Europe Signs Off on a New Privacy Pact That Allows People’s Data to Keep Flowing to US

The EU signed off on a new agreement over the privacy of people’s personal information that gets pinged across the Atlantic, aiming to ease European concerns about electronic spying by American intelligence agencies.


The European Union signed off Monday on a new agreement over the privacy of people’s personal information that gets pinged across the Atlantic, aiming to ease European concerns about electronic spying by American intelligence agencies.

The EU-U.S. Data Privacy Framework has an adequate level of protection for personal data, the EU’s executive commission said. That means it’s comparable to the 27-nation bloc’s own stringent data protection standards, so companies can use it to move information from Europe to the United States without adding extra security.

U.S. President Joe Biden signed an executive order in October to implement the deal after reaching a preliminary agreement with European Commission President Ursula von der Leyen. Washington and Brussels made an effort to resolve their yearslong battle over the safety of EU citizens’ data that tech companies store in the U.S. after two earlier data transfer agreements were thrown out.

“Personal data can now flow freely and safely from the European Economic Area to the United States without any further conditions or authorizations,” EU Justice Commissioner Didier Reynders said at a press briefing in Brussels.

Washington and Brussels long have clashed over differences between the EU’s stringent data privacy rules and the comparatively lax regime in the U.S., which lacks a federal privacy law. That created uncertainty for tech giants including Google and Facebook parent Meta, raising the prospect that U.S. tech firms might need to keep European data that is used for targeted ads out of the United States.

The European privacy campaigner who triggered legal challenges over the practice, however, dismissed the latest deal. Max Schrems said the new agreement failed to resolve core issues and vowed to challenge it at the EU’s top court.

Schrems kicked off the legal saga by filing a complaint about the handling of his Facebook data after whistleblower Edward Snowden’s revelations a decade ago about how the U.S. government eavesdropped on people’s online data and communications.


Calling the new agreement a copy of the previous one, Schrems said his Vienna-based group, NOYB, was readying a legal challenge and expected the case to be back in the European Court of Justice by the end of the year.

“Just announcing that something is ‘new’, ‘robust’ or ‘effective’ does not cut it before the Court of Justice,” Schrems said. “We would need changes in U.S. surveillance law to make this work — and we simply don’t have it.”

The framework, which takes effect Tuesday, promises strengthened safeguards against data collection abuses and provides multiple avenues for redress.

Under the deal, U.S. intelligence agencies’ access to data is limited to what’s “necessary and proportionate” to protect national security.

Europeans who suspect U.S. authorities have accessed their data will be able to complain to a new Data Protection Review Court, made up of judges appointed from outside the U.S. government. The threshold to file a complaint will be “very low” and won’t require people to prove their data has been accessed, Reynders said.

Business groups welcomed the decision, which clears a legal path for companies to continue cross-border data flows.

“This is a major breakthrough,” said Alexandre Roure, public policy director at the Brussels office of the Computer and Communications Industry Association, whose members include Apple, Google and Meta.

“After waiting for years, companies and organizations of all sizes on both sides of the Atlantic finally have the certainty of a durable legal framework that allows for transfers of personal data from the EU to the United States,” Roure said.

In an echo of Schrems’ original complaint, Meta Platforms was hit in May with a record $1.3 billion EU privacy fine for relying on legal tools deemed invalid to transfer data across the Atlantic.

Meta had warned in its latest earnings report that without a legal basis for data transfers, it would be forced to stop offering its products and services in Europe, “which would materially and adversely affect our business, financial condition, and results of operations.”
