A successor to Privacy Shield received official approval from the European Commission on Monday. This allows data on EU residents to be sent to the US again. Because the new framework better restrains the U.S. from requesting the data, lawmakers believe the deal will hold up.
At a press conference yesterday, EU Justice Commissioner Didier Reynders delivered the news that the EU-US Data Privacy Framework received approval from the European Commission. The legal framework comes as a relief to U.S. companies that can again legitimately transfer data of EU citizens to the U.S.
Lack of framework didn’t stop companies
In the three years that rules on the subject were missing, data from EU citizens were still being transferred to the U.S. It was just that the practices were illegal and in some cases the unlawfulness had to be made clear. Meta, for example, received a €1.2 billion fine last year for transferring data to the U.S. because the company could not guarantee that the data processed was adequately protected.
In the meantime, Google Analytics also faced legal headwinds. The service was found to be illegal in Europe because it transferred cookie data to the US. According to the legal institutions of Europe, cookie data is also a form of personal data because it contains IP addresses.
The reasoning for the decision reiterated why forwarding European citizens’ data to the U.S. poses risks: “Intelligence agencies in the U.S. can use online data such as IP addresses and identification numbers to surveil individuals.” U.S. intelligence agencies had the right to access collected data, even if it belonged to EU citizens.
Meanwhile, Universal Analytics completely stopped working, while Google is forcing companies to switch to Google Analytics 4. Although, of course, there are alternatives on the market.
Intelligence powers curtailed
The previous Privacy Shield fell after the European Court of Justice ruled that the data of European citizens were not guaranteed to be secure in the U.S.. There, intelligence agencies were allowed to request access to the data, which posed a problem under the GDPR.
Last October, U.S. President Joe Biden brought a solution to that problem. With an executive order, he limited the power of intelligence agencies. The executive order makes clear what information can be collected and it puts the actions of the intelligence agencies under stricter scrutiny by a newly created Data Protection Review Court.
Biden’s decision provided the cornerstone for the newly adopted EU-US Data Privacy Framework. Under the new framework, it will also become easier for European citizens to file a complaint about data collection. Previously, this required plaintiffs to prove that their data was being collected.
Relief
For lawmakers and U.S. companies, the new framework will be a relief. Accordingly, during the press conference, the approval was highlighted as a positive evolution: “With the adoption of the adequacy decision, personal data can now flow freely and securely from the European Economic Area to the United States without further conditions or authorizations,” Reynders said. “Therefore, the adequacy decision ensures that data can be exchanged between the European Union and the U.S. on the basis of a stable and trusted regime that protects individuals and provides legal certainty to companies.”
The EU commissioner said it anticipated the flaws that led the European Court of Justice to annul the Privacy Shield again. “This was my mandate and my focus in these negotiations, and this is reflected in the solutions we have obtained” he states, suggesting that Reynders is nevertheless also partly risking his own job should the agreement not survive the judiciary.
Schrems will play
The new agreement once again gives the turn to privacy activist Max Schrems. He and his organisation noyb already had the two previous agreements on data transfers annulled at the European Court of Justice. He will play again and labelled the new framework already in an initial reaction as ‘largely a copy of the failed Privacy Shield’.
“The European Commission’s third attempt to reach a stable agreement on data transfers between the EU and the U.S. is likely to come before the Court of Justice again within a few months.”
“Simply announcing that something is ‘new,’ ‘robust’ or ‘effective’ is not enough for the Court of Justice. We need changes in U.S. surveillance law to make this work – and we just don’t have them.”
The European Commission itself plans to take another look at the treaty in a year. The Commission suggests it will then revisit whether any changes or improvements to the treaty are needed.