In 2000 the European Commission passed a set of principles proposed by the US Department of Commerce that provided adequate protection of personal data of EU citizens . That agreement made it possible for companies in the US to transfer data from the EU.
In 2013 an Austrian student, Max Schrems field a complaint in Ireland that opposed the transfer of Facebook data from European users which brought the case to court that in 2014 posed questions to the European Court of Justice.
On October 2015 The European Court of Justice ruled the European Commission’s Safe Harbour Decision invalid which meant that there is no longer a single standard for the handling of data between US companies and EU users.
The invalidation of this meant that countries individually could set their own rules and choose to suspend data transfer if they so wish which would force US companies to host data in the specific countries. For Ireland the Facebook case will be further investigated in order to establish whether there is enough data protection in place.
Later on in February 2016 a new deal was agreed, the “Privacy Shield”, to replace the “Safe Harbour” that required the US to given a yearly written notice promising not to participate in any sort of mass surveillance of EU citizens.
There is several issues with this new ruling. The first one is that the definition of “mass surveillance” is a relative one, and it can end on each government’s understanding of what it stands for. Therefore the US promising not to execute “mass surveillance” might not include data collection form certain services since the company for the US government might not consider it “surveillance”. The second and major problem is that a simple written notice from the US guarantees literally nothing. There doesn’t seem to be any specific guidelines of behaviour and only requiring a simple promise is very conflicting taking into account the practices of the US government and the NSA that were made public by Edward Snowden in 2013.
Establishing a transatlantic agreement is difficult enough due to the differences of US and EU government and company practices, however it should be taken into account that it is data generated by European Union citizens therefore the same regulations and rules that would be expected to be applied by companies and governments of the EU should be applied tot he US clearly as it is the same principal of data collection for commercial benefit.