The European Commission said Monday it has adopted a new legal framework to protect Europeans’ personal data in exchanges with the United States — its third attempt to get past legal challenges.
“Today we take an important step to provide trust to (EU) citizens that their data is safe, to deepen our economic ties between the EU and the US, and at the same time to reaffirm our shared values,” commission chief Ursula von der Leyen said.
The announcement was made possible after US President Joe Biden last year issued an executive order updating US intelligence agencies’ rules when it came to snooping on international data flows to give “safeguards” to European Union citizens and residents, the EU executive said.
Umbrella groups representing tech companies, whose business models depend on transatlantic data exchanges, hailed the announcement of the EU-US Data Privacy Framework
It was “good news for thousands of businesses,” one of them, DigitalEurope, said in a statement.
A US grouping, The Software Alliance (BSA), said it would “bolster the management of data across borders — a cornerstone of our modern economy — and improve safeguards for citizens of the EU and US alike”.
But Max Schrems, an Austrian legal activist whose challenges led to EU courts shooting down two previous EU-US attempts on data transfers, said this one, too, would fail to satisfy EU law.
The latest framework still has “the fundamental problem” that the United States “takes the view that only US persons are worthy of constitutional rights” protecting them from American electronic snooping, he said.
He vowed to challenge the latest effort, predicting the case “will be likely back at the Court of Justice (of the EU) in a matter of months”.
EU justice commissioner Didier Reynders told journalists he had “no illusion” about the coming likely legal challenge.
“But it’s maybe useful to test the new US system before to challenge such an adequacy decision,” he said.
Reynders added, in an apparent swipe at Schrems’s non-profit European Centre for Digital Rights, that “maybe the access to the court of justice is a small part of the business model of some civil society organisations”.
The European Commission argued that the new framework offered “significant improvements” over the previous data-transfer mechanism, called Privacy Shield, which the EU court deemed inadequate.
The commission said US companies signing onto the EU-US Data Privacy Framework would be required to delete Europeans’ personal data when it was no longer needed for the purpose it was collected.
Its scope applies to citizens of the 27-nation EU and of associated countries Norway, Iceland and Liechtenstein, as well as residents in all those countries.
They would have the right to redress if they found their data was wrongly handled by US companies.
Under US law, Americans are protected from electronic spying by US intelligence agencies by their constitution, but all other nationalities are fair game.
While Biden’s October 2022 executive order does not extend that same protection to Europeans, it does oblige US intelligence agencies to show data-collection on foreigners is “proportionate” to a specified US national security objective.
It also adds oversight to the handling of personal data collected, and offers a path to “redress” for citizens of “qualifying states”, which is meant to include those of the EU.
A new US Data Protection Review Court, made up of experts from outside the American government, would be able to review data decisions made inside the US office of the Director of National Intelligence.
The European Commission said the US measures would underpin standard contractual clauses that so many online platforms, including those run by Meta, Amazon and Google, rely on to transfer Europeans’ data to the United States.