The European Union has approved a proposal that allows companies such as Facebook, Google and Apple to store the data of European users in the United States, again allowing data to flow across the Atlantic.
In 2020, an EU court ruled that an agreement allowing the transfer of user data across the Atlantic was illegal. But the EU approved a new plan to continue allowing technology companies to store EU citizens’ data in the US. The European Commission adopted an “adequacy decision” for the Trans-Atlantic Data Privacy Framework, concluding that the US provides adequate protection for transferred data “comparable to that of the European Union”.
The framework includes binding safeguards to address concerns raised by the European Court of Justice, such as limiting US intelligence services’ access to EU data to only “what is necessary and proportionate”. It also provides for a Data Protection Review Court that EU citizens can access and other improvements that the previous Privacy Shield framework did not offer.
Adequacy does not require the third country’s data protection system to be identical to the one of the EU but is based on the “essential equivalence” standard. It involves a comprehensive assessment of a country’s data protection framework, both the protection applicable to personal data and the available oversight and redress mechanisms.
The European data protection authorities have developed a list of elements that must be considered for this assessment, such as core data protection principles, individual rights, independent supervision and effective remedies.
New frontiers, but some are against
“The new EU-US Trans-Atlantic Data Privacy Framework will ensure secure data flows for Europeans and bring legal certainty to companies on both sides of the Atlantic,” said European Commission President Ursula von der Leyen.
“Following the agreement in principle reached with President Biden last year, the US has made unprecedented commitments to establish the new framework.” US-based companies can join the framework by committing to a list of privacy obligations, such as deleting personal data when it is no longer needed for the purpose it was initisally collected.
Adopting the framework puts in place a way for US-based technology companies to continue to operate with transatlantic dsvata transfers without having to resort to complying with EU data privacy rules by investing more in EU-specific infrastructure, for example.
The change will be helpful for companies like Meta, which the European Union fined €1.2 billion in May for its illegal data transfers. Although the agreement means that Facebook will not necessarily have to make significant changes in how it handles data, it is still expected to pay the fine. Although the new framework will benefit the tech giants, it will likely face legal challenges from privacy advocates in the US, who may still be opposed to data transfers.
The new agreement for data transfer between the US and the EU, which the EU Commission has just approved, was greeted with heavy criticism by Max Schrems, the privacy activist who, through his association, NOYB, had already successfully challenged the validity of the two previous agreements for transatlantic data transfer, the “Safe Harbour” and the “Privacy Shield”. This was to be expected. Max Schrems has already announced that he intends to return to the European Court of Justice again; it will be the third time, and to expect an answer in 2024 or 2025.