On July 10, the European Commission adopted a new legal framework allowing the transfer of personal data from the EU to the US. This system is crucial for actors in the digital economy, who faced legal uncertainty following the invalidation of the previous framework by the European Court of Justice.
The previous devices, which were intended to allow the transfer of data from the EU to the US, Safe Harbor and Privacy Shield, had become invalid in the face of US surveillance laws. The European Court of Justice had to make these decisions following an appeal by the Austrian privacy activist Max Schrems.
The new framework
To enable the free transfer of personal data from the EU (as well as from Norway, Liechtenstein and Iceland) to a third country, the Commission must ensure that the level of protection in that country is sufficient
Since the invalidation of the “Privacy Shield” in 2020, the European Commission and the US government have begun discussions on a new framework that addresses the concerns raised by the Court. In March 2022, President Ursula von der Leyen and President Joe Biden announced that they had reached an agreement in principle.
An executive order to improve security measures for intelligence activities in the United States will respond today to the concerns expressed by the Court of Justice of the European Union in its July 2020 Schrems II decision.
The adequacy decision of 10. July therefore concludes that “The US guarantees an adequate level of protection – comparable to that of the EU – for personal data transferred from the EU to US companies under the new framework”.
The EU-US data protection framework introduces new binding safeguards, including limiting US intelligence access to EU data to what is necessary and proportionate, and establishing a Data Protection Review Court (DPRC) to which EU citizens will have access .
US companies can participate if they meet a set of privacy obligations, including deleting personal data when no longer needed and ensuring continued protection when sharing data with third parties.
EU citizens will have several avenues of appeal for US companies’ misuse of their data.
Ursula von der Leyen said:
“The new EU-US data protection framework will ensure secure data flows for Europeans and provide legal certainty for businesses on both sides of the Atlantic. Following the tentative agreement I reached with President Biden last year, the US made unprecedented commitments to establish the new framework . Today we are taking an important step to give citizens confidence in the security of their data, to deepen the economic ties between the EU and the US, while reaffirming our shared values. It shows that by working together we can tackle the most complex issues”.
A new appeal to the European Court of Justice?
For Max Schrems, “as a whole, the new “transatlantic data protection framework” is a copy of the Privacy Shield (of 2016), which itself was a copy of the “Safe Harbor” (of 2000)”.
He said in a statement on the day of the announcement:
“We already have several appeals in our drawers, but we are tired of this legal ping-pong. We currently expect that the Court will be brought again at the beginning of next year. The court could even suspend the new agreement while it examines its content. In the interests of legal certainty and the rule of law, we will then know whether the small improvements made by the Commission were sufficient or not. For the past 23 years, all agreements between the EU and the US have been declared invalid retroactively, making all data transfers by companies illegal – it seems we’ve just added two more years to this ping pong”.
