Closing the book on three years of legal uncertainty, the EU has come to a new arrangement with the U.S., allowing for EU citizens’ private data to be sent across the pond by the world’s biggest technology companies and thousands of other U.S.-based businesses that rely on the free flow of data.
The new deal, known as the so-called EU-U.S. Data Privacy Framework, replaces an accord known as Privacy Shield, which the European Union’s highest court struck down in 2020 over lack of sufficient privacy protections.
This time, a sufficient bulwark appears to be in place which, among other things, would militate against spying by U.S. intelligence agencies. In this, the framework would be similar to protections already existent within the bloc, the EU says.
One of the provisions states that personal data must be erased when no longer needed. U.S. access to EU citizens’ data must also be “limited to what is necessary and proportionate to protect national security”—a clause that remains frustratingly ill-defined.
The EU, however, states that in the event of possible misuse, EU citizens have access to an “independent and impartial redress mechanism regarding the collection and use of their data,” which includes a “newly created Data Protection Review Court (DPRC).” That court would then be tasked with independently investigating and resolving complaints, adopting binding remedial measures when necessary.
In an interview with The New York Times, Didier Reynders, the EU’s commissioner for justice who helped negotiate the agreement, called it a “robust solution,” and a “real change,” adding that “protection [for EU citizens] is [now] traveling with the data.”
Brussels and Washington have long been at odds over the EU’s General Data Protection Regulation (GDPR). Only in May, an infraction meant tech giant Meta was slapped with a €1.2 billion fine.
Without going into much detail, U.S. President Joe Biden said he was pleased with the new agreement, as it “reflects our joint commitment to strong data privacy protections and will create greater economic opportunities for our countries and companies on both sides of the Atlantic.”
Last October, the American leader issued an executive order laying the groundwork for the deal, requiring American intelligence officials to add more protections for the collection of digital information.
Others are far less enthused. The Austrian non-profit group NOYB, led by privacy activist Max Schrems, has said it would legally challenge the agreement in the European Court of Justice; something it has managed to pull off with the deal’s two previous incarnations.
“Just announcing that something is ‘new,’ ‘robust’ or ‘effective’ does not cut it before the [European] Court of Justice. We would need changes in U.S. surveillance law to make this work,” Schrems said in a statement.
“We have various options for a challenge already in the drawer, although we are sick and tired of this legal ping-pong. We currently expect this to be back at the Court of Justice by the beginning of next year,” he added.
The EU’s Didier Reynders said he was confident “of fighting, of defending the new data agreement,” as its principles are solid, and that the EU Commission had made “significant progress which meets the requirements of the European Court of Justice case law,” he told a news conference.
