Today, the European Commission adopted its adequacy decision for the EU-U.S. Data Privacy Framework. The decision concludes that the United States ensures an adequate level of protection – comparable to that of the European Union – for personal data transferred from the EU to US companies under the new framework. On the basis of the new adequacy decision, personal data can flow safely from the EU to US companies participating in the Framework, without having to put in place additional data protection safeguards.
In 2020, European Union courts struck down the previous agreement between the EU and the US, the Privacy Shield, as the court stated it did not sufficiently protect EU user data from US government surveillance. This was obviously a big problem for companies like Facebook and Google, and ever since, the two blocs have been trying to come up with a replacement that would allow these companies to continue to operate relatively unscathed. In the meantime, though, several European countries handed out large fines to Amazon and Facebook for not taking proper care of EU user data.
So, what makes this new agreement stricter than the previous one?
The EU-U.S. Data Privacy Framework introduces new binding safeguards to address all the concerns raised by the European Court of Justice, including limiting access to EU data by US intelligence services to what is necessary and proportionate, and establishing a Data Protection Review Court (DPRC), to which EU individuals will have access. The new framework introduces significant improvements compared to the mechanism that existed under the Privacy Shield. For example, if the DPRC finds that data was collected in violation of the new safeguards, it will be able to order the deletion of the data. The new safeguards in the area of government access to data will complement the obligations that US companies importing data from the EU will have to subscribe to.
I’m obviously no legal expert so take this with a grain of salt, but this kind of feels like yes, there are additional protections and safeguards, but if (let’s be real here: when) companies like Facebook violate these, don’t worry, EU citizen! You can undertake costly, complex, and long legal proceedings in misty business courts so Facebook or whatever can get fined for an amount that Zuckerberg spends on his interior decorator every week.
The courts struck down the Safe Harbor agreement in 2015, and the aforementioned Privacy Shield in 2020, so we’ll see if this new agreement stands the test of the courts.