(Brussels) Brussels adopted on Monday a new legal framework to allow the transfer of personal data from the EU to the United States, a crucial device for the digital economy after European court decisions having invalidated the precedents.
“The new EU-US personal data protection framework will ensure secure data flows for Europeans and provide legal certainty for businesses on both sides of the Atlantic,” said European Commission President Ursula von der Leyen, in a statement.
US President Joe Biden welcomed the decision, which he said “reflects the two partners’ “shared commitment” to “strong personal data protection”.
The two schemes previously put in place to allow companies to transfer such data from Europeans to the United States had been invalidated due to fears of surveillance by American intelligence services – the latest, “Privacy Shield”, in 2020 –.
These appeals to the EU Court of Justice were brought by Austrian privacy activist Max Schrems.
Monday, he announced to take legal action again, considering that the new text did not bring any improvement in terms of the protection of the personal data of Europeans.
“We already have options in the drawers for a new remedy, although we are tired of this game of legal ping-pong. We expect the case to come before the Court of Justice again early next year,” said Max Schrems.
The European Commissioner for Justice, Didier Reynders, admitted that he expected new legal battles. “Referring to the Court of Justice seems to be part of the business model of some civil society organizations,” he quipped, in a hint to the Austrian activist’s European Center for Digital Rights (Noyb).
The establishment of a new framework is essential for digital giants such as Google, Meta and Amazon who lamented the lack of clear rules for transferring data between the two sides of the Atlantic.
In particular, Meta was fined a record 1.2 billion euros at the end of May for violating European data protection rules with its social network Facebook.
In July 2020, European justice had concluded that the “Privacy Shield” used by American companies did not protect possible “interferences in the fundamental rights of the persons whose data were transferred”.
Since then, companies have been resorting to alternative legal solutions, with more uncertain legality, to continue these transfers, while waiting for a more solid and sustainable system.
Ms. von der Leyen and Joe Biden had reached an agreement in principle in March 2022 on a new legal device, supposed to respond to the concerns expressed by justice.
The new European legal framework implements this agreement. It provides additional safeguards to ensure that access by US intelligence agencies, in the name of national security, to data collected in Europe and transferred or hosted in the United States is limited to what is “necessary” and “proportionate”.
The text also opens up a possibility of recourse to European nationals if they consider that their personal data has been illegally collected by American intelligence, allowing them to obtain, if necessary, the deletion or correction of this data.
“The United States has made unprecedented commitments,” said Ms. von der Leyen.
Digital players welcomed this announcement. “After years of waiting, businesses and organizations of all sizes on both sides of the Atlantic finally have the certainty of having a durable legal framework that allows transfers of personal data from the EU to United States,” said Alexandre Roure, director of public policy for the CCIA, the lobby of tech giants.
“Data flows are the basis of EU services exports to the US worth €1 trillion a year, and this decision will give companies more confidence to conduct their business and will help our economies grow,” commented Cecilia Bonefeld-Dahl of DigitalEurope, another industry organization.