Intercontinental data flows —
EU-US data pact approved; privacy advocates to appeal because of US surveillance.
Getty Images | BeeBright
The European Commission today decided it is safe for personal data to be transferred from the European Union to US-based companies, handing a victory to firms like Facebook and Google despite protests from privacy advocates who worry about US government surveillance.
The commission announced that it “adopted its adequacy decision for the EU-US Data Privacy Framework,” concluding “that the United States ensures an adequate level of protection—comparable to that of the European Union—for personal data transferred from the EU to US companies under the new framework. On the basis of the new adequacy decision, personal data can flow safely from the EU to US companies participating in the Framework, without having to put in place additional data protection safeguards.”
In May, Facebook-owner Meta was fined 1.2 billion euros for violating the General Data Protection Regulation (GDPR) with transfers of personal data to the United States and was ordered to stop storing European Union user data in the US within six months. But Meta said at the time that if the pending data-transfer pact “comes into effect before the implementation deadlines expire, our services can continue as they do today without any disruption or impact on users.”
The data-transfer deal “is expected to face a legal challenge from European privacy advocates, who have long said that the US needs to make substantial changes to surveillance laws,” a Wall Street Journal report said today. “Transfers of data from Europe to the US have been in question since an EU court ruled in 2020 that a previous deal allowing trans-Atlantic data flows was illegal because the US didn’t give EU individuals an effective way to challenge surveillance of their data by the US government.”
US to monitor compliance
The EC’s announcement said the new framework has “binding safeguards to address all the concerns raised by the European Court of Justice, including limiting access to EU data by US intelligence services to what is necessary and proportionate, and establishing a Data Protection Review Court (DPRC), to which EU individuals will have access.” The new court “will be able to order the deletion” of data that is found to have been collected in violation of the new rules.
The framework will be administered and monitored by the US Department of Commerce and the “US Federal Trade Commission will enforce US companies’ compliance,” the EC announcement said. EU residents who challenge data collection will have free access to “independent dispute resolution mechanisms and an arbitration panel.”
The US and EC agreed on the data privacy framework in March 2022, and the US announced last week that it has fulfilled its commitments for implementing the deal.
Google supported the agreement, writing last year that the “US government has now committed to systems that will enable independent and meaningful redress for people in the EU, strengthen the guardrails and proportionality of US intelligence collection, and ensure effective oversight of these new privacy and civil liberties standards in ways that address the concerns articulated by the Court of Justice of the European Union.” Google also said the agreement provides “a reliable and durable foundation for the future of Internet services on both sides of the Atlantic.”
US companies can join the EU-US framework “by committing to comply with a detailed set of privacy obligations, for instance the requirement to delete personal data when it is no longer necessary for the purpose for which it was collected, and to ensure continuity of protection when personal data is shared with third parties,” the European Commission said.
Privacy activist plans appeal
Previous data agreements known as Safe Harbor and Privacy Shield were struck down by European courts, the WSJ noted. “Max Schrems, an Austrian lawyer and privacy activist who led the legal challenges to the earlier agreements, said he plans to challenge the latest deal, too,” the report said.
“We would need changes in US surveillance law to make this work and we simply don’t have it,” Schrems was quoted as saying.
European Parliament member Birgit Sippel, who is in Germany’s Social Democratic Party, said the “framework does not provide any meaningful safeguards against indiscriminate surveillance conducted by US intelligence agencies,” according to The New York Times.
The EC approval of the deal was lauded by the Computer & Communications Industry Association, which represents Amazon, Apple, eBay, Google, Meta, Twitter, and other tech companies. “Today’s decision means that EU and US businesses will soon have full legal certainty again to transfer personal data across the Atlantic… Data flows are vital to transatlantic trade and the EU-US economic relationship, which is worth €5.5 trillion per year. Nevertheless, the two economies had been left without guidelines for data transfers after an EU Court ruling invalidated the previous framework back in 2020,” the group said.
