LONDON (AP) — On Monday, the European Union approved a new agreement addressing the privacy concerns surrounding the transfer of personal data between Europe and the United States. The aim is to alleviate worries within Europe about surveillance conducted by American intelligence agencies.
The EU-U.S. Data Privacy Framework has been deemed to provide an adequate level of protection for personal data, according to the EU’s executive commission. This means it meets the same rigorous data protection standards as those in the 27 member nations of the EU, enabling companies to transfer information from Europe to the United States without the need for additional security measures.
In October, U.S. President Joe Biden signed an executive order to implement the agreement, following a preliminary understanding reached with European Commission President Ursula von der Leyen. This move reflects the joint efforts made by Washington and Brussels to resolve their long-standing dispute regarding the safety of EU citizens’ data stored by tech companies in the U.S., after the previous two data transfer agreements were invalidated.
EU Justice Commissioner Didier Reynders announced at a press briefing in Brussels that personal data can now freely and securely flow from the European Economic Area to the United States without any additional conditions or authorizations. This development aims to address the longstanding dispute between Washington and Brussels over the disparities between the EU’s strict data privacy rules and the comparatively lenient regulations in the U.S., which lacks a federal privacy law. This uncertainty had implications for major tech companies like Google and Meta (formerly Facebook), as it raised concerns about the transfer of European data used for targeted advertising to the U.S.
However, Max Schrems, the European privacy campaigner who initiated legal challenges in this matter, dismissed the new agreement. Schrems argued that it fails to address the fundamental issues at hand and pledged to challenge it in the European Court of Justice. Schrems originally filed a complaint regarding the handling of his Facebook data in the aftermath of whistleblower Edward Snowden’s revelations a decade ago about U.S. government surveillance of online data and communications.
Schrems criticized the new agreement, stating that it is essentially a replication of the previous one. His organization, NOYB, based in Vienna, is preparing a legal challenge and expects the case to be brought before the European Court of Justice by the end of the year. Schrems emphasized that mere claims of the agreement being “new,” “robust,” or “effective” are insufficient to meet the standards of the Court of Justice. He stressed that changes in U.S. surveillance law, which in his view are currently lacking, are needed to ensure the viability of the agreement.
The new framework will come into effect on Tuesday, offering enhanced protections against data collection abuses and establishing multiple avenues for addressing grievances.
According to the agreement, U.S. intelligence agencies’ access to data will be restricted to what is deemed “necessary and proportionate” for safeguarding national security.
European individuals who suspect that U.S. authorities have accessed their data will have the option to lodge complaints with a newly established Data Protection Review Court. This court will consist of judges appointed from outside the U.S. government. Commissioner Reynders highlighted that the threshold for filing a complaint will be set at a “very low” level, and individuals will not be required to prove that their data has been accessed.
Business organizations have expressed their approval of this decision, as it paves the way for companies to continue conducting cross-border data transfers.
“This represents a significant breakthrough,” stated Alexandre Roure, the public policy director at the Brussels office of the Computer and Communications Industry Association, whose members include major tech companies such as Apple, Google, and Meta.
“After years of waiting, companies and organizations of all sizes on both sides of the Atlantic finally have the assurance of a robust legal framework that facilitates the transfer of personal data from the EU to the United States,” Roure added.
In a parallel to Max Schrems’ initial complaint, Meta Platforms (formerly Facebook) faced a significant EU privacy fine of $1.3 billion in May. The fine was imposed due to Meta’s reliance on legal mechanisms that were deemed invalid for transferring data between Europe and the United States.
In its recent earnings report, Meta cautioned that the absence of a legal framework for data transfers would compel the company to cease offering its products and services in Europe. Such a scenario would have a substantial and adverse impact on Meta’s business, financial standing, and operational outcomes.