What does the EU-US Data Agreement entail for privacy?
The United States (“US”) and the European Commission (“EU”) had agreed to create a new Trans-Atlantic Data Privacy Framework to promote trans-Atlantic data flows and address concerns raised by the European Union’s Court of Justice (“CJEU”) when it overturned the Commission’s adequacy decision underlying the EU-US Privacy Shield framework in 2020.
This Framework would reinstate a crucial legal mechanism for transferring personal data from the EU to the US. The US has committed to implementing new safeguards to ensure that signals intelligence activities are necessary and proportionate in the pursuit of defined national security objectives, providing the privacy of EU personal data, and creating a new mechanism for EU individuals to seek redress if they believe signals intelligence activities have unlawfully targeted them.
A brief overview of past events
The conflict originates from a complaint submitted over a decade ago by Austrian lawyer and privacy campaigner Max Schrems, who was concerned about how Facebook handled his data in light of revelations about U.S. government cyberespionage by former National Security Agency contractor Edward Snowden.
Along the way, the EU’s top court also ruled that the Privacy Shield deal protecting transatlantic data transfers was invalid because it violated the 27-nation bloc’s stringent data privacy requirements. Companies were compelled to rely on legal stock contracts to continue the transfers. The debate had raised the possibility that Facebook might have to redesign its data centres to keep European data out of the United States.
What does the new EU-US Data Agreement entail?
The new Trans-Atlantic Data Privacy Framework will enable an equitable and competitive digital economy and establish the groundwork for future economic cooperation by ensuring a permanent and reliable legal framework for data flows. It addresses the European Union’s Court of Justice’s Schrems II judgement about US legislation governing signals intelligence activities. The United States has made extraordinary promises under the Trans-Atlantic Data Privacy Framework to:
- Enhance the privacy and civil rights measures that govern the US signals intelligence activities;
- Create a new redress system with independent and binding authority; and
- Improve its current, thorough and multi-layered oversight of signals intelligence activities.
For example, the new Framework ensures that:
- Signal intelligence collection may be carried out only when necessary to achieve legitimate national security objectives, and it must not have a disproportionate impact on individual privacy and civil freedoms.
- EU citizens may seek redress through a new multi-tiered redress structure that comprises an independent Data Protection Review Court comprised of individuals recruited from outside the US government who would have full ability to assess allegations and direct remedial measures as necessary; and
- Intelligence agencies in the United States will implement processes to assure effective oversight of new privacy and civil liberties requirements.
Benefits of the Agreement
Citizens on both sides of the Atlantic will gain significantly from this Framework. The agreement includes –
- New, high-standard pledges to protect personal data for EU citizens.
- It will allow citizens and businesses on both sides of the Atlantic to continue the flow of data that underlies more than $1 trillion in cross-border commerce each year, as well as
- It also allows firms of all sizes to compete in marketplaces.
It is the result of more than a year of thorough negotiations between the EU and the US following a 2020 decision by the CJEU stating that the previous EU-US arrangement, known as Privacy Shield, did not meet EU legal criteria.
The new Trans-Atlantic Data Privacy Framework highlights mutual commitment to privacy, data protection, the rule of law, and collective security, as well as a mutual understanding of the importance of trans-Atlantic data, flows to respective citizens economies, and societies in the EU-US region.
Data transfers are crucial to the trans-Atlantic economic relationship and all large and small enterprises in all industries. In reality, more data moves between the United States and Europe than anywhere else, allowing the $7.1 trillion US-EU economic connection to function.
The Way Forward
Participating enterprises and organisations using the Framework to protect data flows legally will be required to continue adhering to the Privacy Shield Principles, including self-certification through the US Department of Commerce.
Individuals in the EU will continue to have various options for resolving complaints about participating organisations, including alternative dispute resolution and binding arbitration.
The US intelligence community will execute these new principles to effectively protect its citizens and those of its friends and partners, following the high-standard protections provided by this Framework.
The US government and the European Commission teams will now work together to translate this agreement into legal documents that must be signed by both parties to put in place this new Trans-Atlantic Data Privacy Framework. These promises from the United States will be placed in an Executive Order that will serve as the foundation for the Commission’s assessment in its future sufficiency judgement.
According to Facebook’s head of global affairs, Nick Clegg, the new agreement “will help keep people connected and services running.” “It will provide invaluable certainty for American and European businesses of all sizes, including Meta, that rely on data transfer quickly and safely.” Google has praised the EU and US efforts to “protect transatlantic data transfers.”
However, Schrems described the latest agreement as a “political announcement.” He warned that it could end up in court because his Vienna-based group NOYB would thoroughly examine it and challenge anything that violated EU law.
Thus, as the agreement was only struck “in principle,” there appears to be some ambiguity, and we may have to wait a while before seeing the final text. Even optimistic views persist among privacy specialists who commend the negotiators’ efforts and are eager to ensure that organisations continue to be accredited to the expanded Privacy Shield.