applies across all the countries within the EU.
The U.S., on the other hand, does not have a singular federal data protection law in place that covers the privacy of all types of data.
Instead, individual U.S. states have come up with their own respective regulations for data privacy, with California leading the charge.
“There has been intense regulatory and political scrutiny on EU-U.S. data transfers, so there are notable differences in the U.S. law protections implemented to support the new framework,” Holger Lutz, partner at law firm Clifford Chance, told CNBC via email.
“Changes to U.S. law have been made in parallel to enhance protections for EU personal data and rights for EU citizens in connection with that data. Those protections are not limited to the new framework – they also protect EU-U.S. personal data transfers outside the framework, and can be taken into account when making such transfers based on other legal instruments such as the EU standard contractual clauses.”
Will it succeed?
The approval of a new data privacy framework means that businesses will now have certainty over how they can process data across borders going forward.
Had there not been an agreement, some companies may have been forced to close their operations in Europe. Indeed, Meta warned this was a risk in February 2022.
Still, obstacles lie ahead.
Schrems, the Austrian privacy activist who helped bring down Privacy Shield, has already said he plans to launch a legal challenge to rip up the new data-sharing pact.
In a statement, Schrems said his law firm Noyb has “various options for a challenge already in the drawer.”
“We currently expect this to be back at the Court of Justice by the beginning of next year,” Schrems said.
“The Court of Justice could then even suspend the new deal while it is reviewing the substance of it. For the sake of legal certainty and the rule of law we will then get an answer if the Commission’s tiny improvements were enough or not.”
Privacy activists say the measures are not sufficient as U.S. privacy laws do not extend protections to non-U.S. citizens, meaning people in the EU don’t have the same level of protection.
“Whether the framework is successful will be a matter of whether the European courts consider the protections for personal data in the US do enough to deliver essential equivalence to the EU protections,” Lutz of Clifford Chance told CNBC.
“Businesses will be carefully considering these potential challenges in their scenario planning.”
Elon Musk attends the America First Policy Institute gala at Mar-A-Lago in Palm Beach, Florida, Nov. 14, 2024.
Carlos Barria | Reuters
X’s new terms of service, which took effect Nov. 15, are driving some users off Elon Musk’s microblogging platform.
The new terms include expansive permissions requiring users to allow the company to use their data to train X’s artificial intelligence models while also making users liable for as much as $15,000 in damages if they use the platform too much.
The terms are prompting some longtime users of the service, both celebrities and everyday people, to post that they are taking their content to other platforms.
“With the recent and upcoming changes to the terms of service — and the return of volatile figures — I find myself at a crossroads, facing a direction I can no longer fully support,” actress Gabrielle Union posted on X the same day the new terms took effect, while announcing she would be leaving the platform.
“I’m going to start winding down my Twitter account,” a user with the handle @mplsFietser said in a post. “The changes to the terms of service are the final nail in the coffin for me.”
It’s unclear just how many users have left X due specifically to the company’s new terms of service, but since the start of November, many social media users have flocked to Bluesky, a microblogging startup whose origins stem from Twitter, the former name for X. Some users with new Bluesky accounts have posted that they moved to the service due to Musk and his support for President-elect Donald Trump.
Bluesky’s U.S. mobile app downloads have skyrocketed 651% since the start of November, according to estimates from Sensor Tower. In the same period, X and Meta’s Threads are up 20% and 42%, respectively.
X and Threads have much larger monthly user bases. Although Musk said in May that X has 600 million monthly users, market intelligence firm Sensor Tower estimates X had 318 million monthly users as of October. That same month, Meta said Threads had nearly 275 million monthly users. Bluesky told CNBC on Thursday it had reached 21 million total users this week.
Here are some of the noteworthy changes in X’s new service terms and how they compare with those of rivals Bluesky and Threads.
Artificial intelligence training
X has come under heightened scrutiny because of its new terms, which say that any content on the service can be used royalty-free to train the company’s artificial intelligence large language models, including its Grok chatbot.
“You agree that this license includes the right for us to (i) provide, promote, and improve the Services, including, for example, for use with and training of our machine learning and artificial intelligence models, whether generative or another type,” X’s terms say.
Additionally, any “user interactions, inputs and results” shared with Grok can be used for what it calls “training and fine-tuning purposes,” according to the Grok section of the X app and website. This specific function, though, can be turned off manually.
X’s terms do not specify whether users’ private messages can be used to train its AI models, and the company did not respond to a request for comment.
“You should only provide Content that you are comfortable sharing with others,” read a portion of X’s terms of service agreement.
Though X’s new terms may be expansive, Meta’s policies aren’t that different.
The maker of Threads uses “information shared on Meta’s Products and services” to get its training data, according to the company’s Privacy Center. This includes “posts or photos and their captions.” There is also no direct way for users outside of the European Union to opt out of Meta’s AI training. Meta keeps training data “for as long as we need it on a case-by-case basis to ensure an AI model is operating appropriately, safely and efficiently,” according to its Privacy Center.
Under Meta’s policy, private messages with friends or family aren’t used to train AI unless one of the users in a chat chooses to share it with the models, which can include Meta AI and AI Studio.
Bluesky, which has seen a user growth surge since Election Day, doesn’t do any generative AI training.
“We do not use any of your content to train generative AI, and have no intention of doing so,” Bluesky said in a post on its platform Friday, confirming the same to CNBC as well.
Liquidated damages
Another unusual aspect of X’s new terms is its “liquidated damages” clause. The terms state that if users request, view or access more than 1 million posts – including replies, videos, images and others – in any 24-hour period they are liable for damages of $15,000.
While most individual users won’t easily approach that threshold, the clause is concerning for some, including digital researchers. They rely on the analysis of larger numbers of public posts from services like X to do their work.
X’s new terms of service are a “disturbing move that the company should reverse,” said Alex Abdo, litigation director for the Knight First Amendment Institute at Columbia University, in an October statement.
“The public relies on journalists and researchers to understand whether and how the platforms are shaping public discourse, affecting our elections, and warping our relationships,” Abdo wrote. “One effect of X Corp.’s new terms of service will be to stifle that research when we need it most.”
Neither Threads nor Bluesky have anything similar to X’s liquidated damages clause.
Meta and X did not respond to requests for comment.
WATCH: Bluesky CEO: Our platform is ‘radically different’ from anything else in social media
-
Sports2 years ago‘Storybook stuff’: Inside the night Bryce Harper sent the Phillies to the World Series
-
Sports8 months agoStory injured on diving stop, exits Red Sox game
-
Sports2 years agoMLB Rank 2023: Ranking baseball’s top 100 players
-
Sports1 year agoGame 1 of WS least-watched in recorded history
-
Sports3 years ago
Team Europe easily wins 4th straight Laver Cup
-
Environment2 years agoJapan and South Korea have a lot at stake in a free and open South China Sea
-
Environment2 years agoGame-changing Lectric XPedition launched as affordable electric cargo bike
-
Business2 years agoBank of England’s extraordinary response to government policy is almost unthinkable | Ed Conway