The European Commission (EC) has decided to permit the transfer of personal data from the European Union to US-based companies, marking a victory for firms like Facebook and Google.
This move comes despite concerns raised by privacy advocates who worry about the potential impact of US government surveillance on personal data.
In an official announcement, the EC stated that it has adopted its adequacy decision for the EU-US Data Privacy Framework. The decision concludes that the United States ensures adequate protection for personal data transferred from the EU to the US companies under the new framework.
As a result, data can flow securely from the EU to the US companies participating in the framework without the need for additional data protection safeguards.
In May, Meta, the parent company of Facebook, was fined 1.2 billion euros for violating the General Data Protection Regulation (GDPR) by transferring personal data to the US. The company was ordered to cease storing European Union user data in the US within six months. However, Meta expresses confidence that if the pending data-transfer pact were to effect before the implementation deadline expires, their services would continue without disruption or impact on users.
European privacy advocates are expected to challenge the data-transfer deal, arguing that substantial changes to US surveillance laws are necessary. The validity of data transfers from Europe to the US has been under scrutiny since a 2020 ruling by the European Court of Justice, which declared a previous trans-Atlantic data flows deal illegal due to the lack of effective means for EU individuals to challenge US government surveillance of their data.
The EC’s announcement emphasised that the new framework includes binding safeguards to address the concerns raised by the European Court of Justice. These safeguards restrict access to EU data by US intelligence services to what is deemed necessary and proportionate and establish a Data Protection Review Court (DPRC) accessible to EU individuals. The DPRC will have the authority to order the deletion of data collected in violation of the new rules.
The administration and monitoring of the framework will be the responsibility of the US Department of Commerce, while the US Federal Trade Commission will enforce US companies’ compliance. EU residents will have access to independent dispute redressal mechanisms and an arbitration panel when challenging data collection.
US companies can join the EU-US framework by committing to comply with the detailed set of privacy obligations. This includes requirements such as deleting personal data when it is no longer necessary and ensuring continuity of protection when sharing personal data with third parties, according to the European Commission.
However, not all are in agreement with this framework. Privacy activist Max Schrems, known for leading legal challenges to previous data agreements, plans to challenge the latest deal, citing the need for changes in US surveillance law to address ongoing concerns.
Europen Parliament member Birgit Sippel also is against the framework. Sippel told The New York Times that this “framework does not provide any meaningful safeguards against indiscriminate surveillance conducted by US intelligence agencies.”
The EC’s approval of the deal has been welcomed by the Computer & Communications Industry Association, representing major tech companies, including Amazon, Apple, Google, and Twitter. The association views the decision as a means to restore legal certainty for data transfers, emphasizing the importance of data flows to transatlantic trade and the EU-US economic relationship, worth €5.5 trillion annually.
In the News: AI text detectors flag non-native English speakers’ work: Research
