The new data privacy framework will ensure safe data sharing for Europeans and bring legal certainty to companies on both sides of the Atlantic.
The European Union and United States have finalized a framework for the transfer of data from EU citizens to US organizations, which complies with EU privacy rights and doesn’t require US organizations to add another layer of protocols or data safeguards.
The agreement, which was finalized several months ago, was necessary after the Court of Justice of the European Union found the Safe Harbor and Privacy Shield invalid in 2020, which was the second time the court had ruled this way. There were worries that major tech apps, such as Facebook and Amazon, would either have to close operations in the EU or substantially reduce feature availability in the region if an arrangement could not be agreed upon.
This agreement, called the EU-US Data Privacy Framework, puts in place mechanisms that allow EU citizens to object to their data being collected if they believe it has been intercepted by US intelligence agencies. It also outlines in more granular detail when intelligence agencies can collect said data. In addition, EU citizens can object if they believe their data has been handled incorrectly.
“The new EU-U.S. Data Privacy Framework will ensure safe data flows for Europeans and bring legal certainty to companies on both sides of the Atlantic,” said EU President, Ursula von der Leyen. “Following the agreement in principle reached with President Biden last year, the US has implemented unprecedented commitments to establish the new framework. Today we take an important step to provide trust to citizens that their data is safe, to deepen our economic ties between the EU and the US, and at the same time to reaffirm our shared values. It shows that by working together, we can address the most complex issues.”
Self-certification required to meet terms of data sharing framework
Businesses wanting to join the EU-US Framework will self-certify their commitment to a set of privacy obligations surrounding EU data transfers and privacy. The US Department of Commerce will control the standards and ensure that organizations comply.
Austrian privacy activist Max Schrems is at the heart of the Court of Justice’s decision to invalidate the Safe Harbor and Privacy Shield agreements, after launching a legal challenge to Facebook for storing EU citizen data on US servers. Schrems began his legal challenge after the revelations from Edward Snowden of global intelligence programs which were spying on EU citizens through interception of US organizations’ data.
Many tech giants have been worried about the effects of not having a data agreement in place with the EU, the most notable being the $1.3 billion fine Meta Platforms faced for violating GDPR. With this agreement now in place, there should be fewer of these blockbuster fines for US tech companies.
That said, Schrems and others are not convinced that the EU-US Framework is enough to protect EU citizens’ privacy. Some have said that the backdoor methods for creating this framework, without much input from the European Commission, have led to an agreement that favors the US tech giants. Schrems has also said that the US has not made any changes to its own surveillance laws, dampening the likelihood that this law will have a serious effect on intelligence agencies’ data collection methods.