The European Union signed off Monday on a new agreement over the privacy of people’s personal information that gets pinged across the Atlantic, aiming to ease European concerns about electronic spying by American intelligence agencies.
The EU-U.S. Data Privacy Framework has an adequate level of protection for personal data, the EU’s executive commission said. That means it’s comparable to the 27-nation’s own stringent data protection standards, so companies can use it to move information from Europe to the United States without adding extra security.
U.S. President Joe Biden signed an executive order in October to implement the deal after reaching a preliminary agreement with European Commission President Ursula von der Leyen. Washington and Brussels made an effort to resolve their yearslong battle over the safety of EU citizens’ data that tech companies store in the U.S. after two earlier data transfer agreements were thrown out.
“Personal data can now flow freely and safely from the European Economic Area to the United States without any further conditions or authorizations,” EU Justice Commissioner Didier Reynders said at a press briefing in Brussels.
Washington and Brussels long have clashed over differences between the EU’s stringent data privacy rules and the comparatively lax regime in the U.S., which lacks a federal privacy law. That created uncertainty for tech giants including Google and Facebook parent Meta, raising the prospect that U.S. tech firms might need to keep European data that is used for targeted ads out of the United States.
The European privacy campaigner who triggered legal challenges over the practice, however, dismissed the latest deal. Max Schrems said the new agreement failed to resolve core issues and vowed to challenge it to the EU’s top court.
Schrems kicked off the legal saga by filing a complaint about the handling of his Facebook data after whistleblower Edward Snowden’s revelations a decade ago about how the U.S. government eavesdropped on people’s online data and communications.
Calling the new agreement a copy of the previous one, Schrems said his Vienna-based group, NOYB, was readying a legal challenge and expected the case to be back in the European Court of Justice by the end of the year.
“Just announcing that something is ‘new’, ‘robust’ or ‘effective’ does not cut it before the Court of Justice,” Schrems said. “We would need changes in U.S. surveillance law to make this work — and we simply don’t have it.”
The framework, which takes effect Tuesday, promises strengthened safeguards against data collection abuses and provides multiple avenues for redress.
Under the deal, U.S. intelligence agencies’ access to data is limited to what’s “necessary and proportionate” to protect national security.
Europeans who suspect U.S. authorities have accessed their data will be able to complain to a new Data Protection Review Court, made up of judges appointed from outside the U.S. government. The threshold to file a complaint will be “very low” and won’t require people to prove their data has been accessed, Reynders said.
Business groups welcomed the decision, which clears a legal path for companies to continue cross-border data flows.
“This is a major breakthrough,” said Alexandre Roure, public policy director at the Brussels office of the Computer and Communications Industry Association, whose members include Apple, Google and Meta.
“After waiting for years, companies and organizations of all sizes on both sides of the Atlantic finally have the certainty of a durable legal framework that allows for transfers of personal data from the EU to the United States,” Roure said.
In an echo of Schrems’ original complaint, Meta Platforms was hit in May with a record $1.3 billion EU privacy fine for relying on legal tools deemed invalid to transfer data across the Atlantic.
Meta had warned in its latest earnings report that without a legal basis for data transfers, it would be forced to stop offering its products and services in Europe, “which would materially and adversely affect our business, financial condition, and results of operations.”
Related: Europe’s Hypocrisy Over Personal Data Privacy Exposed
Related: One Year After Europe’s Schrems II Decision, Privacy Activist Bemoans Lack of Progress
