The European Commission recently approved a newly proposed EU-US data privacy framework concerning how EU data transferred to US companies is handled. Any US company handling EU data will not need to implement additional data protection safeguards if they are operating under the approved framework.
This agreement comes three years after an EU court struck down Privacy Shield, the previous protocol that allowed US-based companies to collect and process EU citizens’ data. The court found that the protocol didn’t do enough to protect EU data from US intelligence agencies. Afterwards, companies that did not comply with EU data-transfer policies, such as Meta and Amazon, were hit with hefty fines.
About the deal
According to the European Commission, the new framework improves upon Privacy Shield by introducing mechanisms to assess the necessity of data collected and order its deletion if need be. To do this, a Data Protection Review Court will be established. If EU citizens have concerns, they can contact the court.
US companies can operate under the new framework if they commit to some specific privacy obligations. These include a requirement to delete data “when it is no longer necessary for the purpose for which it was collected” and ensuring that third parties it was shared with do the same. Data shared with US intelligence agencies must also be limited to “what is necessary and proportionate to protect national security.” If EU citizens suspect their data has been unfairly shared with intelligence agencies, they can take it to the review court.
Criticism
While tech companies are understandably delighted by the deal, Internet privacy activists aren’t so pleased. Experts believe the measures aren’t enough to protect EU citizens, as US privacy laws do not protect non-US citizens in the same way as US citizens.
Holger Lutz, partner at law firm Clifford Chance, told CNBC:
“Whether the framework is successful will be a matter of whether the European courts consider the protections for personal data in the US do enough to deliver essential equivalence to the EU protections.”
Non-profit group NOYB (None of Your Business) has stated it will challenge the decision. Its leader, Austrian privacy activist Max Schrems, said in a statement:
“Just announcing that something is ‘new,’ ‘robust’ or ‘effective’ does not cut it before the [European] Court of Justice. We would need changes in US surveillance law to make this work and we simply don’t have it.”
So it remains to be seen if this new framework will make things easier for US tech companies while protecting EU citizens’ rights.
Cora is a digital copywriter for SSLs.com. Having eight years of experience in online content creation, she is a versatile writer with an interest in a wide variety of topics, ranging from technology to marketing.