March 30, 2022 – Late last week, the Biden Administration and the European Commission announced that they had agreed in principle to a framework that would allow the flow of personal information between the United States and the European Union (EU) to continue.  The transfer of this information is critical to the operations of Google, Amazon, Facebook, and other online commerce and social media companies. 
 
The transfer of personal information from customers in the EU to businesses in the United States underpins more than one trillion dollars in commerce, and has been threatened in recent years by the EU’s adoption of the General Data Protection Regulation (GDPR).  The GDPR was among the first major data privacy regulations and it imposed strict requirements on the collection of personal data from residents of the EU and the transfer of that data to non-EU countries. 
 
While companies around the world worked to comply with the GDPR, the United States and the EU developed a framework, known as “Privacy Shield,” that would permit the transfer of personal data from the EU to servers in the United States.  Unfortunately, the surveillance practices of the United States criminal justice and intelligence communities drew the attention of EU courts.  In 2020, the EU Court of Justice invalidated Privacy Shield because it lacked sufficient safeguards against government surveillance and review of the personal data of EU residents.  This decision led to upheaval in the digital world.  Lawsuits were filed against Amazon, and Google Analytics (the most common tool to monitor website traffic in the world) may be barred from being used on websites visited by EU residents because the servers that operate it are primarily based in California.
 
Companies in the firearms industry that perform any trans-Atlantic business (or plan to do so) will be impacted by the success or failure of any agreement regarding data transfers.  Without a data privacy agreement in place, the data of EU residents will have to remain on servers in the EU, which will increase costs and require the maintenance of separate data storage facilities.  It will also result in increased complexity when determining where and how to store information that firearms companies gather from their customers.  Even the maintenance of EU websites will become burdensome, as some of the most important tools for operating websites (like Google Analytics and various website cookies) will not be able to legally transfer data from the EU to the United States.
 
The new Trans-Atlantic Data Privacy Framework seeks to address the court’s concerns by stating that surveillance activities will only be tied to legitimate national security interests.  The framework is currently little more than a handshake deal, but it will be codified into legal documents in the coming months.  However, some experts believe that this framework is doomed to failure because it does not mandate any new legislation to protect the data of EU residents from surveillance.  Once the agreement is drafted and signed, legal challenges may follow shortly after.
 
The Renzulli Law Firm data protection team is monitoring data privacy laws and regulations and is working with clients around the world to ensure compliance with them.  If you have any questions about data privacy developments like the Trans-Atlantic Data Privacy Framework and the potential impact on your business, please contact John F. Renzulli or Christopher Renzulli.