A new transatlantic data-transfer agreement between the European Union (EU) and the United States has been approved in a third attempt, following assurances from U.S. President Joe Biden about protecting EU citizens' data from potential access by American security agencies. However, EU Justice Commissioner Didier Reynders anticipates legal challenges similar to the ones faced by its two predecessors.
EU Commission President Ursula von der Leyen stated that this adequacy decision facilitates data transfer between thousands of companies on both sides of the Atlantic while complying with EU privacy law. The decision follows lengthy negotiations and an executive order from President Biden, promising to safeguard EU citizens’ data transferred to the US.
The agreement marks a significant advancement in the ongoing issue that left numerous companies, including Meta Platforms Inc., in legal uncertainty following the 2020 annulment of the previous Privacy Shield pact by the EU's top court. This annulment threatened to disrupt significant data exchanges necessary for various business activities, from sales and marketing to payroll processing.
The newly approved EU-U.S. Data Privacy Framework addresses concerns previously raised by the European Court of Justice. It introduces several measures, such as limiting access to EU data by US intelligence services to what is deemed necessary and proportionate. The framework also establishes a Data Protection Review Court (DPRC), accessible to EU individuals.
Notably, if the DPRC determines that data has been collected violating the new safeguards, it can order the data's deletion. This comprehensive approach, coupled with additional obligations for US companies importing data from the EU, represents significant improvements over the old Privacy Shield mechanism.
Under the new framework, US companies can participate by committing to a detailed set of privacy obligations. For example, companies must delete personal data when no longer necessary and ensure continued protection when personal data is shared with third parties.
The new framework provides several recourse avenues for EU individuals if US companies mishandle their data. These include free independent dispute resolution mechanisms and an arbitration panel. The safeguards also limit data access by US public authorities, particularly for criminal law enforcement and national security purposes, to what is necessary and proportionate.
Privacy advocate Max Schrems, who initiated the legal battles that resulted in the cancellation of prior EU data transfer pacts, is ready to challenge this most recent agreement. Schrems has expressed concerns about the recurring pattern of these agreements, speculating that the current one could meet a similar end.
The US has set up an independent and impartial redress mechanism, including the Data Protection Review Court (DPRC), to address complaints from EU individuals regarding their data's collection and use by US intelligence agencies.
The functioning of the EU-U.S. Data Privacy Framework will be subject to periodic reviews, with the first review expected within a year of the adequacy decision's enforcement. These reviews will be carried out by the European Commission, together with representatives of European data protection authorities and competent US authorities.
