A deal was finalized Monday to ensure that data from Meta, Google and dozens of other companies can continue to flow between the United States and the European Union, after the digital transfer of personal information between the two jurisdictions was called into question due to privacy issues. .
The decision by the European Commission is the final step in a year-long process and resolves, at least for now, a dispute over the ability of US intelligence agencies to access data on European Union residents. The debate pitted US national security concerns against European privacy rights.
The agreement, known as the EU-US Data Privacy Framework. The US gives Europeans the ability to object when they believe US intelligence agencies have inappropriately collected their personal information. A new independent review body made up of US judges, called the Data Protection Review Tribunal, will be created to hear such appeals.
Didier Reynders, the European commissioner who helped broker the deal with US Attorney General Merrick B. Garland and Commerce Secretary Gina Raimondo, called it a “solid solution.” The agreement sets out more clearly when intelligence agencies can recover personal information about people in the European Union and also outlines how Europeans can appeal such collection, she said.
“It’s a real change,” Reynders said in an interview. “Protection is traveling with the data”.
President Biden issued an executive order that laid the groundwork for the agreement in October, requiring American intelligence officials to add more protections for the collection of digital information, including making them proportionate to national security risks.
The transatlantic deal was a top priority for the world’s largest technology companies and thousands of other multinational companies that depend on the free flow of data. The agreement replaces a previous agreement, known as the Privacy Shield, which was invalidated in 2020 by the highest court of the European Union because it did not include sufficient privacy protections.
The lack of agreement had created legal uncertainty. In May, a European privacy regulator pointed to the 2020 ruling by fining Meta 1.2 billion euros ($1.3 billion) and ordering it to stop sending information about Facebook users in the European Union to the United States. Meta, like many companies, moves data from Europe to the United States, where it is headquartered and has many of its data centers.
Other European privacy regulators have ruled that services provided by American companies, including Google Analytics and MailChimp, could violate the privacy rights of Europeans because they moved data across the United States.
The problem dates back to when Edward Snowden, a former US homeland security contractor, released details about how the US foreign surveillance apparatus exploited data stored by US technology and telecommunications companies. Under laws like the Foreign Intelligence Surveillance Act, US intelligence agencies can try to gain access to data about international business users for national security purposes.
After the disclosure, an Austrian privacy activist, Max Schrems, launched a legal challenge arguing that Facebook’s storage of his data in the United States violated his European privacy rights. The European Union’s highest court agreed, annulling two previous transatlantic data-sharing pacts.
On Monday, Schrems said he planned to sue again.
“Simply announcing that something is ‘new’, ‘solid’ or ‘effective’ is not enough before the Court of Justice,” Schrems said in a statement, referring to the European Union’s highest court. “We would need changes to US surveillance law to make this work, and we just don’t have it.”
Members of the European Parliament criticized the deal. Parliament did not have a direct role in the negotiations, but passed a non-binding resolution in May saying the deal failed to create adequate protection.
“The framework does not provide meaningful safeguards against indiscriminate surveillance by US intelligence agencies,” said Birgit Sippel, a European lawmaker from the Socialists and Democrats group who specializes in civil liberties issues. “This lack of protection leaves the personal data of Europeans vulnerable to mass surveillance, which undermines their privacy rights.”
Reynders said people should wait to test the new policy in practice.
He said the new framework would establish a system through which Europeans could raise concerns with the US government. First, Europeans who suspect that their data is being unfairly collected by a US intelligence agency should file a complaint with their national data protection regulator. After further review, authorities will take the matter to US officials in a process that could eventually reach the new review panel.
Ms. Raimondo said this month that the US Department of Justice has established that countries within the 27-nation European Union will have access to tools that allow them to report abuses of their rights. She said the Office of the Director of National Intelligence has also confirmed that the intelligence agencies added the safeguards set out in Mr. Biden’s order.
“This represents the culmination of months of meaningful collaboration between the US and the EU and reflects our shared commitment to facilitating data flows between our respective jurisdictions while protecting individual rights and personal data,” Ms. Raimondo said in a recent statement.