The European Commission and the United States announced a new Trans-Atlantic Data Privacy Framework over the weekend, signalling clarification may be on the way regarding what data flows are allowed after a European court struck down the EU-US Privacy Shield one and a half years ago.
The Privacy Shield agreement had set the terms for transatlantic transfers of personal data. The agreement was struck down, however, after the European Court of Justice found US laws did not offer enough data protection safeguards to meet European standards, leading to legal uncertainty regarding what data flows are allowed.
The legal uncertainty led to European regulators, in recent months, issuing orders against flows of personal data that passed through products such as Google Analytics.
Meta, meanwhile, “threatened” to pull its services out of Europe if governments could not come to an agreement on a new EU-US transatlantic data transfer framework. The company eventually backpedalled from its comments, but it remained staunch in calling for a new framework to be established.
According to a White House fact sheet, the new Trans-Atlantic Data Privacy Framework will see the US government implement reforms to better protect the personal data of EU citizens, such as allowing these citizens to seek redress at a newly-created, independent Data Protection Review Court that will have “full authority” to adjudicate claims and direct remedial measures as needed.
The US government will also ensure signals intelligence collection may only be undertaken where necessary to advance legitimate national security objectives, and must not disproportionately impact the protection of individual privacy and civil liberties under the framework.
“The new framework marks an unprecedented commitment on the US side to implement reforms that will strengthen the privacy and civil liberties protections applicable to US signals intelligence activities,” the European Commission and US government said in a joint statement.
With the US committing to these reforms, among others that have yet to be publicly detailed, citizens and companies on both sides of the Atlantic will be able to continue their existing data flows between the EU and US, which companies like Google have already lauded.
“We look forward to certifying our processes under the Trans-Atlantic Data Privacy Framework at the first opportunity. For Google, these (and similar) standards serve as a floor, not a ceiling, for the protections we offer our users and customers,” Google VP of public policy Karan Bhatia said.
Max Schrems, the privacy lawyer who raised the lawsuit that culminated in the Privacy Shield agreement being canned, was sceptical of the new framework, with its details yet to be released.
“Seems we do another Privacy Shield especially in one respect: Politics over law and fundamental rights,” Schrems said. “This failed twice before. What we heard is another ‘patchwork’ approach but no substantial reform on the US side. Let’s wait for a text but my [first] bet is it will fail again.”