A deal to ensure that data from Meta, Google and a host of other companies can continue to flow between the United States and the European Union was finalized Monday, after the digital transfer of personal information between the two jurisdictions was called into question due to privacy concerns. .
The European Commission’s decision is the latest step in a years-long process and resolves — at least for now — a dispute over the ability of US intelligence agencies to access data on European Union residents. During the debate, concerns about US national security were contrasted with European privacy rights.
The agreement, known as the EU-US Data Privacy Framework, gives Europeans the opportunity to object if they believe their personal information has been inappropriately collected by US intelligence agencies. A new independent review body, made up of US judges, called the Data Protection Review Court, will be established to hear such appeals.
Didier Reynders, the European Commissioner who helped negotiate the agreement with US Attorney General, Merrick B. Garland, and Commerce Secretary, Gina Raimondo, called it a “robust solution”. The deal sets out more clearly when intelligence agencies can request personal information about people in the European Union and also outlines how Europeans can appeal against such collection, he said.
“It’s a real change,” said Mr. Reynders in an interview. “Security travels with the data.”
President Biden issued an executive order in October that laid the groundwork for the deal, requiring U.S. intelligence officials to provide greater protections for collecting digital information, including making it commensurate with national security risks.
The transatlantic agreement has been a top priority for the world’s largest technology companies and thousands of other multinational companies that rely on the free flow of data. The deal replaces an earlier agreement known as Privacy Shield, which was declared invalid in 2020 by the European Union’s highest court because it did not provide sufficient privacy protection.
The lack of an agreement had led to legal uncertainty. In May, a European privacy regulator pointed to the 2020 verdict when it fined Meta 1.2 billion euros ($1.3 billion) and ordered it to stop sending information about Facebook users in the European Union to the United States. Meta, like many companies, moves data from Europe to the United States, where its headquarters and many of its data centers are located.
Other European privacy regulators ruled that services from US companies, including Google Analytics and MailChimp, could violate the privacy rights of Europeans because they moved data through the United States.
The matter goes back to when Edward Snowden, a former US national security contractor, released details about how the US foreign surveillance apparatus used data stored by US technology and telecommunications companies. Under laws such as the Foreign Intelligence Surveillance Act, U.S. intelligence agencies may attempt to access data on corporate international users for national security purposes.
Following the revelation, an Austrian privacy activist, Max Schrems, launched a legal challenge arguing that Facebook’s storage of his data in the United States violated his European privacy rights. The European Union’s highest court agreed, striking down two previous transatlantic data-sharing pacts.
On Monday, Mr Schrems said he intended to file another lawsuit.
“Just announcing that something is ‘new’, ‘robust’ or ‘effective’ is not enough for the Court of Justice,” Schrems said in a statement, referring to the European Union’s highest court. “We would need changes in US surveillance law for this to work — and we just don’t have those.”
Members of the European Parliament criticized the deal. Parliament had no direct role in the negotiations, but passed a non-binding resolution in May saying the agreement did not provide adequate protection.
“The framework does not provide any meaningful protection against arbitrary surveillance by US intelligence agencies,” said Birgit Sippel, a European legislator from the Socialists and Democrats group who specializes in civil liberties issues. “This lack of protection makes Europeans’ personal data vulnerable to mass surveillance, undermining their privacy rights.”
Mr Reynders said people should wait to field test the new policy.
He said the new framework would create a system for Europeans to raise concerns with the US government. First, Europeans who suspect that their data is being unfairly collected by a US intelligence agency should file a complaint with their national data protection regulator. After further investigation, authorities will refer the matter to US officials in a process that could eventually reach the new review panel.
Ms Raimondo said this month that the US Department of Justice has determined that countries within the 27-nation European Union will have access to the tools to complain about violations of their rights. She said the Office of the Director of National Intelligence has also confirmed that intelligence agencies have added the safeguards laid out in Mr Biden’s order.
“This represents the culmination of months of significant cooperation between the United States and the EU and reflects our shared commitment to facilitating data flows between our respective jurisdictions while protecting individual rights and personal data,” Ms. Raimondo said in a recent statement.
