The U.S. and EU have agreed a new data-sharing pact allowing European data to be stored in the U.S.—but privacy campaigners look set to challenge it.
U.S. companies such as Facebook and Google will be allowed to operate under the EU-U.S. Data Privacy Framework if they commit to a detailed set of privacy obligations.
These include deleting personal data when it is no longer necessary for the purpose for which it was collected, and ensuring continuity of protection when personal data is shared with third parties. If data is wrongly handled, EU residents can turn to a free-of-charge independent dispute resolution mechanism and an arbitration panel.
“The new EU-U.S. Data Privacy Framework will ensure safe data flows for Europeans and bring legal certainty to companies on both sides of the Atlantic. Following the agreement in principle I reached with President Biden last year, the US has implemented unprecedented commitments to establish the new framework,” says EU president Ursula von der Leyen.
“Today we take an important step to provide trust to citizens that their data is safe, to deepen our economic ties between the EU and the US, and at the same time to reaffirm our shared values.”
The agreement deals specifically with concerns that European data might be shared with U.S. public bodies and law enforcement agencies. Access to data will be limited to what is “necessary and proportionate” to protect national security.
Meanwhile, EU individuals will have access to an independent and impartial redress mechanism specifically for this, including a newly created Data Protection Review Court (DPRC). The Court will independently investigate and resolve complaints, including by adopting binding remedial measures.
The deal has been welcomed by many.
“This is a major breakthrough,” says Alexandre Roure, public policy director of the Computer & Communications Industry Association (CCIA).
“After waiting for years, companies and organizations of all sizes on both sides of the Atlantic finally have the certainty of a durable legal framework that allows for transfers of personal data from the EU to the United States.”
However, that thorn in the tech firms’ side who has led challenges to earlier data agreements, Max Schrems, says he plans an appeal.
“We have now had ‘Harbors’, ‘Umbrellas’, ‘Shields’ and ‘Frameworks’—but no substantial change in U.S. surveillance law. The press statements of today are almost a literal copy of the ones from the past 23 years,” he says.
“Just announcing that something is ‘new’, ‘robust’ or ‘effective’ does not cut it before the Court of Justice. We would need changes in U.S. surveillance law to make this work—and we simply don’t have it.”
Schrems says he hopes to be back at the European Court of Justice by the beginning of next year, and is calling on the court to suspend the deal in the meantime—an unlikely prospect.
The European Commission, meanwhile, says the deal will be reviewed periodically—and certainly within the first year—to make sure that the necessary measures have been implemented in U.S. law and are working as they should.