European Commission on Monday adopts its “adequacy decision for the EU-US Data Privacy Framework”, but legal challenge is threatened
Relief for some big name tech players, after the European Commission announced a new data transfer pact with the United States on Monday.
The EC announced on Monday that it has “adopted its adequacy decision for the EU-US Data Privacy Framework.”
The EC said that its decision on Monday “concludes that the United States ensures an adequate level of protection – comparable to that of the European Union – for personal data transferred from the EU to US companies under the new framework.”
“On the basis of the new adequacy decision, personal data can flow safely from the EU to US companies participating in the Framework, without having to put in place additional data protection safeguards,” it said.
The EU-US Data Privacy Framework “introduces new binding safeguards to address all the concerns raised by the European Court of Justice, including limiting access to EU data by US intelligence services to what is necessary and proportionate, and establishing a Data Protection Review Court (DPRC), to which EU individuals will have access.”
The EC said the new framework introduces significant improvements compared to the mechanism that existed under the Privacy Shield.
“The new EU-US Data Privacy Framework will ensure safe data flows for Europeans and bring legal certainty to companies on both sides of the Atlantic,” said President Ursula von der Leyen.
“Following the agreement in principle I reached with President Biden last year, the US has implemented unprecedented commitments to establish the new framework,” said von der Leyen. Today we take an important step to provide trust to citizens that their data is safe, to deepen our economic ties between the EU and the US, and at the same time to reaffirm our shared values. It shows that by working together, we can address the most complex issues.”
However, the move was immediately criticised by non-profit group noyb, led by privacy activist Max Schrems, which said it would challenge the agreement.
“Just announcing that something is ‘new’, ‘robust’ or ‘effective’ does not cut it before the Court of Justice. We would need changes in US surveillance law to make this work,” Schrems was quoted by Reuters as saying in a statement.
“We have various options for a challenge already in the drawer, although we are sick and tired of this legal ping-pong. We currently expect this to be back at the Court of Justice by the beginning of next year,” Schrems added.
It should be noted that Europe’s top court have scuppered the previous two deals after challenges by Schrems, due to concerns about US intelligence agencies accessing European citizens’ private data.
The issue of transferring European user data to American servers has long been a bug bear for the European Commission and privacy campaigners.
Data used to be transferred to the US under the Safe Habour agreement, but the European Court of Justice in 2015 suspended the original Safe Harbour agreement.
It was suspended in the wake of the Edward Snowden revelations about the scale of US and its NSA agency spying on friends and allies.
The Privacy Shield (or Safe Harbour 2.0) was then drafted, but the United States and the European Union were forced to change it after an initial agreement submitted in February 2016 was rejected by European Watchdogs for not being robust enough.
The two sides then agreed to stricter rules for American companies holding information on Europeans and clearer limits on US surveillance. And this reworked Privacy Shield agreement was then approved by EU member states and adopted in July 2016.
The European Commission’s Privacy Shield data framework replaced the EU-US Safe Harbour deal which had been in place since 2000, but right from the start it proved controversial with ongoing concerns about US spying.
The Privacy Shield had been designed to help firms on both sides of the Atlantic to move the personal data of European citizens to the United States without breaking strict EU data transfer rules.
It remains to be seen whether the new ‘Trans-Atlantic Data Privacy Framework’ will pass the scrutiny of European courts.