EU-U.S. Data Privacy Framework Allows for Normal Data Transfer

A new data-sharing pact called the EU-U.S. Data Privacy Framework has been agreed upon by the European Union and the United States, allowing businesses to continue transferring data as usual. This replaces a previous agreement that was invalidated in 2020 and has significant implications for U.S. tech giants who rely on the pact to transfer data on their European users back to America. Without this agreement, these companies would have had to process and store user data locally or withdraw their business from the European Union. The new rules provide relief to companies like Meta that share large amounts of user data globally. However, privacy activists are concerned about the level of protection the framework offers European citizens, and legal challenges are expected. Here’s what you need to know about the new EU-U.S. privacy framework.

What is the new EU-U.S. Data Privacy Framework?

The new data-sharing pact, called the EU-U.S. Data Privacy Framework, ensures safe data flow between the EU and the U.S. without the need for additional data protection measures. The European Commission concluded that U.S. data protection laws offer an adequate level of protection for European citizens. The framework introduces new safeguards that limit access to EU data by U.S. intelligence services to what is necessary and proportionate. It also establishes a Data Protection Review Court for Europeans to issue privacy complaints, with the power to order firms to delete users’ data if it violates the safeguards.

Why was a new data transfer agreement needed?

The Data Privacy Framework replaces a prior agreement called Privacy Shield, which allowed companies to share data on Europeans with the U.S. for storage and processing. However, Privacy Shield was invalidated in 2020 by the European Court of Justice due to concerns about U.S. law’s protection against surveillance by public authorities. The new framework was needed to address these concerns and ensure secure data transfers. In the absence of a valid agreement, companies have relied on Standard Contractual Clauses, which are also under threat.

Why does it matter?

Data transfers are crucial for multinational companies operating in different jurisdictions. U.S. tech giants, like Meta, Google, and Amazon, collect vast amounts of data on their users and share it back to the U.S. for various purposes. However, the handling of data by these companies has faced scrutiny due to privacy and security concerns. The EU has strict regulations, such as the General Data Protection Regulation (GDPR), to ensure safe data processing. In contrast, the U.S. lacks a comprehensive federal data protection law, relying on state-specific regulations. The new framework aims to reconcile these differences and provide certainty for businesses.

Will it succeed?

Although the new data privacy framework provides certainty for businesses, it faces potential legal challenges from privacy activists. Max Schrems, an Austrian privacy activist who played a role in invalidating Privacy Shield, plans to launch a legal challenge against the new pact. Activists argue that U.S. privacy laws do not extend sufficient protections to non-U.S. citizens. The success of the framework will depend on how the European courts evaluate U.S. data protection measures. Businesses must consider these potential challenges in their planning.